
Other people are using my domain to send emails. I am trying to protect it by setting up an SPF record. This is my SPF record: "v=spf1 -all"

However, it looks like it doesn't work. I have tried to send an email using the PHP mail() function on another server (server.anotherserver.com) to my gmail account (user@gmail.com) and it still gets passed. This is my PHP code:

<?php
$to      = 'user@gmail.com';
$subject = 'Hi John';
$message = 'some testing message.';
// The From: header is set to the protected domain, but the envelope sender
// (MAIL FROM / Return-Path) is whatever the local MTA uses for this account.
$headers = 'From: David <david@domainneedtoprotect.com>' . "\r\n" .
    'Reply-To: David <david@domainneedtoprotect.com>' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();
echo mail($to, $subject, $message, $headers);

This is the email header:

Delivered-To: user@gmail.com
Received: by 2002:a9d:4ea:0:0:0:0:0 with SMTP id 97-v6csp237297otm;
        Thu, 26 Apr 2018 20:01:07 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZo8W6PcVPS9JJ7JvcjFKwAbHEOc996jYV8o1DAKSepBnraoO9DvnmS5bD0gDCLVVCpSctaJ
X-Received: by 2002:a6b:1b12:: with SMTP id b18-v6mr500663iob.175.1524798067671;
        Thu, 26 Apr 2018 20:01:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524798067; cv=none;
        d=google.com; s=arc-20160816;
        b=GnxYdW+EzYhkh4OQ77lrJoX4Dn01G6NLW1W6AbEJqi+oURIlb/+gUNT1XTiaIfRpXz
         /w2fbOD2+c6HWDs0kd0+d+IYeDDxY1erDaTDBpQpobbbmIWjZR7msDjkXct/FCHqCEfG
         MU72WUJDOdm6B25C3as25pPla8jZiyB3tMa6RVsYa4xSS3Cv5KXs05MNF7TCe7afqeVh
         JxRi3cBXrUBOooKmz3yMnW1eNIdYyttYhdDAcIkKPg5y8MEvOykKaOBWXT4ubJD9RzNe
         dWPd1JGM2oNmNLetBdZN/zPYvzlEaesto1nIuymSR5aofUbwRgAPxUOUUS3+abFqNFGt
         MFdw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=date:message-id:reply-to:from:subject:to:arc-authentication-results;
        bh=pCTg3g3fVX/lpYNMvqS28mm10FAiXhKWQyHZdykc970=;
        b=Kb14UW6VEAF8346yiR/Pr49rF0TptwCHcLKpNIpUS62qFgovUXpPOpk672ccniE1vc
         4CehMlSSGRifbt4YsATLfRdRSUGI4FhsWBLsgnzY1TXH5stw7TeifG7mGrs0Yvs6OERk
         S8+0HLDp1vMd6QJetW9wNrQWwGd1pfrC+cDCaXmH/UNFxWOJjbjRWNbFofoDRVkNsFn6
         MfOlpNOdGRrZQ1461ETR9UQ94v7RqfGHPpbhsMpuAExlIOK4k0w1dNNZgsltgpra3+Q0
         aEwc0YA+VIkVp0wEn7Djra2hTA/sudZbjcwORhFoGIKWwIxYfj2EbptNLekhgwAwNpts
         vQRg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=neutral (google.com: 68.66.194.78 is neither permitted nor denied by best guess record for domain of user@server.adomain.com) smtp.mailfrom=user@server.anotherserver.com
Return-Path: <user@server.anotherserver.com>
Received: from server.anotherserver.com ([68.66.194.78])
        by mx.google.com with ESMTPS id e68-v6si129126itc.115.2018.04.26.20.01.07
        for <user@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 26 Apr 2018 20:01:07 -0700 (PDT)
Received-SPF: neutral (google.com: 68.66.194.78 is neither permitted nor denied by best guess record for domain of user@server.anotherserver.com) client-ip=68.66.194.78;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 68.66.194.78 is neither permitted nor denied by best guess record for domain of user@server.anotherserver.com) smtp.mailfrom=user@server.anotherserver.com
Received: from webuser by server.anotherserver.com with local (Exim 4.89_1) (envelope-from <user@server.anotherserver.com>) id 1fBtdD-0005qG-32 for user@gmail.com; Thu, 26 Apr 2018 19:01:07 -0800
To: user@gmail.com
Subject: Hi Tony
X-PHP-Script: anotherserver.com/test.php for 203.219.102.86, 192.88.134.7
X-PHP-Originating-Script: 501:test.php
From: David <david@domainneedtoprotect.com>
Reply-To: David <david@domainneedtoprotect.com>
X-Mailer: PHP/7.0.29
Message-Id: <E1fBtdD-0005qG-32@server.anotherserver.com>
Date: Thu, 26 Apr 2018 19:01:07 -0800
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.anotherserver.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [501 32007] / [47 12]
X-AntiAbuse: Sender Address Domain - server.anotherserver.com
X-Get-Message-Sender-Via: server.anotherserver.com: authenticated_id: webuser/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: server.anotherserver.com: webuser
X-Source: /opt/cpanel/ea-php70/root/usr/bin/lsphp
X-Source-Args: lsphp:/home/webuser/public_html/test.php
X-Source-Dir: anotherserver.com:/public_html

Please let me know where I went wrong. I am not very good at DNS. Thank you.

Pang
Ty Trinh

1 Answer

It's because SPF is checked using the envelope sender, not the from header. The receiving mail server adds the envelope sender as a return-path header, which for you looks like:

Return-Path: <user@server.anotherserver.com>

and that's the domain the SPF is checked on, which presumably in your case is different to your domain.

If you add an SPF record for the domain the envelope sender is using, it will see the right SPF record and be failed/blocked as it should. It's a good idea to add a DMARC policy as well so that receivers know what to do with SPF failures, in which case you should set the SPF policy to ~all and your DMARC policy to reject.

You may not be able to do this if the sender domain is not under your control, e.g. it's your ISP. The workaround for that is to run your own mail server, for example using the excellent mailinabox.email.

Synchro
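As an added illustration of the answer above (not code from the question or the answer, and not how Gmail implements its check), the script below parses a header block modelled on the one in the question, separates the envelope sender domain (Return-Path) from the From: header domain, looks up the SPF record for the envelope domain only, and then checks whether the SPF-authenticated domain aligns with the From: domain the way DMARC requires. The DNS table, the message text and the SPF evaluator are constructed for the example; the evaluator understands only `ip4`, `ip6` and `all` and treats anything else as a permanent error, and its alignment test is a simplified version of DMARC relaxed alignment that does not consult the public suffix list.

```python
import email
import ipaddress
from email.utils import parseaddr

# Constructed header block modelled on the message in the question (not a real capture).
RAW_MESSAGE = """Return-Path: <user@server.anotherserver.com>
Received: from server.anotherserver.com ([68.66.194.78])
        by mx.google.com with ESMTPS id e68-v6si129126itc.115
        for <user@gmail.com>;
        Thu, 26 Apr 2018 20:01:07 -0700 (PDT)
To: user@gmail.com
Subject: Hi Tony
From: David <david@domainneedtoprotect.com>
Reply-To: David <david@domainneedtoprotect.com>

some testing message.
"""

# Assumed DNS TXT data. Only the record for domainneedtoprotect.com appears in the
# question; server.anotherserver.com is deliberately left without a record.
DNS_TXT = {
    "domainneedtoprotect.com": "v=spf1 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def evaluate_spf(record, client_ip):
    """Toy SPF evaluator: handles ip4/ip6 and all with qualifiers, nothing else.
    A missing record yields 'none' (Gmail instead applied a 'best guess' record,
    which is why the question's headers show 'neutral')."""
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, include, exists, ... not implemented here
    return "neutral"  # RFC 7208 default when no mechanism matches


def aligned(auth_domain, from_domain):
    """Simplified DMARC relaxed alignment: same domain or a subdomain of it."""
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def check_message(raw, client_ip, dns=DNS_TXT):
    """Run the SPF lookup on the envelope domain and report DMARC-style alignment."""
    msg = email.message_from_string(raw)
    envelope_domain = domain_of(msg["Return-Path"])  # what SPF is checked against
    from_domain = domain_of(msg["From"])             # what the user sees
    spf_result = evaluate_spf(dns.get(envelope_domain), client_ip)
    return {
        "envelope_domain": envelope_domain,
        "from_domain": from_domain,
        "spf_result": spf_result,
        "spf_aligned": spf_result == "pass" and aligned(envelope_domain, from_domain),
    }


if __name__ == "__main__":
    # The '-all' record on domainneedtoprotect.com is never consulted, because the
    # envelope domain is server.anotherserver.com.
    print(check_message(RAW_MESSAGE, "68.66.194.78"))
    # Publishing a record for the envelope domain, as the answer suggests, makes SPF fail.
    hardened = dict(DNS_TXT, **{"server.anotherserver.com": "v=spf1 -all"})
    print(check_message(RAW_MESSAGE, "68.66.194.78", dns=hardened))
```

Even with a record on the envelope domain, the From: domain is only protected once a DMARC policy on domainneedtoprotect.com tells receivers that an unaligned SPF pass (or a fail) should be rejected; the `spf_aligned` field is the piece of that decision the script can compute offline.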