Email beta - SPF security

Yesterday I got access to the email beta and it took just 1 day to receive an extortion email with the typical comment of “I am sending you an email from your own domain as proof that your computer has been compromised”.

I am trying to figure out how this person managed to send me an email with “From” and “Message-ID” headers from my own domain. Technically I expected the SPF record to prevent things like this.

Currently the admin panel shows my DNS is OK, and the TXT spf record is there “v=spf1 ~all”

The one thing I do not fully understand is how the “Authentication-Results” should work. I have two, one from Cloudflare and one from my mail provider. Both of them claim “spf=pass” but “dmarc” fails only on the one mentioning the mx server.

Is this a problem with the beta mail service? or am I misunderstanding how the spf record should work?

lol totally compromised. The l33t hacker who contacted you is, of course, an idiot.

Your SPF record includes “-all” which is the equivalent of :woman_shrugging: so nothing will ever be blocked based on the SPF record alone. It might be considered by the receiving MTA as part of an overall scoring mechanism shmaybe.

Typical beg bounty nonsense. I’d ignore them unless I was really bored and then I’d troll them to waste as much of their time as I could (hmmm… maybe I should write a beg bounty troll bot).

What you are describing is more the behavior of ~all, -all should reject mail.


Typo. OP’s SPF uses the latter.

small visual difference, big difference for mail delivery :wink:

SPF -all without DMARC or SPF ~all in combination with DMARC p=reject does reject mail.

With SPF ~all and no DMARC (or p=none), Cloudflare does accept the mail.

No surprises here …

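The interplay the two replies above describe (SPF qualifier on the envelope domain, DMARC policy and alignment on the header From domain) is easy to get wrong, so here is an added example that is not code from the original thread, from Cloudflare or from any MTA: a toy Python evaluator that reproduces the four cases discussed. It supports only the ip4, ip6 and all mechanisms (include/redirect/a/mx need DNS and are left out so it runs offline), approximates the organizational domain as the last two labels instead of using the Public Suffix List, omits DKIM, and uses made-up zones: example.com as the victim domain and attacker.example with the constructed IP range 203.0.113.0/24 as the extortionist's own domain. It also shows why the original poster saw spf=pass together with dmarc=fail: SPF is checked against the envelope MAIL FROM domain, which the spoofer controls, while only DMARC ties the result to the header From domain the recipient actually sees.

```python
import ipaddress

# Added example: a toy SPF + DMARC evaluator. Not Cloudflare's or any MTA's code.
# Only ip4/ip6/all mechanisms are supported; include/redirect/a/mx need DNS and
# are left out so this runs offline. All domains, IPs and records are made up.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """SPF result ('pass', 'fail', 'softfail', 'neutral', 'none') for sender_ip."""
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no (valid) SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]  # '-all' -> fail, '~all' -> softfail
        if name in ("ip4", "ip6"):
            # An IPv4 sender is never contained in an IPv6 network and vice versa.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"mechanism not supported by this toy evaluator: {name}")
    return "neutral"  # RFC 7208 default when nothing matched and there is no 'all'


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def spf_aligned(header_from, mail_from, strict=False):
    """DMARC SPF alignment: the header From domain must match the SPF-checked MAIL FROM domain."""
    if strict:
        return header_from.lower() == mail_from.lower()
    return org_domain(header_from) == org_domain(mail_from)


def receiver_decision(zones, header_from, mail_from, sender_ip):
    """Return (spf_result, dmarc_result, disposition) as a policy-honouring receiver would.

    zones maps a domain to its published {'spf': record, 'dmarc': policy or None}.
    SPF is evaluated against the envelope MAIL FROM domain; the DMARC policy comes
    from the header From domain, which is what the recipient sees in their client.
    DKIM is omitted because the thread is about SPF.
    """
    spf = evaluate_spf(zones.get(mail_from, {}).get("spf"), sender_ip)
    policy = zones.get(header_from, {}).get("dmarc")
    if policy is None:
        # No DMARC record: a receiver acting on SPF alone rejects only a hard fail.
        return spf, "none", ("reject" if spf == "fail" else "accept")
    dmarc = "pass" if spf == "pass" and spf_aligned(header_from, mail_from) else "fail"
    if dmarc == "pass" or policy == "none":
        return spf, dmarc, "accept"
    return spf, dmarc, policy  # 'quarantine' or 'reject'


# Constructed zones: the victim domain as in the thread, plus the extortionist's own domain.
WEAK = {
    "example.com": {"spf": "v=spf1 ~all", "dmarc": "none"},
    "attacker.example": {"spf": "v=spf1 ip4:203.0.113.0/24 -all", "dmarc": None},
}
HARDENED = {
    "example.com": {"spf": "v=spf1 -all", "dmarc": "reject"},
    "attacker.example": WEAK["attacker.example"],
}

if __name__ == "__main__":
    # Case seen in the thread: header From is the victim's domain but the envelope sender
    # is the attacker's own domain, so SPF passes (spf=pass) and only DMARC fails.
    for label, zones in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "header-only spoof:",
              receiver_decision(zones, "example.com", "attacker.example", "203.0.113.5"))
        print(label, "envelope spoof:   ",
              receiver_decision(zones, "example.com", "example.com", "203.0.113.5"))
```

With the weak zone the header-only spoof comes back as spf=pass, dmarc=fail, accept, which is exactly the pair of Authentication-Results the original poster saw; switching example.com to p=reject turns the same message into a reject without touching the SPF record, and ~all alone never rejects anything because softfail is not a hard fail.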

Thanks! Now I understand the difference between the hard and soft reject better. Somehow I expected the “~” to be enough, especially since it is the default suggested by Cloudflare.

I’ve just updated my DNS records and found a nice online tool to test/send spoofed emails.

Somehow I find it extremely spooky that it took just 1 day to get my first spoofed email.

SPF and DKIM don’t solve spoofing, they’re just crappy patches on top of a fundamentally insecure system.
