Email Spoofing - SPF record

nagug Member
edited September 2020 in Help

All,
How does SPF work? Suppose I have a domain like bmssend.com (benchmarkemail marketing) which is allowed in SPF. Will this allow the IPs listed to send email using your domain?

Say the following IP ranges are listed as allowed when I check with SPF-record.com:
ipv4: 207.8.96.0/23
ipv4: 38.95.104.0/23
ipv4: 38.126.54.0/24
ipv4: 216.4.238.0/24
ipv4: 12.174.236.0/24
ipv4: 12.206.206.0/24
ipv4: 12.110.193.0/25
ipv4: 38.107.205.0/25
ipv4: 142.44.134.32/27
ipv4: 148.62.44.77

Does it mean all the IPs in the ranges can send email? Based on the list I assume more than 1000+ IPs.

If bmssend does not own all the IPs, can any hacker who has one of the IPs send a spoofed email and pass SPF checks?

Comments

  • nagug said: Does it mean all the IPs in the ranges can send email? Based on the list I assume more than 1000+ IPs.

    If bmssend does not own all the IPs, can any hacker who has one of the IPs send a spoofed email and pass SPF checks?

    Yes to all these questions. However, I can't think of a reason why an email sending service provider would list an IP they do not own, so there is not much to worry about.

  • SPF shouldn't be the only protection you have anyways. You should have DKIM and DMARC enabled. SPF alone would already be susceptible to BGP hijacking.

  • SPF is one of those things that's a good idea on paper, but when put into practice doesn't really follow through.

    There's still way too many people that are using email forwarders in their control panels, which invalidates the SPF record from the original sending side. Instead of everyone shunning forwarders like this a play is made to use SRS to account for all of this. So instead of actually solving the problem, people just want to create something else to appease the masses.

    Then from that - at least in my humble opinion - SPF only makes sense if you can use the -all modifier. An owner of a domain name should know exactly what IPs their messages are being sent out from. If you don't know what IPs messages from your domain name are being sent out from... then what good are you? But because that task is such a tall order for most people, the recommended modifier is ~all - which is like saying "Messages from this domain should probably come from the IPs listed in this SPF record... but there might be some that are sent from other IPs that we have listed... so even if a message comes from an unlisted IP that doesn't necessarily mean you should flag it" ... which leads to the question, what's the point of SPF then?

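
Added example, not code from the thread or from Benchmark Email: a minimal offline evaluator for the SPF mechanisms the opening post and the comment above are discussing. DNS is replaced by a constructed table. The bmssend.com record is assembled from the ip4 ranges quoted in the opening post; the domains strict.example, soft.example and forwarder.example and the addresses 203.0.113.10 and 198.51.100.7 are assumed for illustration. It shows that any address inside a listed range passes regardless of who actually holds it, how many addresses those ranges add up to, what -all versus ~all returns for an unlisted sender, and why a plain forwarder fails SPF while an SRS-rewritten envelope sender passes.

```python
"""Minimal SPF (RFC 7208) check_host() evaluator that runs offline.

Added example, not from the thread. DNS TXT lookups are replaced by the
constructed table below; only ip4/ip6/include/all are modelled.
"""
import ipaddress

# Constructed stand-in for DNS (assumption, not live data). The bmssend.com
# entry uses the ip4 ranges quoted in the thread; the others are hypothetical.
SPF_RECORDS = {
    "bmssend.com": (
        "v=spf1 ip4:207.8.96.0/23 ip4:38.95.104.0/23 ip4:38.126.54.0/24 "
        "ip4:216.4.238.0/24 ip4:12.174.236.0/24 ip4:12.206.206.0/24 "
        "ip4:12.110.193.0/25 ip4:38.107.205.0/25 ip4:142.44.134.32/27 "
        "ip4:148.62.44.77 -all"
    ),
    # Customer domain that delegates to bmssend.com and hard-fails everything else.
    "strict.example": "v=spf1 ip4:203.0.113.10 include:bmssend.com -all",
    # Same sources, but with the ~all softfail most guides recommend.
    "soft.example": "v=spf1 ip4:203.0.113.10 include:bmssend.com ~all",
    # A forwarding host; with SRS it rewrites MAIL FROM to its own domain.
    "forwarder.example": "v=spf1 ip4:198.51.100.7 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """SPF result for connecting IP `ip` using envelope-sender domain `domain`."""
    if depth > 10:                       # RFC 7208 caps include recursion
        return "permerror"
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"                    # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qual = "+"                       # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]      # "-all" -> fail, "~all" -> softfail
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # An address anywhere inside the prefix matches, whoever holds it.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "include":
            # include: matches only when the referenced record returns pass
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"           # a, mx, exists, redirect= not modelled
    return "neutral"                     # nothing matched and no "all" term


def count_ip4_addresses(domain):
    """Number of IPv4 addresses the ip4: terms of a record authorise."""
    total = 0
    for term in SPF_RECORDS[domain].split():
        if term.lstrip("+-~?").startswith("ip4:"):
            prefix = term.split(":", 1)[1]
            total += ipaddress.ip_network(prefix, strict=False).num_addresses
    return total


def forwarded_result(ip, original_domain, forwarder_domain, srs):
    """(domain evaluated, SPF result) as seen by a receiver after a forwarding hop.

    Without SRS the forwarder keeps the original MAIL FROM, so the receiver
    checks the original domain's record against the forwarder's IP. With SRS
    the forwarder rewrites MAIL FROM to SRS0=...@forwarder_domain, so its own
    record is checked instead.
    """
    domain = forwarder_domain if srs else original_domain
    return domain, check_host(ip, domain)


if __name__ == "__main__":
    print("addresses authorised by bmssend.com:", count_ip4_addresses("bmssend.com"))
    print("inside a listed /23:", check_host("207.8.97.5", "strict.example"))
    print("unlisted IP, -all:  ", check_host("198.51.100.7", "strict.example"))
    print("unlisted IP, ~all:  ", check_host("198.51.100.7", "soft.example"))
    print("forward, no SRS:    ", forwarded_result("198.51.100.7", "strict.example", "forwarder.example", srs=False))
    print("forward, with SRS:  ", forwarded_result("198.51.100.7", "strict.example", "forwarder.example", srs=True))
```

A real resolver also evaluates a, mx, exists and redirect=, enforces the ten-lookup limit and returns temperror on DNS failures; this evaluator returns permerror for anything it does not model. The SRS case shows the trade the comment above objects to: the message now passes SPF, but for the forwarder's domain, not the original sender's.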
  • @Brend4n said:
    SPF shouldn't be the only protection you have anyways. You should have DKIM and DMARC enabled. SPF alone would already be susceptible to BGP hijacking.

    You forgot one thing: DNSSEC. If someone can spoof your nameservers, SPF/DKIM/DMARC is pretty much useless. So before doing anything else, I'd recommend starting with securing DNS.

  • @nagug said: Does it mean all the IPs in the ranges can send email? Based on the list I assume more than 1000+ IPs.

    To begin with, there's little or no point in having such an SPF record. That's the problem already.

  • @Brend4n said:
    SPF shouldn't be the only protection you have anyways. You should have DKIM and DMARC enabled. SPF alone would already be susceptible to BGP hijacking.

    Won't I be able to use variations of mailsploit to bypass DMARC?

    @Jarry said:

    @Brend4n said:
    SPF shouldn't be the only protection you have anyways. You should have DKIM and DMARC enabled. SPF alone would already be susceptible to BGP hijacking.

    You forgot one thing: DNSSEC. If someone can spoof your nameservers, SPF/DKIM/DMARC is pretty much useless. So before doing anything else, I'd recommend starting with securing DNS.

    DNSSEC definitely is good advice.

    My understanding is that most mail filters should be able to flag spoofed email. Of course it becomes harder if somebody bypasses DMARC and SPF.

  • You can set up a DMARC policy which rejects any emails which fail either SPF or DKIM. You can also have the reports sent to you so that you can review them.

    Here is the TXT record you will need for your _dmarc.YOURDOMAIN.COM host.

    v=DMARC1;p=reject;pct=100;rua=mailto:[email protected];ruf=mailto:[email protected];fo=1;sp=reject;
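
Added example, not part of the post above: how a receiver applies a record of that shape. DMARC passes when at least one of SPF or DKIM both passes and aligns with the domain in the visible From: header; the p= policy (or sp= for a subdomain) is applied only when neither does. The record text with its reporting address dmarc@strict.example, the domains strict.example, bmssend.com, forwarder.example and attacker.example, and the SPF/DKIM outcomes fed in are all assumed for illustration; the organizational-domain logic is simplified to the last two labels instead of the Public Suffix List.

```python
"""Offline DMARC (RFC 7489) alignment and policy evaluation.

Added example, not from the thread. Domains, addresses and the record text
are constructed for illustration.
"""

# Constructed record in the shape of the one quoted in the thread, with a
# hypothetical reporting address.
DMARC_RECORD = (
    "v=DMARC1;p=reject;pct=100;rua=mailto:dmarc@strict.example;"
    "ruf=mailto:dmarc@strict.example;fo=1;sp=reject;"
)


def parse_dmarc(txt):
    """Split 'tag=value;tag=value' into a dict; v= and p= are mandatory."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Assumption: a real implementation consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, header_from, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return 'pass', or the policy ('none', 'quarantine', 'reject') to apply.

    header_from: domain of the RFC5322.From header (what the recipient sees)
    spf_domain:  domain SPF was evaluated for (MAIL FROM, or HELO if empty)
    dkim_domain: d= of a signature that verified, or None if there was none
    """
    tags = parse_dmarc(record)
    spf_ok = (spf_result == "pass"
              and aligned(spf_domain, header_from, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, header_from, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"                      # one aligned pass is enough
    # Neither identifier passed and aligned: apply p=, or sp= for a subdomain.
    policy = tags["p"]
    if header_from.lower() != org_domain(header_from) and "sp" in tags:
        policy = tags["sp"]
    return policy


if __name__ == "__main__":
    cases = [
        ("via bmssend, SPF aligned",       "strict.example",      "pass", "strict.example",    "pass", "bmssend.com"),
        ("plain forward, DKIM survives",   "strict.example",      "fail", "strict.example",    "pass", "strict.example"),
        ("SRS forward, body modified",     "strict.example",      "pass", "forwarder.example", "fail", "strict.example"),
        ("spoof from attacker's own IP",   "strict.example",      "pass", "attacker.example",  "none", None),
        ("subdomain From, nothing aligns", "news.strict.example", "none", "news.strict.example", "none", None),
    ]
    for name, *args in cases:
        print(f"{name:32s} -> {dmarc_evaluate(DMARC_RECORD, *args)}")
```

The third case is the one the earlier forwarding discussion leads to: once a forwarder rewrites the envelope sender, SPF passes for the forwarder's domain but no longer aligns with the From: header, so the message survives DMARC only if the original DKIM signature is still intact. pct= is parsed but not applied here; a real receiver samples that percentage of failing messages before enforcing the policy.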

  • I like how DMARC was created to, in part, tell hosts what to do when a message fails SPF ... which is what SPF should have been doing from the start. We're really like a dog chasing its tail in all of this.

    It basically all boils down to people not wanting to change their email habits. So instead of solving the email problems at the root we keep developing newer methods that MIGHT help this one particular subset of users and then another one that MIGHT help another subset of users.

  • zenki Member
    edited September 2020

    For the highest security of running a mailserver I have these:
    Secure IP Announcements with IRR & RPKI ROA
    DNSSEC, DMARC, SPF, DKIM + locked the domain (clientTransferProhibited, update, delete etc.). I guess this is the most secure you can get...
