Controversy around SPF: Difference between revisions
Revision as of 14:29, 31 August 2023
When e-mail was standardised in 1982, it was meant to be decentralised. The rise of large mail providers ("big ISPs") such as Yahoo, Hotmail and Gmail a few decades later has largely defeated that purpose.
In May 2023, the authors of RFC 8058 discovered a severe weakness in SPF. Big ISPs tend to publish all their outbound IP addresses in a single SPF record, and customers who send from their own domain through that provider are instructed to add an include: for that record to their own domain's SPF record. As a result, every domain that sends via, for example, Gmail has every Gmail outbound IP authorised in its SPF record. A message that leaves Gmail's outbound infrastructure with an envelope sender (MAIL FROM) in some Gmail customer's domain therefore gets an SPF pass from the receiver, regardless of which account submitted it: the receiver looks up the customer's SPF record, follows the include into the provider's record, finds the sending IP there and stops evaluating. Impersonating a Gmail customer's domain on a Gmail SMTP connection thus results in an SPF pass; how hard such a submission is depends on how strictly the provider binds the envelope sender to the authenticated account, but the SPF record itself gives no protection against it.
Because DMARC passes when either SPF or DKIM passes with an aligned domain, this weakness also undermines DMARC: a spoofed message whose envelope sender and From header both carry the customer's domain passes DMARC on the SPF path alone, with no DKIM signature needed. And because BIMI depends on a DMARC pass, BIMI cannot be trusted either for domains hosted on big ISPs' platforms, as long as this issue has not been solved.
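The shared-include evaluation described in the two paragraphs above, as an added worked example that is not code from the original page nor from any provider: a minimal SPF evaluator in Python covering the ip4, ip6, include and all mechanisms, run against a constructed DNS zone in which a hypothetical provider, _spf.bigmail.example, publishes its outbound pool once and two unrelated customers, victim.example and attacker.example, include it. The domain names, the addresses and the simplified relaxed-alignment check are assumptions made for the example. It goes slightly beyond the text by also showing a self-hosted domain whose record lists its own address and is therefore not affected by the provider's pool.

```python
"""Toy SPF evaluator (subset of RFC 7208) showing how a shared 'include:'
pulls a provider's whole IP pool into every customer's SPF record."""
import ipaddress

# Constructed DNS data for the example; none of these domains or addresses
# are real. The provider publishes its outbound ranges once; each customer
# record delegates to it with an include, as big providers instruct.
DNS_TXT = {
    "_spf.bigmail.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
    "victim.example":       "v=spf1 include:_spf.bigmail.example -all",
    "attacker.example":     "v=spf1 include:_spf.bigmail.example -all",
    "selfhosted.example":   "v=spf1 ip4:198.51.100.25 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms


def check_host(ip, domain, _lookups=None):
    """Return the SPF result for <ip> sending with a MAIL FROM in <domain>."""
    if _lookups is None:
        _lookups = [0]
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            # include matches only when the referenced record yields 'pass';
            # this is the step that imports the provider's entire pool.
            if check_host(ip, arg, _lookups) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, exists, redirect etc. not modelled here
    return "neutral"  # record ends without an 'all' term: RFC default


def dmarc_spf_aligned(mail_from_domain, header_from_domain, mode="r"):
    """Relaxed ('r') alignment: same domain or one a subdomain of the other.
    Simplification: real DMARC compares organizational domains via the PSL."""
    a, b = mail_from_domain.lower(), header_from_domain.lower()
    if a == b:
        return True
    return mode == "r" and (a.endswith("." + b) or b.endswith("." + a))


def dmarc_via_spf(ip, mail_from_domain, header_from_domain):
    """DMARC outcome on the SPF path alone (no DKIM signature present)."""
    spf = check_host(ip, mail_from_domain)
    if spf == "pass" and dmarc_spf_aligned(mail_from_domain, header_from_domain):
        return "pass"
    return "fail"


def shared_include_scenario():
    """An attacker who can get mail out through bigmail's outbound IP sets
    MAIL FROM and From: to victim.example. Returns the DMARC results."""
    provider_ip = "203.0.113.7"      # constructed address inside the pool
    elsewhere_ip = "198.51.100.25"   # constructed address outside the pool
    return {
        "victim_spoofed_via_provider": dmarc_via_spf(provider_ip, "victim.example", "victim.example"),
        "attacker_own_domain_via_provider": dmarc_via_spf(provider_ip, "attacker.example", "attacker.example"),
        "victim_from_elsewhere": dmarc_via_spf(elsewhere_ip, "victim.example", "victim.example"),
        "selfhosted_spoofed_via_provider": dmarc_via_spf(provider_ip, "selfhosted.example", "selfhosted.example"),
    }


if __name__ == "__main__":
    for case, result in shared_include_scenario().items():
        print(f"{case}: DMARC {result}")
```

Running it shows that one provider address passes SPF for both customer domains, so a message injected through the provider's outbound path with the victim's domain as envelope sender passes DMARC via SPF alone. The self-hosted domain fails for that same address because its record never delegates to the provider's pool, which is the whole difference.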