I set an SPF record for a domain; however, spoofing the sender still works, and the reason is quite simple:

It seems that there are 3 different "from" fields in an e-mail:

- Reply to
- Return path
- Envelope from

See https://stackoverflow.com/questions/1235534/what-is-the-behavior-difference-between-return-path-reply-to-and-from for more info.

Your mail client is displaying `reply to` as the sender's e-mail; however, mail servers seem to do SPF checks against `return path` or `envelope from`, which makes no sense to me.

It means that if I send an e-mail that says `return path` and `envelope from` are `hacker.net` and `reply to` is `someone@victim.org`, which I am trying to spoof, it will check the SPF of `hacker.net`. Now suppose that it was my domain which I configured SPF for: it would pass and get delivered to the victim's mailbox as mail from `someone@victim.org`, even if I am not allowed to deliver e-mails for `victim.org`, effectively bypassing the SPF check.

Is there a way to fix that? It seems that only `DMARC` is able to prevent this, but if that's true, what is the point of SPF checks?
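An added example (not part of the question above) that models the receiving side of the scenario described: SPF is evaluated against the envelope sender domain only, and it is DMARC's alignment step that compares the authenticated domain with the header `From` domain the mail client displays. The message, the sending IPs and the `SPF_POLICY` table are constructed stand-ins for DNS lookups so the script runs offline, and DKIM is left out for brevity.

```python
import email
from email.utils import parseaddr

# Constructed stand-in for DNS: the client IPs each domain's SPF record authorises.
SPF_POLICY = {
    "hacker.net": {"203.0.113.10"},   # attacker-controlled domain, correctly configured
    "victim.org": {"198.51.100.5"},   # the domain being impersonated
}

# Constructed message: Return-Path (envelope sender) is the attacker's domain, while
# the header From and Reply-To shown to the user name the victim's domain.
RAW_MESSAGE = """\
Return-Path: <bounce@hacker.net>
From: someone@victim.org
Reply-To: someone@victim.org
To: user@example.com
Subject: alignment test

hello
"""

def domain_of(addr: str) -> str:
    """Domain part of an address, accepting forms like '<x@y>' or 'Name <x@y>'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def spf_check(mail_from: str, client_ip: str) -> str:
    """SPF authenticates the envelope sender (RFC5321.MailFrom), never the header From."""
    allowed = SPF_POLICY.get(domain_of(mail_from))
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"

def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed DMARC alignment, simplified: equal, or one is a subdomain of the other."""
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))

def evaluate(raw: str, mail_from: str, client_ip: str) -> dict:
    """Return the SPF verdict and the DMARC verdict via the SPF-alignment path."""
    msg = email.message_from_string(raw)
    header_from = domain_of(msg["From"])
    envelope_from = domain_of(mail_from)
    spf = spf_check(mail_from, client_ip)
    dmarc = "pass" if spf == "pass" and aligned(envelope_from, header_from) else "fail"
    return {"spf": spf, "envelope_from": envelope_from,
            "header_from": header_from, "dmarc": dmarc}

if __name__ == "__main__":
    print(evaluate(RAW_MESSAGE, "bounce@hacker.net", "203.0.113.10"))
```

The first call in the test below reproduces the question's case: SPF passes for `hacker.net`, but DMARC fails because `hacker.net` does not align with the displayed `victim.org`.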