If I understand correctly, the email receiver checks the validity of the origin of the email by matching the domain's IP of the MAIL FROM (Return-Path) address with the IPs listed in the domain's SPF policy (in the DNS).

What I don't get is that as a scammer, I could create any domain like xyzzzz.com, add an SPF policy in the DNS and set the MAIL FROM address as xyzzzz.com, and still spoof the From address (as the SPF only verifies identity based on the MAIL FROM address); and it is the From address that the final client actually sees.

Therefore I do not understand the benefits of SPF.

user2923322
  • SMTP is a protocol designed in the early days of the internet when few institutions were connected, ease of implementation was paramount and security much less of a concern. It has since then become so ubiquitous that industrial inertia resists a complete protocol overhaul and new and better protocols won't really catch on. SPF is only one of several methods to "fix" the shortcomings in SMTP by *"bolting on"* some additional security that won't break the existing mail infrastructure, and it only attempts to fix one security flaw, not everything. See also DKIM and DMARC – HBruijn Feb 25 '19 at 14:00
  • Possible duplicate of [Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?](https://serverfault.com/questions/419407/fighting-spam-what-can-i-do-as-an-email-administrator-domain-owner-or-user) – Jenny D Feb 25 '19 at 14:54

1 Answer

SPF is useful for verifying envelope sender addresses, i.e. against forged senders (MAIL FROM). It was designed for that, not against forged headers. DKIM is designed to protect the headers and the body against forging and tampering. The From: header is always signed, other headers being optional.

DKIM can only protect mail that has been signed, but it doesn't provide a mechanism to prove that an unsigned message should have been signed. Now, it seems that both SPF and DKIM are powerless against spoofed addresses in the From: header. DMARC alignment comes to the rescue! DMARC can enforce DKIM by telling the receiver how they should handle unsigned messages. DKIM+DMARC together protect the From: address.

Why is it still relevant to protect the MAIL FROM address? Why not use DKIM+DMARC alone?

  • SPF still protects your domain from being used as the envelope sender. Why would someone buy a random domain and use it as the envelope sender while there are plenty of existing unprotected domains? Without an SPF record someone could use your domain for that phase while spoofing someone else's domain in the headers.

  • DMARC alignment requires only either SPF or DKIM to pass. You might have some applications or devices that need to use your domain in the From header, but aren't able to DKIM sign the messages. No worry if they pass the SPF test for the same domain. Likewise, you may have some 3rd party provider sending newsletters on your behalf, but allowing them on the SPF level might be too extensive. Doesn't matter as long as they can DKIM sign the messages using their own selector.

Esa Jokinen
  • You said "_DKIM can only protect mail that has been signed, but it doesn't provide a mechanism to prove that an unsigned message should have been signed._". Does that make DKIM useless without DMARC? As **unsigned** messages can still be sent, and thus bypass any DKIM signature check. – user2923322 Feb 26 '19 at 05:09
  • It makes DKIM without DMARC useless against header forgery, but a valid signature still proves the signed content hasn't been tampered with. – Esa Jokinen Feb 26 '19 at 06:03
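The alignment logic the answer describes, as an added example that is not part of the original question or answer: a receiver-side DMARC evaluation showing why the asker's scammer scenario (SPF pass for xyzzzz.com, spoofed From:) fails, while the answer's two legitimate cases (SPF-only device, DKIM-only newsletter provider) pass. Domain names are constructed, and `org_domain` is a deliberately naive stand-in for the Public Suffix List lookup real DMARC implementations use.

```python
"""DMARC identifier alignment: SPF or DKIM must pass AND align with the From: header domain."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResults:
    """Constructed authentication results as a receiving MTA would see them."""
    header_from: str            # domain of the RFC 5322 From: header (what the user sees)
    mail_from: str              # domain of the envelope MAIL FROM / Return-Path
    spf_pass: bool              # SPF result for mail_from
    dkim_domain: Optional[str]  # d= tag of a *valid* DKIM signature, None if unsigned/invalid


def org_domain(domain: str) -> str:
    """Naive organizational domain: last two labels (assumption; real DMARC uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier: str, header_from: str, strict: bool) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if strict:
        return identifier.lower().rstrip(".") == header_from.lower().rstrip(".")
    return org_domain(identifier) == org_domain(header_from)


def dmarc_pass(r: AuthResults, aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes if at least one authenticated identifier aligns with the From: domain.

    aspf / adkim mirror the DMARC record tags: "r" = relaxed, "s" = strict.
    An SPF pass for an unrelated MAIL FROM domain contributes nothing here.
    """
    spf_aligned = r.spf_pass and aligned(r.mail_from, r.header_from, aspf == "s")
    dkim_aligned = r.dkim_domain is not None and aligned(r.dkim_domain, r.header_from, adkim == "s")
    return spf_aligned or dkim_aligned


# Constructed scenarios from the thread; example.com is the protected (spoofed) domain.
SCENARIOS = {
    # The asker's scammer: own SPF-valid domain as MAIL FROM, victim's domain in From:.
    "scammer_spf_only":      AuthResults("example.com", "xyzzzz.com", True, None),
    # Answer bullet 2: device that cannot DKIM-sign but sends with an aligned MAIL FROM.
    "device_spf_aligned":    AuthResults("example.com", "example.com", True, None),
    # Answer bullet 2: newsletter provider outside SPF but signing with d=example.com.
    "provider_dkim_aligned": AuthResults("example.com", "bounce.provider.invalid", True, "example.com"),
    # Unsigned and SPF fails: DMARC policy tells the receiver how to treat it.
    "unsigned_spf_fail":     AuthResults("example.com", "example.com", False, None),
}


def evaluate_all(aspf: str = "r", adkim: str = "r") -> dict:
    """Return {scenario_name: dmarc_pass} for every constructed scenario."""
    return {name: dmarc_pass(r, aspf, adkim) for name, r in SCENARIOS.items()}
```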