Hello, welcome to the Friday, October 18th, 2019 edition of the Santernut Storm Center's Stormcast.

My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

Today we've got a diary from Jan Koprava, our newest handler actually, and he's writing about some of the shortcomings of

SPF, the center policy framework that's often used to discriminate against spam and fishing attempts.

As an example, he's using a malicious email that he received that claimed to come from dhl.com.

DhL.com does use the SPF record, but there are sort of two problems with SPF.

First of all, it's not actually checking the from header in the email that's being displayed

to the user.

Instead, it's only verifying the from in the email envelope, which actually is typically not

displayed to the user.

Maybe you'll see it as part of a received header within the headers of the particular

email.

So pretty easy to make an email still look like it's coming from dhl.com to the user, while

SPF for the mail server when they checked SPF did think it came from a different domain.

Secondly, a lot of SPF records are actually not that well written. For example, you may see a

question mark all at the end. And this is actually what Jan saw here. The sender here was then

Shipping.com. And they're using this question mark

all in the end of the SPF record, which essentially means, well, I'm specifying which mail

servers may send email for my domain, but I'm not limiting it to these servers and everybody

else actually may send email as well.

So this is often done to sort of prevent false positives and prevent email from being dropped,

but really bad practice, it really sort of invalidates the idea of having an SPF record

...