Controversy around SPF - Revision history

Sebastian at 19:41, 21 September 2023

2023-09-21T19:41:02Z

← Older revision		Revision as of 21:41, 21 September 2023
Line 3:		Line 3:
	When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of [[ISP\|ISPs]], such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose.		When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of [[ISP\|ISPs]], such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose.

	Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record to their own domain. This way, all domains sending via - for example - Gmail have all Gmail IPs included in their SPF record. Impersonating a Gmail customer's domain on a Gmail SMTP connection would principally result in SPF pass. Most ISPs - also Gmail - have security measures in place to prevent their users from sending with any domain the are not authorised to send with, but security researchers have recently been able to circumvent those measures.		Big ISPs tend to store all their IPs in a single [[SPF]] record. Customers who use their own domain for sending are instructed to add an include to this SPF record to their own domain. This way, all domains sending via - for example - Gmail have all Gmail IPs included in their SPF record. Impersonating a Gmail customer's domain on a Gmail SMTP connection would principally result in SPF pass. Most ISPs - also Gmail - have security measures in place to prevent their users from sending with any domain the are not authorised to send with, but security researchers have recently been able to circumvent those measures.

	Because [[DMARC]] requires SPF ''or'' [[DKIM]] alignment to pass, this discovery also compromises the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore on big ISPs plattforms as long as this issue hasn't been solved.		Because [[DMARC]] requires SPF ''or'' [[DKIM]] alignment to pass, this discovery also compromises the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore on big ISPs plattforms as long as this issue hasn't been solved.

Sebastian at 15:51, 21 September 2023

2023-09-21T15:51:36Z

← Older revision		Revision as of 17:51, 21 September 2023
Line 9:		Line 9:
	=Mailchannels=		=Mailchannels=

	One extreme example of an [[ESP]] that doesn't limit users to sending with their own domains is [https://support.mailchannels.com/hc/en-us/articles/16918954360845-Secure-your-domain-name-against-spoofing-with-Domain-Lockdown- Mailchannels]. Mailchannels is one of the larger senders. Yet - as of September 2023 - they facilitate impersonation of unauthenticated domains as if it were a feature and, according to their CEO, they have no intention to stop doing so. After [https://youtu.be/NwnT15q_PS8 the company was exposed on DEFCON 31 (2023)], Mailchannels developed a feature named "[https://support.mailchannels.com/hc/en-us/articles/16918954360845-Secure-your-domain-name-against-spoofing-with-Domain-Lockdown- Domain Lockdown]". Mailchannels customers now actively have to set an additional [[DNS]] TXT record in order to limit abuse of their own domain.		One extreme example of an [[ESP]] that doesn't limit users to sending with their own domains is [https://support.mailchannels.com/hc/en-us/articles/16918954360845-Secure-your-domain-name-against-spoofing-with-Domain-Lockdown- Mailchannels]. Mailchannels is one of the larger senders. Yet - as of September 2023 - they facilitate impersonation of unauthenticated domains as if it were a feature and, according to their CEO, they have no intention to stop doing so. After [https://youtu.be/NwnT15q_PS8 the company was exposed on DEFCON 31 (2023)] by Marcello Salvati, Mailchannels developed a feature named "[https://support.mailchannels.com/hc/en-us/articles/16918954360845-Secure-your-domain-name-against-spoofing-with-Domain-Lockdown- Domain Lockdown]". Mailchannels customers now actively have to set an additional [[DNS]] TXT record in order to limit abuse of their own domain.

	Mailchannels customers are usually instructed to set an SPF include that includes all Mailchannels IPs. Combined with the allowance of domain spoofing, this renders all SPF-verifications in mail from those IPs useless. This shows again how severely the weakness in SPF can compromise DMARC and BIMI.		Mailchannels customers are usually instructed to set an SPF include that includes all Mailchannels IPs. Combined with the allowance of domain spoofing, this renders all SPF-verifications in mail from those IPs useless. This shows again how severely the weakness in SPF can compromise DMARC and BIMI.

Sebastian at 14:52, 21 September 2023

2023-09-21T14:52:10Z

← Older revision		Revision as of 16:52, 21 September 2023
Line 21:		Line 21:
	=Conclusion=		=Conclusion=

	As long as this situation remains as it is, DKIM is the authentication method that's least compromised~~. ARC headers should explicitly be entirely ignored~~.		As long as this situation remains as it is, DKIM - locally processed - is the authentication method that's least compromised.

