Controversy around SPF: Difference between revisions

From InboxSys document library
Jump to navigation Jump to search
Newer edit →
Created page with "Category:Deliverability Category:Authentication When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of ISP ISPs, such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose. Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in SPF. Big ISP ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending..."
 
No edit summary
Line 1: Line 1:
[[Category:Deliverability]]
[[Category:Deliverability]]
[[Category:Authentication]]
[[Category:Authentication]]
When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of [[ISP ISPs]], such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose.
When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of [[ISP|ISPs]], such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose.


Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in SPF. Big [[ISP ISPs]] tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via Gmail have all Gmail IPs included in their SPF. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.  
Recently, In may 2023, the authors of [https://www.ietf.org/rfc/rfc8058.txt RFC 8058] discovered severe flaws in [[SPF]]. Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via Gmail have all Gmail IPs included in their SPF. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.  


Because DMARC requires SPF '''or''' DKIM to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore as long as this issue hasn't been solved.
Because [[DMARC]] requires SPF '''or''' [[DKIM]] to pass, this discovery also implicates the security of the DMARC protocol. And because [[BIMI]] depends on DMARC, also BIMI can't be trusted anymore as long as this issue hasn't been solved.

Revision as of 14:24, 31 August 2023

When E-Mail was documented in 1982, E-Mail was meant to be decentralised. The uprise of ISPs, such as Yahoo, Hotmail and Gmail, a few decades later, has defeated this purpose.

Recently, In may 2023, the authors of RFC 8058 discovered severe flaws in SPF. Big ISPs tend to store all their IPs in a single SPF record. Customers who use their own domain for sending are instructed to add an include to this SPF record in their own domain's SPF record. This way, all domains sending via Gmail have all Gmail IPs included in their SPF. Impersonating a Gmail customer's domain on a Gmail SMTP connection results in SPF pass.

Because DMARC requires SPF or DKIM to pass, this discovery also implicates the security of the DMARC protocol. And because BIMI depends on DMARC, also BIMI can't be trusted anymore as long as this issue hasn't been solved.

Retrieved from "https://docs.inboxsys.com/index.php?title=Controversy_around_SPF&oldid=153"