Using Sender Policy Framework (SPF)
Sender Policy Framework (SPF) is an email validation system designed to reduce spam by detecting email spoofing, a common weakness, through verification of the sending host's IP address. SPF lets a domain's administrators declare which hosts are allowed to send mail for that domain by publishing an SPF record as a TXT record in the Domain Name System (DNS). A receiving mail server looks up that record and checks whether the connecting host is one the domain's administrators have sanctioned; SPF only helps when the receiving side actually performs this check.
I recently encountered client email addresses being spoofed on my server. After investigating and consulting my host's admin, we determined that a slight modification to a single TXT record in our DNS would eliminate the problem. Here's the scoop.
I was contacted by the client because they got an email from an address at their own domain, but from a user they did not recognize. For example, email@clientdomain.com is my client's email user and domain, and this is the address they use: their domain name is clientdomain.com, the legitimate user is email, so the legitimate address is email@clientdomain.com. The spoofed email came from an address at clientdomain.com that was not a legitimate user for that domain, for example spoof@clientdomain.com, a spoofed user at a legitimate domain. The user spoof doesn't even exist!
Once I confirmed that this was indeed an email user being spoofed at my client's domain, I had to investigate to ensure it wasn't happening elsewhere. It very easily could be without anyone knowing.
I ran a few tests and learned my IP address was on the SORBS-SPAM blacklist. Thankfully, of the hundreds of blacklists, this was the only one that flagged it. We've requested an IP removal and there won't be any issue with our IP being released. Another test revealed that our SPF records were syntactically correct, but they were not stopping any other IP address from sending mail as a user at our domains. So yeah, we had to do a DNS update to all our domains (we meaning me).
The conclusion is that our old SPF records tested as neutral (access neither permitted nor denied), which is what a record ending in ?all produces: it tells receivers nothing about hosts it doesn't list, so mail for clientdomain.com could indeed be spoofed from an IP address other than our own.
To correct this we adjusted our SPF records, and they now test as softfail (domain owner discourages use of this host), which is what a record ending in ~all produces: any host other than our own server is flagged as probably not authorized to send mail for clientdomain.com. Note that softfail is a recommendation, not a rejection; most receivers accept such mail but treat it as suspicious. To tell receivers to reject mail from unlisted hosts outright, the record has to end in -all (hardfail), which is the stricter setting once you are sure every legitimate sending host is listed.
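The difference between the old and new records comes down to the qualifier on the final all mechanism. The following is an added example, not part of the original post, showing how a receiving server evaluates an SPF record against the connecting IP. The records, the host address 203.0.113.10 and the spoofing address 198.51.100.7 are constructed for illustration; only ip4/ip6 and all are implemented, since include, a and mx would need live DNS lookups.

```python
import ipaddress

# Constructed example records for clientdomain.com (not real DNS data).
# Each is what would be published as the domain's TXT record.
RECORDS = {
    "neutral":  "v=spf1 ip4:203.0.113.10 ?all",   # old record: says nothing about other hosts
    "softfail": "v=spf1 ip4:203.0.113.10 ~all",   # new record: other hosts discouraged
    "hardfail": "v=spf1 ip4:203.0.113.10 -all",   # stricter: other hosts rejected
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for a sending IP against one SPF record.

    Mechanisms are checked left to right; the first one that matches decides
    the result. Only ip4, ip6 and all are handled here, because include, a
    and mx require DNS lookups that this offline example deliberately omits.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if name in ("ip4", "ip6"):
            # strict=False accepts a bare host address as a /32 or /128
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        # include/a/mx/ptr/exists would need DNS; treated as no match here
    return "neutral"  # no mechanism matched: RFC 7208 says the result is neutral


def results_for(sender_ip):
    """Evaluate every constructed record for one sender IP (for comparison)."""
    return {name: evaluate_spf(rec, sender_ip) for name, rec in RECORDS.items()}


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, results_for(ip))
```

Running it shows that the legitimate host passes under all three records, while a foreign IP gets neutral, softfail or fail depending only on the final qualifier, which is exactly the change the DNS update made.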
The funny thing is that a lot of the domains I host were migrated from GoDaddy, Hostmonster, iPage and others. In these migrations from one account to another, DNS records rarely change and typically inherit the existing settings, so I noticed many leftover TXT records in the DNS for DomainKeys and SPF from the previous hosts. I'm just glad I caught it and figured it out.