SPF is not a security feature, as it solves the wrong problem

April 10, 2016

SPF is one of my hot button issues, or rather how all too often influential people seem to think that SPF is a good idea. A lot of the time these people seem to think that a hard-fail SPF policy is a security feature, something that will prevent forgery of email as being from their company or organization. These people are wrong, at least in any practical sense.

The problem with SPF as a security feature is that it protects the wrong thing. To the extent that it does anything, SPF protects the (SMTP) envelope sender, ie the MAIL FROM domain, and the envelope sender is effectively invisible to people reading their email. I am an email expert and even I do not configure my mail client to display the envelope sender; like everyone else, I see the From: header. Ordinary people generally don't even know that a separate envelope sender address exists.

What this means is that an attacker who wants to forge email from your domain is not at all deterred by your hard-fail SPF policy. They just put something else in the envelope sender, put your domain in the From:, and mail away. It's extremely unlikely that anyone will notice anything or that any automated systems will lower the reputation score of these forged email messages (at least for that reason). And I'm being extremely generous here, since I'm assuming that people even see or look at the domain of the From: address, as opposed to simply seeing some user-friendly version of it that may be based on, eg, the name in the From: instead of the domain.

(For example, GMail will show you the domain of the From: but it seems to de-emphasize it, using smaller type in a lighter shade compared to the person's display name. If people aren't already suspicious, how likely are they to notice a mismatch in such a thing?)

If you want a security feature that tries to block people forging your domain in a meaningful sense, you want DMARC. DMARC specifically exists to protect the From: domain and in the process the integrity of your legitimate email, so that it can't be either forged or altered. SPF has nothing to do with this. Of course even preventing forged From: domains is not a great protection, but at least DMARC does something useful with only moderate collateral damage, unlike hard-fail SPF.
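To make the envelope-versus-header distinction concrete, here is an added example (not from the original post) of the checks a receiving MTA would apply: SPF is evaluated only against the MAIL FROM domain, while DMARC asks whether the From: header domain aligns with an identifier that actually passed. The SPF records, domains and IPs are a constructed in-memory table standing in for DNS; strict alignment only, relaxed organizational-domain matching is omitted.

```python
"""Toy evaluation of SPF vs. DMARC alignment for one received message.

Added example, not from the original post. SPF records are a constructed
in-memory table instead of DNS lookups, so this runs offline.
"""
from email.utils import parseaddr

# Constructed SPF data: domain -> IPs its (hypothetical) SPF record authorizes.
# The forger's own domain publishes a perfectly valid SPF record, too.
SPF_AUTHORIZED = {
    "example.org": {"192.0.2.10"},         # the domain being impersonated
    "attacker.example": {"198.51.100.7"},  # domain the forger actually controls
}

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def spf_check(mail_from: str, client_ip: str) -> str:
    """SPF looks only at the envelope MAIL FROM domain and the sending IP."""
    domain = _domain(mail_from)
    if domain not in SPF_AUTHORIZED:
        return "none"
    return "pass" if client_ip in SPF_AUTHORIZED[domain] else "fail"

def header_from_domain(headers: dict) -> str:
    """Domain of the From: header, the address a human reader actually sees."""
    _, addr = parseaddr(headers.get("From", ""))
    return _domain(addr)

def dmarc_alignment(headers, mail_from, spf_result, dkim_pass_domains=()) -> bool:
    """DMARC: From: domain must match a passing SPF or DKIM identifier (strict)."""
    from_domain = header_from_domain(headers)
    spf_aligned = spf_result == "pass" and _domain(mail_from) == from_domain
    dkim_aligned = from_domain in {d.lower() for d in dkim_pass_domains}
    return spf_aligned or dkim_aligned

def evaluate(mail_from, client_ip, headers, dkim_pass_domains=()):
    spf = spf_check(mail_from, client_ip)
    aligned = dmarc_alignment(headers, mail_from, spf, dkim_pass_domains)
    return {"spf": spf, "dmarc_aligned": aligned}

if __name__ == "__main__":
    # Constructed message: envelope sender is the forger's own domain,
    # visible From: claims the impersonated domain. SPF passes; DMARC does not.
    print(evaluate("bounce@attacker.example", "198.51.100.7",
                   {"From": "CEO <ceo@example.org>"}))
```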

(SPF does not really solve any problem, especially these days. The one problem it might solve it doesn't because lots of MTAs sensibly ignore it. See the sidebar here and of course SPF also has major downsides.)

Written on 10 April 2016.