An SPF record is a DNS record that essentially states which IPs/domains are allowed to send email on behalf of the domain.
When using a third-party email service, the service often recommends using a "catch-all" SPF record for all of their servers. Here's what Sendgrid recommends:
v=spf1 include:sendgrid.net ~all
The domain that this record is associated with (e.g. example.com) will "allow" all email from all of sendgrid.net's domains.
It seems to me that an attacker could simply register for a Sendgrid account and send emails on behalf of example.com that would "pass" the SPF check.
Is this true?
I know that SPF isn't designed to verify message authenticity. It just seems a bit odd that in the right situation, such a widely-lauded technology has such an easily-exploited weakness. And yes, I do realize that requesting a private IP from the third-party email service would alleviate this concern.
The DNS record that you mention says:
It's not what RFCs say, but that's the practical meaning.
That's the architecture of SPF. Calling it a flaw is nonconstructive although understandable. It's true that under DMARC umbrella, the SPF is intended as solely a fallback mechanism in case DKIM fails (DKIM tends to be statistically somewhat error-prone). The fact that bulk-mail services offer SPF as a primary mechanism, often don't mention DKIM at all, and as often completely fail to authorize the
From:header speaks about their cluelessness in their core business.In face of this, I always recommend to go with
From: [email protected]which somewhat mitigates the impact of impersonating as a CEO, CFO, HR, etc. Nevertheless whoever wants me to set that domain record, I always ask them to accept the risk ofFrom: [email protected]. (I insert the real name of their CEO. They usually accept this. Duh.)