I'm trying to figure out why forged email is being delivered to major email providers (gmail.com, outlook.com) even though the email is marked with an SPF hardfail. The email is also delivered to Microsoft Exchange, which is throwing a PermError for the same SPF record.
I am sending email using the SOME_DOMAIN.com domain, which defines a broken SPF record. The email is transmitted from my own IP address, which is not explicitly listed in SOME_DOMAIN.com's SPF record. The SPF record for SOME_DOMAIN.com has the following three properties; the first two are violations of the SPF RFC 4408:
- Requires more than 10 DNS queries to resolve the entire SPF record, due to include:.
- Syntax error in one of the SPF records; python-spf throws a parse error.
- The SPF record contains both the rules ~all and -all, both saying that the set of all addresses should softfail and hardfail.
Email sent to an outlook.com address impersonating admin@SOME_DOMAIN.com will contain the following error in the SMTP header of the delivered email. This email was delivered normally to the user's inbox:
Received-SPF: PermError (: domain of SOME_DOMAIN.com used an invalid SPF mechanism)
Gmail will also deliver the email to the user's inbox, but will throw a different SPF error:
spf=hardfail (google.com: domain of admin@SOME_DOMAIN.COM does not designate x.x.x.x as permitted sender) smtp.mail=admin@SOME_DOMAIN.COM
So what is going on here? Why is email being delivered despite an SPF hardfail? Does having a broken SPF record mean that other SMTP servers disregard the SPF entirely? Or is there something I'm missing here…
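As an added illustration (not code from the question, from python-spf, or from any receiving MTA), the following simplified SPF evaluator runs against a constructed zone that reproduces the three record defects: it returns permerror for the over-limit include chain and for the misspelled mechanism, and for a record carrying both ~all and -all it stops at whichever all term comes first, so the later one is never consulted. The ZONE entries, the .example domain names and the check_host() function are assumptions made for this example.

```python
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups (not the real SOME_DOMAIN.com record); each entry reproduces one defect.
ZONE = {
    # ~all before -all: the first "all" term that is reached decides the result
    "both.example": "v=spf1 ip4:192.0.2.0/24 ~all -all",
    # misspelled mechanism name: a conforming evaluator must return permerror
    "syntax.example": "v=spf1 ip4:192.0.2.0/24 inlcude:partner.example -all",
    # hop0 -> hop1 -> ... -> hop11: the 11th include exceeds the RFC limit of 10
    **{f"hop{i}.example": f"v=spf1 include:hop{i + 1}.example -all" for i in range(11)},
    "hop11.example": "v=spf1 -all",
}
TERM = re.compile(r"^([+\-~?]?)(all|ip4|ip6|include|a|mx|ptr|exists)(?:[:/](.+))?$")
QUALIFIER = {"": "pass", "+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}


def check_host(ip, domain, zone, state=None):
    """Simplified RFC 7208 check_host(): evaluate terms left to right for sender ip."""
    state = {"lookups": 0} if state is None else state  # counter shared across includes
    record = zone.get((domain or "").lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.lower().split()[1:]:
        if "=" in term:
            continue  # redirect=/exp= modifiers are not handled by this toy evaluator
        match = TERM.match(term)
        if not match:
            return "permerror"  # defect 2: unparseable mechanism
        qual, name, arg = match.groups()
        if name in LOOKUP_TERMS:
            state["lookups"] += 1
            if state["lookups"] > 10:
                return "permerror"  # defect 1: more than 10 DNS-lookup terms
        if name == "all":
            return QUALIFIER[qual]  # defect 3: first "all" wins, a later -all is never reached
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg or "", strict=False)
            except ValueError:
                return "permerror"  # ip4:/ip6: with a missing or malformed network
            if ipaddress.ip_address(ip) in net:
                return QUALIFIER[qual]
        elif name == "include":
            sub = check_host(ip, arg, zone, state)
            if sub == "pass":
                return QUALIFIER[qual]
            if sub in ("permerror", "none"):
                return "permerror"  # including a domain with no record is itself a permerror
    return "neutral"  # a/mx/ptr/exists would need live DNS and are treated as non-matching here
```

A strict receiver that applies the RFC limits lands on permerror for the first two defects, while one that tolerates them reaches the all terms and reports whichever qualifier comes first; both outcomes are then just inputs to the receiver's own delivery policy.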
Best Answer
SPF is so badly configured by so many sites that receiving MTAs often count hardfail as advisory only, and merely factor it into their spam detection scores. In the end it's up to the MTA's administrator as to how SPF failures will be treated.