== SPF is not a security feature, as it solves the wrong problem

SPF is one of my hot button issues, or rather how all too often [[influential people seem to think that SPF is a good idea https://twitter.com/SwiftOnSecurity/status/718899706500227072]]. A lot of the time these people seem to think that a hard-fail SPF policy is a security feature, something that will prevent forgery of email as being from their company or organization. These people are wrong, at least in any practical sense.

The problem with SPF as a security feature is that it protects the wrong thing. To the extent that it does anything, SPF protects the (SMTP) envelope sender, i.e. the _MAIL FROM_ domain, and ~~the envelope sender is effectively invisible to people reading their email~~. I am an email expert and even I do not configure my mail client to display the envelope sender; like everyone else, I see the _From:_ header. Ordinary people generally don't even know that a separate envelope sender address exists.

What this means is that an attacker who wants to forge email from your domain is not at all deterred by your hard-fail SPF policy. They just put something else in the envelope sender, put your domain in the _From:_, and mail away. It's extremely unlikely that anyone will notice anything or that any automated systems will lower the reputation score of these forged email messages (at least for that reason). And I'm being extremely generous here, since I'm assuming that people even see or look at the domain of the _From:_ address, as opposed to simply seeing some user-friendly version of it that may be based on, e.g., the name in the _From:_ instead of the domain. (For example, GMail will show you the domain of the _From:_ but it seems to de-emphasize it, using smaller type in a lighter shade compared to the person's display name. If people aren't already suspicious, how likely are they to notice a mismatch in such a thing?)
If you want a security feature that tries to block people forging your domain in a meaningful sense, [[you want DMARC UnderstandingDMARC]]. DMARC specifically exists to protect the _From:_ domain and in the process the integrity of your legitimate email, so that it can't be either forged or altered. SPF has nothing to do with this. Of course [[even preventing forged _From:_ domains is not a great protection WhySignedEmailWontStopPhishing]], but at least DMARC does something useful with only moderate collateral damage, [[unlike hard-fail SPF https://twitter.com/thatcks/status/718902594136117249]]. (SPF does not really solve any problem, especially these days. The one problem it might solve, it doesn't, because lots of {{AB:MTA:Mail Transfer Agent}}s sensibly ignore it. See [[the sidebar here RemailingDownsides]] and of course [[SPF also has major downsides AnInternetRule]].)
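To make the envelope-versus-header gap from the first half of the post concrete, and the DMARC alignment point from the second, here is a small added illustration (my example, not code from the post). The SPF records and the `TOY_SPF` lookup are constructed stand-ins for real DNS TXT queries, and the sample message, domains and IPs are made up; the relaxed-alignment rule is a deliberate simplification of DMARC's organizational-domain matching.

```python
# Added illustration: SPF is evaluated against the envelope (MAIL FROM) domain,
# so a "pass" there says nothing about the From: header the reader sees unless
# the two domains are aligned (which is the check DMARC adds).
# Assumptions: TOY_SPF stands in for DNS lookups; all data below is constructed.
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for SPF records: domain -> IPs its policy authorizes.
TOY_SPF = {
    "yourcompany.example": {"192.0.2.10"},
    "attacker.example": {"198.51.100.7"},
}

def spf_check(envelope_domain: str, client_ip: str) -> str:
    """Toy SPF evaluation; note it only ever looks at the envelope domain."""
    allowed = TOY_SPF.get(envelope_domain)
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"

def domain_of(addr: str) -> str:
    """Domain part of an address, from either a bare address or 'Name <addr>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def aligned(header_domain: str, envelope_domain: str) -> bool:
    """Simplified DMARC relaxed alignment: same domain or a subdomain of it."""
    return header_domain == envelope_domain or header_domain.endswith("." + envelope_domain)

def assess(mail_from: str, client_ip: str, raw_message: str) -> dict:
    """Report what SPF checked versus what the recipient will see in From:."""
    env_dom = domain_of(mail_from)
    hdr_dom = domain_of(message_from_string(raw_message)["From"])
    spf = spf_check(env_dom, client_ip)
    return {
        "envelope_domain": env_dom,
        "from_header_domain": hdr_dom,
        "spf": spf,
        # Only an aligned SPF pass vouches for the domain the reader sees.
        "spf_protects_from_header": spf == "pass" and aligned(hdr_dom, env_dom),
    }

# Constructed sample: someone else's domain in the envelope, yours in From:.
FORGED = "From: CEO <ceo@yourcompany.example>\nSubject: urgent\n\nwire it today\n"

if __name__ == "__main__":
    print(assess("bounce@attacker.example", "198.51.100.7", FORGED))
    print(assess("ceo@yourcompany.example", "192.0.2.10", FORGED))
```

The first call shows an SPF pass (the envelope domain's own record authorizes the sending IP) that does nothing for the _From:_ domain; the second is the legitimate, aligned case.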