On Fri, Feb 9, 2024 at 9:56 AM Gellner, Oliver via mailop <mailop@mailop.org>
wrote:

> Whether an email passes SPF or DKIM is no indicator of whether it's spam.
> It just allows you to tie messages to the reputation of a domain, similar
> to how you rate messages based on the IP address they are coming from.
> While I'm no advocate on external email forwarding, SPF does not perform a
> good job on identifying emails regardless of forwarding. Most companies
> send emails from shared IP addresses (Office 365, GSuite, Sendgrid, Amazon
> SES, ...), so their SPF records are all, well... identical, which is not
> really useful to tell them apart. This opens a window for various attacks,
> see for example the recent SMTP smuggling attack. A better approach would
> be to get rid of SPF and base DMARC solely on DKIM.
>

Well, this is why I distinguish a properly set SPF record.

A sender has to know EXACTLY what IPs are going to be sending out
legitimate emails from their domain name.  Not a "maybe these IPs" or
"sometimes this IP and sometimes this other IP" it has to be an EXACT
list.  And if the sender doesn't know what the EXACT list is... then what
else are they forgetting?

But external forwarders are always going to break this.

PayPal can list EXACTLY all of the IPs that they will send out messages
from.  And if you're not using an external email forwarder to receive your
email, then you can be sure that any email coming from the paypal.com
domain name that is being sent from an IP published in that SPF list
actually came from PayPal (now whether or not the PayPal servers have
been hacked or compromised is another story - insert whatever
domain/organization you want in place of PayPal, the lesser the
organization the more likely that security is not a paramount concern).
But the second you forward mail from PayPal to an external email address,
the precise SPF record is rendered useless.

This is why organizations never bothered to set EXACT SPF records, because
what was the point?  External forwarders were too prevalent to make it
worthwhile.

This is why we can't have nice things.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
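To make the two points argued in this thread concrete (an exact ip4 list passes only for direct delivery and fails once a forwarder re-sends from its own IP; tenants of one shared provider end up with identical authorized address sets), here is a simplified SPF evaluator added to this page. It is not code from the thread, handles only ip4/ip6/include/all terms, and uses constructed domains and addresses.

```python
import ipaddress

# Constructed DNS view: hypothetical domains and documentation-range addresses,
# not real published SPF records.
SPF_RECORDS = {
    "exact-sender.example": "v=spf1 ip4:198.51.100.0/28 -all",
    "shared-provider.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "tenant-a.example": "v=spf1 include:shared-provider.example -all",
    "tenant-b.example": "v=spf1 include:shared-provider.example -all",
}

MAX_INCLUDE_DEPTH = 10  # crude stand-in for the RFC 7208 DNS-lookup limit


def authorized_networks(domain, depth=0):
    """Flatten ip4:/ip6:/include: terms into the networks allowed to send for `domain`."""
    if depth > MAX_INCLUDE_DEPTH or domain not in SPF_RECORDS:
        return []
    nets = []
    for term in SPF_RECORDS[domain].split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets.extend(authorized_networks(term[len("include:"):], depth + 1))
    return nets


def spf_result(domain, client_ip):
    """Check the connecting IP against the domain's record: pass/fail/softfail/neutral/none."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in authorized_networks(domain)):
        return "pass"
    # No mechanism matched: the trailing "all" qualifier decides the outcome.
    qualifiers = {"-all": "fail", "~all": "softfail", "?all": "neutral", "+all": "pass", "all": "pass"}
    return qualifiers.get(record.split()[-1], "neutral")


if __name__ == "__main__":
    # Direct delivery from a listed IP passes; the same message relayed by a
    # forwarder (envelope domain unchanged, new connecting IP) fails hard.
    print("direct   :", spf_result("exact-sender.example", "198.51.100.5"))
    print("forwarded:", spf_result("exact-sender.example", "192.0.2.77"))
    # Two tenants of one shared provider authorize exactly the same networks.
    print("identical:", authorized_networks("tenant-a.example") == authorized_networks("tenant-b.example"))
```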