
I was reading about SPF lately and got to know that SPF fails to identify spoofing when the spammer sends email with the envelope-from pointing to a domain that he/she controls and there is a completely different domain that the receiving client sees. I was just wondering why not do a check against the domain that the sender sees?

Thanks

Abhishek Arya
    I guess the question boils down to "Why is envelope-from separate from header From in the first place?" – IMSoP Jun 30 '20 at 16:56
  • No, that's not what I mean. – Abhishek Arya Jun 30 '20 at 17:20
  • What I meant was, if there is any purpose to envelope-from and header-from having different values, then there is a purpose for SPF to only verify one or the other. So understanding what the different values are for is key to understanding why SPF works the way it does. – IMSoP Jul 01 '20 at 08:17

2 Answers


Because SPF is about origin, not content, and the envelope sender doesn't need to be the same as the from address.

There is a mechanism for validating the From address and checking its alignment with the envelope sender, but it's not SPF, it's DMARC. Complete the trinity with DKIM, and you've got most of what you can reasonably control with email nailed down.

Synchro
    I asked one of my colleagues as well. According to him, although spoofers can take advantage of SPF's design, it still makes it a bit harder to do that. Given that at the time SPF was created nothing was there, even not-so-good SPF was something to cherish. Regarding why not use the message-from, it was done to avoid breaking the mail forwarding mechanisms currently in place. – Abhishek Arya Jun 30 '20 at 17:26
    @AbhishekArya That sounds like an answer, rather than a comment (this site tries to strictly distinguish between the two; comments are for clarifying an existing question or answer, not general discussion). – IMSoP Jul 01 '20 at 08:14
    SPF is fine for what it is designed to do, which is to identify email sources, and it still performs that task effectively, and it does not require receivers/relays to parse email messages, which checking the From address header *does* require. Complaining that it doesn't address things it was not designed for isn't constructive; use protocols for what they are designed for, so you should implement SPF, DKIM, *and* DMARC, with the strictest settings you can. Also look at [SRS](https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme) to see how SPF can still be used for forwarders. – Synchro Jul 01 '20 at 08:22

I asked one of my colleagues as well. According to him, although spoofers can take advantage of SPF's design, it still makes it a bit harder to do that. Given that at the time SPF was created nothing was there, even not-so-good SPF was something to cherish. Regarding why not use the message-from, it was done to avoid breaking the mail forwarding mechanisms currently in place.

Abhishek Arya
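Synchro's answer says the check the question asks for belongs to DMARC rather than SPF, and the second answer notes that SPF verifies the envelope sender so forwarding keeps working. As an added example (not code from this page or from any of the posters), here is a minimal DMARC identifier-alignment check in Python over constructed inputs: the spoof case from the question, where SPF passes for the attacker's own envelope domain but the visible From: is unaligned; a legitimate message; and a forwarded copy where SPF fails yet the aligned DKIM signature still carries it. The `org_domain` helper is an assumed simplification of the Public Suffix List lookup real DMARC evaluators perform.

```python
import re

# Constructed sample inputs (not from the page): the spoofing case from the
# question, a legitimate message, and that legitimate message after forwarding.
SAMPLES = {
    "spoof": dict(header_from="CEO <ceo@example.com>", mail_from="bounce@attacker.test",
                  spf_pass=True, dkim_pass=False, dkim_d=""),
    "legit": dict(header_from="ceo@example.com", mail_from="bounce@mail.example.com",
                  spf_pass=True, dkim_pass=True, dkim_d="example.com"),
    "forwarded": dict(header_from="ceo@example.com", mail_from="bounce@mail.example.com",
                      spf_pass=False, dkim_pass=True, dkim_d="example.com"),
}

def domain_of(addr: str) -> str:
    """Lower-cased domain part of 'Name <user@host>' or 'user@host'; '' if absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower().rstrip(".") if m else ""

def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: last two labels; a real DMARC
    evaluator consults the Public Suffix List (example.co.uk needs three)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain

def aligned(header_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if not header_domain or not auth_domain:
        return False
    if mode == "s":
        return header_domain == auth_domain
    return org_domain(header_domain) == org_domain(auth_domain)

def dmarc_result(header_from, mail_from, spf_pass, dkim_pass, dkim_d,
                 aspf="r", adkim="r"):
    """'pass' if SPF or DKIM passed AND its identifier aligns with the visible
    From: domain, else 'fail' (the From: domain's p= policy then applies)."""
    hf = domain_of(header_from)
    spf_ok = spf_pass and aligned(hf, domain_of(mail_from), aspf)      # SPF: MAIL FROM domain
    dkim_ok = dkim_pass and aligned(hf, dkim_d.lower(), adkim)         # DKIM: d= tag domain
    return "pass" if (spf_ok or dkim_ok) else "fail"

def evaluate_samples(aspf="r", adkim="r"):
    """DMARC verdict for each constructed sample under the given alignment modes."""
    return {name: dmarc_result(aspf=aspf, adkim=adkim, **m) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:10s} dmarc={verdict}")
```

Note that the spoof sample is exactly the case the question describes: SPF alone passes, and only the alignment step catches the mismatch with the From: header.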