	=Useful links=		=Useful links=

Sebastian at 14:49, 21 September 2023

2023-09-21T14:49:22Z

@@ Line 3: / Line 3: @@
 When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of [[ISP|ISPs]], such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose.
-Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]: Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via - for example - Gmail have all Gmail IPs included in their SPF record. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.
+Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record to their own domain. This way, all domains sending via - for example - Gmail have all Gmail IPs included in their SPF record. Impersonating a Gmail customer's domain on a Gmail SMTP connection would principally result in SPF pass. Most ISPs - also Gmail - have security measures in place to prevent their users from sending with any domain the are not authorised to send with, but security researchers have recently been able to circumvent those measures.
 Because [[DMARC]] requires SPF ''or'' [[DKIM]] alignment to pass, this discovery also compromises the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore on big ISPs plattforms as long as this issue hasn't been solved.

Sebastian at 18:03, 2 September 2023

2023-09-02T18:03:09Z

← Older revision		Revision as of 20:03, 2 September 2023
Line 5:		Line 5:
	Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]: Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via - for example - Gmail have all Gmail IPs included in their SPF record. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.		Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]: Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via - for example - Gmail have all Gmail IPs included in their SPF record. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.

	Because [[DMARC]] requires SPF ''or'' [[DKIM]] alignment to pass, this discovery also ~~implicates~~ the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore on big ISPs plattforms as long as this issue hasn't been solved.		Because [[DMARC]] requires SPF ''or'' [[DKIM]] alignment to pass, this discovery also compromises the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore on big ISPs plattforms as long as this issue hasn't been solved.

Sebastian at 16:30, 31 August 2023

2023-08-31T16:30:07Z

← Older revision		Revision as of 18:30, 31 August 2023
Line 5:		Line 5:
	Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]: Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via - for example - Gmail have all Gmail IPs included in their SPF record. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.		Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]: Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via - for example - Gmail have all Gmail IPs included in their SPF record. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.

	Because [[DMARC]] requires SPF ''or'' [[DKIM]] to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore on big ISPs plattforms as long as this issue hasn't been solved.		Because [[DMARC]] requires SPF ''or'' [[DKIM]] alignment to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore on big ISPs plattforms as long as this issue hasn't been solved.

Sebastian at 13:29, 31 August 2023

2023-08-31T13:29:09Z

← Older revision		Revision as of 15:29, 31 August 2023
Line 5:		Line 5:
	Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]: Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via - for example - Gmail have all Gmail IPs included in their SPF record. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.		Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]: Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via - for example - Gmail have all Gmail IPs included in their SPF record. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.

	Because [[DMARC]] requires SPF ''or'' [[DKIM]] to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore as long as this issue hasn't been solved.		Because [[DMARC]] requires SPF ''or'' [[DKIM]] to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore on big ISPs plattforms as long as this issue hasn't been solved.

Sebastian at 13:28, 31 August 2023

2023-08-31T13:28:34Z

← Older revision		Revision as of 15:28, 31 August 2023
Line 3:		Line 3:
	When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of [[ISP\|ISPs]], such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose.		When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of [[ISP\|ISPs]], such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose.

	Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]: Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via Gmail have all Gmail IPs included in their SPF. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.		Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]: Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via - for example - Gmail have all Gmail IPs included in their SPF record. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.

	Because [[DMARC]] requires SPF ''or'' [[DKIM]] to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore as long as this issue hasn't been solved.		Because [[DMARC]] requires SPF ''or'' [[DKIM]] to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore as long as this issue hasn't been solved.

Sebastian at 13:28, 31 August 2023

2023-08-31T13:28:05Z

← Older revision		Revision as of 15:28, 31 August 2023
Line 3:		Line 3:
	When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of [[ISP\|ISPs]], such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose.		When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of [[ISP\|ISPs]], such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose.

	Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]. Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via Gmail have all Gmail IPs included in their SPF. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.		Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]: Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via Gmail have all Gmail IPs included in their SPF. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.

	Because [[DMARC]] requires SPF ''or'' [[DKIM]] to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore as long as this issue hasn't been solved.		Because [[DMARC]] requires SPF ''or'' [[DKIM]] to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore as long as this issue hasn't been solved.

Sebastian at 13:24, 31 August 2023

2023-08-31T13:24:28Z

← Older revision		Revision as of 15:24, 31 August 2023
Line 5:		Line 5:
	Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]. Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via Gmail have all Gmail IPs included in their SPF. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.		Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]. Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via Gmail have all Gmail IPs included in their SPF. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.

	Because [[DMARC]] requires SPF '''or''' [[DKIM]] to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore as long as this issue hasn't been solved.		Because [[DMARC]] requires SPF ''or'' [[DKIM]] to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore as long as this issue hasn't been solved.