On 09.02.2024 at 18:22 Scott Mutter via mailop wrote:

On Fri, Feb 9, 2024 at 9:56 AM Gellner, Oliver via mailop <mailop@mailop.org> wrote:
While I'm no advocate on external email forwarding, SPF does not perform a good 
job on identifying emails regardless of forwarding. Most companies send emails 
from shared IP addresses (Office 365, GSuite, Sendgrid, Amazon SES, ...), so 
their SPF records are all, well... identical, which is not really useful to 
tell them apart. This opens a window for various attacks, see for example the 
recent SMTP smuggling attack. A better approach would be to get rid of SPF and 
base DMARC solely on DKIM.

Well, this is why I distinguish a properly set SPF record.

A sender has to know EXACTLY what IPs are going to be sending out legitimate 
emails from their domain name.  Not a "maybe these IPs" or "sometimes this IP 
and sometimes this other IP" it has to be an EXACT list.  And if the sender 
doesn't know what the EXACT list is... then what else are they forgetting?

But external forwarders are always going to break this.

PayPal can list EXACTLY all of the IPs that they will send out messages from.

Yes, but this requires that every sender has their own distinct IP addresses. 
However, e.g. the over one million companies which use Office365 send their email 
from the same servers and IP addresses. So even if they all had strict SPF 
entries for their domains, this wouldn't help to tell them apart. (For this 
reason the BIMI logo display within Gmail for example relies only on DKIM when 
performing its DMARC verification, because SPF is too easy to forge.)

The same applies to messages sent via Gsuite, Amazon SES and almost all other 
email service providers, including all shared hosting platforms on the planet. 
There are only a few SaaS providers like Cisco that provide unique sending IP 
addresses for each customer.
That’s why SPF should be retired in my opinion - it was invented in and for a 
different era when most senders were running their own MTA.

—
BR Oliver
________________________________
dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Telefon 0721 5592-2500 Telefax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher
________________________________
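Oliver's two points above (on a shared platform an aligned SPF pass cannot tell tenants apart, while forwarding breaks SPF for legitimate mail that DKIM still authenticates) modelled as an added toy DMARC evaluator. This is example code written for this thread, not code from the list or any provider; the IPs, domains and SPF table are constructed stand-ins, and DKIM verification is reduced to "a signature with this d= verified".

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: one sending IP shared by every customer of a hosted
# mail platform, and two customer domains whose SPF records both authorize it.
SHARED_IP = "203.0.113.10"
SPF_AUTHORIZED = {          # domain -> IPs its SPF record allows (toy lookup, no DNS)
    "tenant-a.example": {SHARED_IP},
    "tenant-b.example": {SHARED_IP},
}

@dataclass
class Message:
    client_ip: str          # IP of the connecting MTA
    mail_from: str          # RFC5321.MailFrom domain (what SPF checks)
    from_header: str        # RFC5322.From domain (what DMARC aligns against)
    dkim_d: Optional[str]   # d= of a signature that verified, None if none did

def org_domain(domain: str) -> str:
    # Simplified organizational domain: last two labels (no Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str) -> bool:
    # DMARC relaxed alignment: organizational domains must match.
    return org_domain(auth_domain) == org_domain(from_domain)

def spf_pass(mail_from: str, client_ip: str) -> bool:
    return client_ip in SPF_AUTHORIZED.get(mail_from, set())

def dmarc_evaluate(msg: Message, dkim_only: bool = False) -> dict:
    """Report which aligned identifier passes and the resulting DMARC verdict.
    dkim_only=True models the stricter DKIM-only policy proposed in the thread."""
    spf_aligned = spf_pass(msg.mail_from, msg.client_ip) and aligned(msg.mail_from, msg.from_header)
    dkim_aligned = msg.dkim_d is not None and aligned(msg.dkim_d, msg.from_header)
    verdict = dkim_aligned or (spf_aligned and not dkim_only)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned, "dmarc_pass": verdict}

# Three constructed messages, all carrying From: tenant-a.example
LEGIT = Message(SHARED_IP, "tenant-a.example", "tenant-a.example", "tenant-a.example")
# Same shared IP, envelope claims tenant-a, but no signature made with tenant-a's key.
CROSS_TENANT = Message(SHARED_IP, "tenant-a.example", "tenant-a.example", None)
# Legitimate mail relayed by an external forwarder: IP changes, DKIM signature survives.
FORWARDED = Message("198.51.100.7", "tenant-a.example", "tenant-a.example", "tenant-a.example")

if __name__ == "__main__":
    for name, m in [("legit", LEGIT), ("cross-tenant", CROSS_TENANT), ("forwarded", FORWARDED)]:
        print(name, "spf+dkim:", dmarc_evaluate(m), "dkim-only:", dmarc_evaluate(m, dkim_only=True))
```

The cross-tenant case is the one SPF cannot catch on shared infrastructure, and the forwarded case is the one DKIM rescues; only the DKIM-only policy gets both verdicts right.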