SPF records whitelist legitimate mailservers in the DNS record. Incoming mail servers reject mails whose outgoing mailserver is not on the whitelist. But what is preventing a spoofer from creating a mail and relaying it that he claims came from a whitelisted server? The server being handed that mail would look at the forged entry of the mail and it would match up with the whitelist.
1 Answer
SPF is only concerned with the (apparent) sender address and the currently connected SMTP client.
RFC 7208 says about an imaginary function check_host that verifies SPF:
    The check_host() function takes these arguments:

    <ip>     - the IP address of the SMTP client that is emitting the mail, either IPv4 or IPv6.
    <domain> - the domain that provides the sought-after authorization information; initially, the domain portion of the "MAIL FROM" or "HELO" identity.
    <sender> - the "MAIL FROM" or "HELO" identity.
Only the “last” relaying MTA has to be authorized in the SPF rules. Everything else doesn’t count.
As a result: if relays use the original 'MAIL FROM' when relaying, they fail the check even if they're legitimate; if relays use their own domain in 'MAIL FROM', they pass the SPF check with no problem, but fail DMARC alignment checks instead... Commented Oct 23, 2019 at 11:03
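To make the answer's point and the comment's relay cases concrete, here is an added, simplified check_host() model (not code from the answer or from RFC 7208); it handles only ip4/ip6 mechanisms and the all terminator, uses a constructed dict in place of DNS TXT lookups, and adds a strict DMARC SPF-alignment check between the MAIL FROM domain and the From: header domain.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these are not real zones.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip6:2001:db8::25 -all",
    "relay.example.net": "v=spf1 ip4:198.51.100.7 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain):
    """Simplified RFC 7208 check_host(): only the connecting client IP and the
    MAIL FROM domain are consulted. Anything inside the message (From:, Received:)
    plays no role. Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # Mismatched address families never match (ipaddress returns False).
            matched = client in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # a, mx, include, etc. are omitted in this simplified model
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def evaluate(client_ip, mail_from, header_from):
    """Return (spf_result, dmarc_spf_aligned) for one SMTP delivery.
    Strict alignment: the SPF-authenticated MAIL FROM domain must equal the
    RFC5322.From domain that the recipient actually sees."""
    mail_from_domain = mail_from.rsplit("@", 1)[-1].lower()
    header_from_domain = header_from.rsplit("@", 1)[-1].lower()
    spf = check_host(client_ip, mail_from_domain)
    return spf, spf == "pass" and mail_from_domain == header_from_domain


if __name__ == "__main__":
    print(evaluate("192.0.2.10", "alice@example.com", "alice@example.com"))   # legitimate MTA
    print(evaluate("203.0.113.5", "alice@example.com", "alice@example.com"))  # spoofer, forged headers irrelevant
    print(evaluate("198.51.100.7", "alice@example.com", "alice@example.com"))  # relay keeps MAIL FROM
    print(evaluate("198.51.100.7", "bounce@relay.example.net", "alice@example.com"))  # relay rewrites MAIL FROM
```

The last two calls reproduce the comment's dilemma: a relay that keeps the original MAIL FROM fails SPF, while one that substitutes its own domain passes SPF but is not aligned with the From: header.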