6

As I understand it, SPF works by listing permitted SMTP server domains in the TXT DNS record of the domain you own.

So if I own example.com and wish to permit a 3rd-party SMTP server at smtpexample.com to send emails on behalf of my domain, I add smtpexample.com to the SPF record, in the TXT field of my server's DNS entry.

Because DNS is publicly viewable, anyone can see my SPF entry and deduce that I am using smtpexample.com for sending email.

If smtpexample.com were a shared hosting provider, couldn't I sign up for an account with them and send emails purporting to be from admin@example.com?

So are the emails considered legitimate, because they come from the SMTP server which is listed in example.com's SPF record?

Widor
  • Great question, this is very relevant for everyone using shared email servers like we do with Outlook365. Does Outlook ensure that the `from:` field is not abused? I hope so! – Cornelius Roemer Jan 25 '20 at 20:13

2 Answers

8

SPF is designed to protect against someone using their own server to send e-mail with your from address. For instance, spammers might use a botnet of compromised PCs or devices to connect directly to the target SMTP server, making a blacklist of sending servers very hard to implement; because SPF is a whitelist, the recipient can detect that this is a spoofed message and mark it as spam.

As you say, it does not protect against other users using the same server as you. Essentially, any server you whitelist in the SPF record should be one that you trust not to allow other users to spoof your identity. For instance, if you whitelist GMail's outgoing servers, you are trusting Google to only route messages through those servers which were created by someone logged into your account.

Theoretically, you could use DKIM to share an untrusted server without this risk - if you keep the only copy of the private key somewhere other than the shared server, nobody will be able to spoof your mail. In practice, however, DKIM signatures are commonly added by the same service as is running the shared SMTP server - so, for instance, you could set up DKIM for mail you're sending through GMail, and would still be trusting Google not to let other users sign their mail with the same key.

IMSoP
  • Thanks, that's what I was hoping. Can I trust Microsoft to not allow others to send email from any other `from:` than domains they own? Would the expectation in InfoSec community be that they prevent such abuse? I.e. if it was possible, would this shock people, be acknowledged as a vulnerability/bug and eventually get fixed? – Cornelius Roemer Jan 25 '20 at 20:16
-2

Just to add more information, be aware that a spammer can set up a server with his own domain "mylovelydomain.com" and create his SPF record, which points to X.Y.Z.W, and your SPF tests will pass because the message came from the IP X.Y.Z.W with the domain "mylovelydomain.com". SPF is a first layer of defense; you need to combine it with other techniques such as DKIM, DMARC, and Virtual DMARC if you want to set things up properly.

camp0
  • Just to clarify, by "your SPF tests will pass", do you mean "the SPF tests carried out by the receiving server"? Maybe the answer can be expanded with a clearer story of who is doing what, and what is being spoofed. – IMSoP May 16 '18 at 13:59
  • If your server receives a message from the IP X.Y.Z.W from the domain "mylovelydomain.com" and you perform an SPF check, this will happen: 1. take the DNS TXT record of mylovelydomain.com. 2. verify that the IP X.Y.Z.W belongs to the TXT record; in this case the IP is the same, so as a consequence your tests will pass. Sorry if I'm not explaining myself correctly. Basically, anyone can set up a server and create a TXT record. – camp0 May 16 '18 at 14:05
  • That description still doesn't clarify where the spoofing happens - yes, "my" server (I still think the use of "your" is confusing here) will see that the record for "mylovelydomain.com" is who they claim to be; but how does that relate to the "example.com" and "smtpexample.com" owned by the legitimate user? This answer doesn't currently say how doing this helps the spammer to spoof anything, so it needs to be edited to explain. Also beware of treating this as a forum - the answer should address *the question on this page*, not be a general discussion of the pros and cons of SPF in general. – IMSoP May 16 '18 at 14:21
  • I don't think this answers my question - your scenario is just someone registering an arbitrary domain and sending _from that domain_. I'm talking about spoofing from a different domain, but being trusted because the SMTP server you use is the same one as they have in their SPF. – Widor May 16 '18 at 14:45
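The following is an added illustration, not code from any of the posters: a minimal SPF evaluator (ip4, include and the "all" qualifiers only) run against constructed, offline TXT records for the question's example.com / smtpexample.com scenario and for camp0's mylovelydomain.com scenario. The IP addresses and records are invented stand-ins; it shows why a message from the shared provider's IP passes SPF for example.com, while a spammer's own domain passing SPF says nothing about example.com.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; none of these records are real.
TXT_RECORDS = {
    "example.com":        "v=spf1 include:smtpexample.com -all",
    "smtpexample.com":    "v=spf1 ip4:198.51.100.0/24 -all",
    "mylovelydomain.com": "v=spf1 ip4:203.0.113.7 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` (the MAIL FROM / HELO domain, not the
    header From) against the connecting IP. Returns pass/fail/softfail/neutral/none."""
    if depth > 10:                       # guard against include: loops
        return "permerror"
    record = TXT_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only if the included domain's record yields "pass"
            matched = check_spf(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                     # a, mx, ptr, exists not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # no mechanism matched and no "all"


def scenarios():
    return {
        # spammer's own box (203.0.113.7) claiming example.com: SPF catches it
        "own_server_claiming_example.com": check_spf("example.com", "203.0.113.7"),
        # any tenant of the shared provider claiming example.com: SPF passes
        "shared_provider_claiming_example.com": check_spf("example.com", "198.51.100.5"),
        # camp0's case: the spammer's own domain from his own IP passes, but
        # only for mylovelydomain.com, which does not help him spoof example.com
        "spammer_own_domain": check_spf("mylovelydomain.com", "203.0.113.7"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```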