
SPF records whitelist legitimate mailservers in the DNS record. Incoming mail servers reject mails whose outgoing mailserver is not on the whitelist. But what is preventing a spoofer from creating a mail and relaying it that he claims came from a whitelisted server? The server being handed that mail would look at the forged entry of the mail and it would match up with the whitelist.

1 Answer


SPF is only concerned with the (apparent) sender address and the currently connected SMTP client.

RFC 7208 says about an imaginary function check_host that verifies SPF:

The check_host() function takes these arguments:

   <ip>     - the IP address of the SMTP client that is emitting
              the mail, either IPv4 or IPv6.

   <domain> - the domain that provides the sought-after authorization
              information; initially, the domain portion of the
              "MAIL FROM" or "HELO" identity.

   <sender> - the "MAIL FROM" or "HELO" identity.

Only the “last” relaying MTA has to be authorized in the SPF rules. Everything else doesn’t count.

As a result: if relays use the original 'MAIL FROM' when relaying, they fail the check even if they're legitimate; if relays use their own domain in 'MAIL FROM', they pass the SPF check with no problem, but fail DMARC alignment checks instead... Commented Oct 23, 2019 at 11:03
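The following is an added example, not code from the answer or the comment above: a cut-down check_host() that takes exactly the three RFC 7208 inputs quoted in the answer (client IP, domain, sender) and evaluates it against a constructed in-memory DNS table instead of real lookups. All domains and addresses are made-up documentation values. Only the ip4, ip6, include and all mechanisms are implemented; a, mx, exists, redirect and macros are treated as permerror. It makes the two points of the thread visible: the header From: is never an input, and a relay that keeps the original MAIL FROM fails while one that uses its own domain passes.

```python
import ipaddress

# Constructed stand-in for DNS TXT records; a real implementation queries DNS.
# All domains and addresses are documentation/example values, not real hosts.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 "
                   "include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "relay.example": "v=spf1 ip4:203.0.113.5 -all",
    "broken.example": "v=spf1 include:missing.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF terms for a domain, or None when it publishes no record."""
    txt = DNS_TXT.get(domain.lower())
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt.split()[1:]


def check_host(ip, domain, sender, depth=0):
    """Simplified RFC 7208 check_host(): only the connecting client <ip> and the
    <domain> taken from MAIL FROM / HELO matter. Supports ip4, ip6, include and
    all; anything else (a, mx, exists, redirect, macros) yields permerror here.
    """
    if depth > 10:   # crude stand-in for RFC 7208's limit of 10 DNS-querying terms
        return "permerror"
    terms = lookup_spf(domain)
    if terms is None:
        return "none"
    client = ipaddress.ip_address(ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if client.version == net.version and client in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = check_host(ip, arg, sender, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):   # RFC 7208 section 5.2
                return "permerror"
            # fail / softfail / neutral: the include simply does not match
        else:
            return "permerror"
    return "neutral"   # no mechanism matched and no explicit "all"


def evaluate_message(client_ip, mail_from, header_from):
    """What a receiving MTA feeds into SPF. header_from is accepted only to make
    the point visible: it is never consulted. A mismatch between MAIL FROM and
    the From: header is what DMARC alignment checks, not SPF."""
    domain = mail_from.rsplit("@", 1)[-1]
    return check_host(client_ip, domain, mail_from)


if __name__ == "__main__":
    # example.com's own server sending as example.com: pass
    print(evaluate_message("192.0.2.10", "alice@example.com", "alice@example.com"))
    # relay.example forwarding with the original MAIL FROM kept: fail (see comment)
    print(evaluate_message("203.0.113.5", "alice@example.com", "alice@example.com"))
    # same relay using its own domain in MAIL FROM: SPF passes regardless of From:
    print(evaluate_message("203.0.113.5", "bounce@relay.example", "ceo@example.com"))
```

The last case is why SPF alone is not a spoofing control: it answers "is 203.0.113.5 allowed to send for relay.example?", and nothing about the header the user sees. Pairing SPF with DMARC (which requires the MAIL FROM domain to align with the From: header domain) is what closes that gap.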
