When using a mail delivery service, like AWS SES or SendGrid, is there any benefit to including their SPF records for the domain in the RFC5322.From (header-from) header?
With how they operate by default, they use their own RFC5321.MailFrom (envelope-from), which is what SPF is supposed to check against according to the standards.
However, I'm wondering if there's still a benefit, like broken mail servers or mail servers that may check the RFC5322.From against SPF anyways for a spam check. Or just don't bother because it's never checked. Curious if anyone has any field experience about that.
For example, AWS SES uses a subdomain of amazonses.com in the RFC5321.MailFrom. This question assumes that has not been changed with a custom "MAIL FROM" setting.
A typical implementation of the SPF check is done right after the `MAIL FROM` (with the rejection possibly fired after the `RCPT TO` to keep more debug information in the logs). That's before there's any content (`DATA`), including the message headers. RFC 7208, section 2.2 describes how the checking should be done against RFC5321.MailFrom and `HELO`/`EHLO`. It also explicitly discourages checking any other identities (like RFC5322.From) against SPF records.

A DMARC policy (RFC 7489) provides such an "explicit approval" that further tells the receiver how the domain owner wants messages with both unaligned SPF and unaligned DKIM (RFC 6376) signature to be handled. It's DMARC that protects the RFC5322.From, whereas SPF and DKIM per se don't recognize such alignment at all. If some spam protection system punished unaligned messages without this explicit approval, it's a problem on their side and should not be tried and solved with non-standard SPF records as you suggest.
The challenge described in the citation remains with DMARC, because if a message was forwarded...

- keeping the original `MAIL FROM`, it wouldn't survive the SPF check.
- with a rewritten `MAIL FROM`, it wouldn't survive the DMARC alignment.

For this reason it's recommended to use DKIM with DMARC, as it better survives forwarding. Also, someone willing to publish a `p=reject` (or even `p=quarantine`) should first make some effort to configure all the possible legitimate senders aligned either with DKIM or SPF – recommendably with both.

E.g. with Amazon SES this means setting up a custom `MAIL FROM` domain: adding a subdomain with their `MX` and SPF records. This also requires a relaxed DMARC policy that allows alignment if the organizational domain matches, as defined in RFC 7489 section 3.1.
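To make the alignment argument in the answer above concrete, here is an added worked example (my code, not part of the original question or answer) that evaluates DMARC identifier alignment the way RFC 7489 section 3.1 describes it, in both relaxed (`r`) and strict (`s`) mode, over a few constructed scenarios: the SES default (SPF identity under `amazonses.com`), an SES custom `MAIL FROM` subdomain, and the two forwarding cases. The scenario domains and results are constructed for illustration; the organizational-domain lookup is simplified to "last two labels" (a stated assumption; real implementations consult the Public Suffix List so that e.g. `example.co.uk` is handled correctly).

```python
"""DMARC identifier alignment (RFC 7489 section 3.1), worked example.

Added example, not code from the original Q&A. The organizational
domain lookup is a simplification (assumption): it takes the last two
labels instead of consulting the Public Suffix List.
"""
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two DNS labels.

    Assumption for brevity; RFC 7489 uses the Public Suffix List here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = strict (exact match), 'r' = relaxed
    (same organizational domain)."""
    a = auth_domain.lower().rstrip(".")
    h = header_from_domain.lower().rstrip(".")
    if mode == "s":
        return a == h
    if mode == "r":
        return org_domain(a) == org_domain(h)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass
class AuthResults:
    header_from: str            # RFC5322.From domain (what DMARC protects)
    mail_from: str              # RFC5321.MailFrom domain (the SPF identity)
    spf_result: str             # SPF result for mail_from: "pass", "fail", ...
    dkim_d: Optional[str] = None  # d= of a DKIM signature that verified, or None


def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r",
                   policy: str = "reject") -> dict:
    """SPF and DKIM results only count for DMARC if they are aligned
    with the RFC5322.From domain; either one aligned is a DMARC pass."""
    spf_aligned = r.spf_result == "pass" and aligned(r.mail_from, r.header_from, aspf)
    dkim_aligned = r.dkim_d is not None and aligned(r.dkim_d, r.header_from, adkim)
    passed = spf_aligned or dkim_aligned
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


# Constructed scenarios (illustrative domains, not real mail).
# 1. SES default MAIL FROM under amazonses.com, no DKIM: SPF passes but
#    is unaligned, so DMARC fails even though SPF itself is fine.
SES_DEFAULT_NO_DKIM = AuthResults("example.com", "us-east-1.amazonses.com", "pass")
# 2. Same, but with an aligned DKIM signature (d=example.com): passes via DKIM.
SES_DEFAULT_WITH_DKIM = AuthResults("example.com", "us-east-1.amazonses.com",
                                    "pass", "example.com")
# 3. SES custom MAIL FROM subdomain: SPF aligns in relaxed mode only.
SES_CUSTOM_MAILFROM = AuthResults("example.com", "mail.example.com", "pass")
# 4. Forwarded keeping the original MAIL FROM: SPF fails at the forwarder's IP.
FORWARDED_SAME_MAILFROM = AuthResults("example.com", "mail.example.com",
                                      "fail", "example.com")
# 5. Forwarded with a rewritten MAIL FROM (e.g. SRS): SPF passes but is
#    unaligned; only a surviving DKIM signature can rescue it.
FORWARDED_REWRITTEN = AuthResults("example.com", "fwd.example.net", "pass")


if __name__ == "__main__":
    for name, scenario in [("ses default, no dkim", SES_DEFAULT_NO_DKIM),
                           ("ses default, dkim", SES_DEFAULT_WITH_DKIM),
                           ("ses custom mail from", SES_CUSTOM_MAILFROM),
                           ("forwarded, same mail from", FORWARDED_SAME_MAILFROM),
                           ("forwarded, rewritten", FORWARDED_REWRITTEN)]:
        print(f"{name:28} relaxed={dmarc_evaluate(scenario)['dmarc']:4} "
              f"strict={dmarc_evaluate(scenario, aspf='s', adkim='s')['dmarc']}")
```

The scenarios show why the answer recommends DKIM alongside a custom `MAIL FROM`: the custom subdomain makes SPF align only under relaxed `aspf`, and it still fails whenever a forwarder keeps the original envelope sender, while an aligned DKIM signature passes in both forwarding cases as long as the forwarder leaves the signed content intact.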