Why do SPF checks seem to be useless?

I set an SPF record for a domain; however, spoofing the sender still works. The reason is quite simple:

It seems that there are 3 various "from" in e-mail:

  • Reply to
  • Return path
  • Envelope from

See https://stackoverflow.com/questions/1235534/what-is-the-behavior-difference-between-return-path-reply-to-and-from for more info

Your mail client displays the reply to as the sender's e-mail, however mail servers seem to do SPF checks against the return path or envelope from, which makes no sense to me.

It means that if I send an e-mail whose return path and envelope from are hacker.net and whose reply to is [email protected] (which I am trying to spoof), it will check the SPF of hacker.net. Now suppose that it was my domain, which I configured SPF for: it would pass and get delivered to the victim's mailbox as mail from [email protected], even though I am not allowed to deliver emails for victim.org, effectively bypassing the SPF check.

Is there a way to fix that? It seems that only DMARC is able to prevent this, but if that's true, what is the point of SPF checks?


Solution 1:

Just to complete your list of various "From" values, I would add:

  • From, which is the header set by the client and defined in RFC 5322 (RFC 5322.From)
  • Reply to is also a header set by the client and defined in RFC 5322
  • Return path and Envelope from both refer to the argument of the MAIL FROM command during SMTP session (RFC 5321.MailFrom)

The purpose of DMARC is to convey the policy to apply to messages that fail both SPF and DKIM, instead of relying on the local policies. This policy is expressed by the owner of the domain name of the sender (using the p= parameter of the DMARC record).

During DMARC evaluation, there is an identifier alignment check (see RFC 7489 Section 3.1) that ensures that either:

  • the domain name of the RFC 5321.MailFrom of the passed SPF matches the domain of the RFC 5322.From
  • the domain name used in the passed DKIM matches the domain of the RFC 5322.From

So to fix your problem, you should publish a DMARC record in the victim.org DNS zone:

_dmarc.victim.org IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]"

This will ensure that a failed identifier alignment, as in your example, will lead to a DMARC failure and the message will be flagged as spam.

The point of the SPF check is to ensure that the IP address of the client during the SMTP session is allowed by the owner of hacker.net. In your example, SPF is here to protect hacker.net, not victim.org :-)

If you want a bird's-eye view, I published a post with an illustration of how SPF, DKIM and DMARC work together to prevent spear-phishing (scroll to the middle of the post).
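As an added illustration (not code from the question or the answer above), the following evaluates the DMARC identifier alignment the answer describes against the question's scenario. The organizational-domain derivation is a simplification (last two labels) and the record's rua address is a constructed placeholder; real evaluators use the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption; real
    evaluators use the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment compares organizational domains;
    strict ('s') requires an exact match (RFC 7489 Section 3.1)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class Message:
    header_from: str            # RFC 5322.From domain (what the client shows)
    mail_from: str              # RFC 5321.MailFrom / Return-Path domain
    spf_pass: bool              # SPF result for mail_from vs the connecting IP
    dkim_domain: Optional[str]  # d= of a verified DKIM signature, or None

def dmarc_pass(msg: Message, aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes if SPF or DKIM passed AND that domain aligns with From."""
    spf_ok = msg.spf_pass and aligned(msg.mail_from, msg.header_from, aspf)
    dkim_ok = msg.dkim_domain is not None and aligned(msg.dkim_domain, msg.header_from, adkim)
    return spf_ok or dkim_ok

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def disposition(msg: Message, record: str) -> str:
    """'pass' when DMARC passes, otherwise the p= policy the owner published."""
    tags = parse_dmarc(record)
    if dmarc_pass(msg, tags.get("aspf", "r"), tags.get("adkim", "r")):
        return "pass"
    return tags.get("p", "none")

# Constructed samples: the question's scenario (SPF passes, but for hacker.net)
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@victim.org"  # constructed
SPOOF = Message("victim.org", "hacker.net", True, None)
LEGIT = Message("victim.org", "victim.org", True, None)
SUBDOMAIN = Message("victim.org", "bounce.victim.org", True, None)
```

With the record from the answer, the spoofed message gets the quarantine disposition even though SPF passed for hacker.net, while the subdomain case passes under relaxed alignment and fails under strict (aspf=s).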