3

Suppose I activate SPF in my environment. I am now strictly enforcing SPF records from sending domains. There are many execs in the company who like to forward news stories from CNN and such to their co-workers. When I send the article, CNN asks me for my email address and the email addres of the person I am sending it to. So I fill out joe@somehwere.com in the sender addres an bob@somewhere.com in the to address. Now my DNS records for somewhere.com only lists the two SMTP servers at my company (as it should). The email comes in from CNN's SMTP server and is blocked since its IP is not registered in my SPF record?

This is one 'drawback' I see to SPF. Is the practice of sending emails from web sites like this not a good idea from a security standpoint? Are there any other potential issues with strictly implementing SPF?

ChrisLoris
  • 151
  • 5

2 Answers2

4

To me, that's the primary benefit of SPF, not a drawback. What's happening is that you've prevented CNN (and spammers) from spoofing your email servers. That's a terrible practice that they're engaged in, and I'm sure they're doing it primarily to harvest email addresses for their own uses, marketing or otherwise. If your users are complaining that the links aren't getting through, I'd use it as an opportunity to teach them how to paste a URL into Outlook and send it properly.

Xander
  • 35,796
  • 27
  • 116
  • 144
2

SPF does not attempt to verify the domain in the From: address, only that in the MAIL FROM SMTP command (envelope). It's possible to implement a 'share this link' feature setting with a user-supplied From: header but a genuine envelope-MAIL FROM, without SPF complaining.

Unfortunately CNN are spoofing the MAIL FROM as well, which seems pretty daft - they should fix that.

(Sender ID does try to validate the From/Resent-From address, but that's a different game.)

Is the practice of sending emails from web sites like this not a good idea from a security standpoint?

Personally I don't think it's a good idea in general - pretending to be coming from another address is just confusing. It would be better IMO to send with From as a genuine (potentially noreply) address, with the submitted from-user listed in the Reply-To and a note at the top. ("bob@example.com thought you would be interested in this news story...")

bobince
  • 12,694
  • 1
  • 28
  • 42