On Fri, 14 Apr 2023, Cyril - ImprovMX via mailop wrote:
> Hi!
> What is the best approach when you receive an email that doesn't respect
> the SPF (with a hard fail)?
> I'm asking because we've been running ImprovMX for a few years now and the
> decision we took was that if you send us an email with an SPF that is
> failing ("-a"), we immediately refuse the email.
> For me, the reason was pretty straightforward; you set your SPF in a way
> that you ask for it to fail, so it makes sense that we refuse it if ... it
> fails.
> But I just discovered that, among others, Google Workspace and Namecheap
> break the SPF when they *forward* an email!
> If you set up a forwarding for your email, say "supp...@domain.com" that
> redirects to al...@destination.com and send an email from b...@example.com
> to supp...@domain.com, the server @destination.com will see an email coming
> from b...@example.com, but with the IPs of Google (or Namecheap).
> Since b...@example.com hasn't put the Google (or Namecheap) IPs in their SPF
> because they don't use it, their email will break SPF at @destination.com
> domain.

Well, a mail server forwarding SPF-protected messages is supposed to use SRS;
I presume you have allowed for that?

I don't assume that everyone uses SRS (for more than a decade I worried about
a theoretical slightly-open relay attack) so I have always used "~all"
rather than "-all".
Anyone who forwards email and uses "-all" is implicitly leaving themselves
open to this ... and they can avoid it by switching to "~all".

> So, since Google Workspace and Namecheap are doing this, it means that
> others are certainly also doing this.
> What would be the best behavior here? Should we rely on both the SPF AND
> DKIM to refuse an email (compared to just the SPF), even if no DMARC is
> set?
> Should we allow all emails, even those who fail SPF?
> Should we only block when DMARC is set and fails?
> What is the best approach here?
> I personally don't want to accept emails that fail SPF with no further
> checks, otherwise it will be hell on the amount of emails we'll handle.

Many people use SPF failure (and DKIM, DMARC and ARC) to increase
spam-score, rather than an all-out block.
Do you have an actual measure of how much spam this is currently blocking?
It *may* not be as bad as you think.
--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk
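
The forwarding case discussed in this thread, as an added example (not code from either poster): a minimal SPF evaluator over constructed records shows the hard fail at the destination when the forwarder keeps the original envelope sender, and the pass when it rewrites the sender SRS-style. The SPF records, IP ranges, the address sender@example.com, the secret and the simplified SRS0 hashing are assumptions for illustration.

```python
import base64, hashlib, hmac, ipaddress

# Constructed SPF records (documentation IP ranges, not real DNS data).
SPF = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",     # original sender, hard fail
    "domain.com": "v=spf1 ip4:198.51.100.0/24 ~all",   # forwarder
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(mail_from, client_ip):
    """Minimal SPF check: only ip4 mechanisms and 'all' are understood."""
    record = SPF.get(mail_from.rsplit("@", 1)[1])
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all" or (mech.startswith("ip4:")
                             and ip in ipaddress.ip_network(mech[4:])):
            return RESULT[qualifier]
    return "neutral"

def srs0_rewrite(mail_from, forwarder, secret, day):
    """Simplified SRS0 rewrite: SRS0=hash=timestamp=domain=local@forwarder."""
    local, domain = mail_from.rsplit("@", 1)
    b32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    day %= 1024                                  # 10-bit day counter, two base32 chars
    stamp = b32[day >> 5] + b32[day & 31]
    mac = hmac.new(secret, (stamp + domain + local).lower().encode(),
                   hashlib.sha1).digest()
    tag = base64.b64encode(mac).decode()[:4]     # short keyed hash against forgery
    return f"SRS0={tag}={stamp}={domain}={local}@{forwarder}"

def scenarios():
    """SPF result seen by the receiver in each delivery path."""
    sender, fwd_ip = "sender@example.com", "198.51.100.7"   # constructed values
    srs = srs0_rewrite(sender, "domain.com", b"constructed-secret", 19461)
    return {
        "direct": spf_result(sender, "192.0.2.10"),
        "forwarded, envelope kept": spf_result(sender, fwd_ip),
        "forwarded, SRS rewrite": spf_result(srs, fwd_ip),
    }

if __name__ == "__main__":
    for path, result in scenarios().items():
        print(f"{path}: {result}")
```
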