Controversy around SPF: Difference between revisions
No edit summary |
No edit summary |
||
Line 3: | Line 3: | ||
When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of [[ISP|ISPs]], such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose. | When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of [[ISP|ISPs]], such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose. | ||
Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]: Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via Gmail have all Gmail IPs included in their SPF. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass. | Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]: Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via - for example - Gmail have all Gmail IPs included in their SPF record. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass. | ||
Because [[DMARC]] requires SPF ''or'' [[DKIM]] to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore as long as this issue hasn't been solved. | Because [[DMARC]] requires SPF ''or'' [[DKIM]] to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore as long as this issue hasn't been solved. |
Revision as of 14:28, 31 August 2023
When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of ISPs, such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose.
Recently, In may 2023, the authors of RFC 8058 discovered severe flaws in SPF: Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via - for example - Gmail have all Gmail IPs included in their SPF record. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.
Because DMARC requires SPF or DKIM to pass, this discovery also implicates the security of the DMARC protocol. And because BIMI depends on DMARC, also BIMI can't be trusted anymore as long as this issue hasn't been solved.