hisham_hm (@hisham_hm@mastodon.social)

How spoofable is an email From: field nowadays?

I know that back in the days of POP3 and unencrypted email you could write anything in From: and one would have to cross-check with the other headers to see if the message at least went through the domain in the address.

I believe nowadays big servers like gmail are stricter in the email they accept (to the point of rejecting valid emails, which is super annoying, I know), but is there a standard in check that foo@bar.com comes from bar.com?

kinnison (@kinnison@fosstodon.org)

@hisham_hm SPF (Sender permitted from) and DKMS (domain keys) help with that sort of thing. But it's by no means foolproof

jomo (@jomo@mstdn.io)

@kinnison @hisham_hm SPF is the Sender Policy Framework, not "Sender Permitted From", and by design does nothing at all with the "From:" header. SPF only concerns the SMTP "MAIL FROM" line, which is not part of the actual email headers and thus is not and cannot be displayed by email clients. This is explicitly mentioned in the security considerations of the RFC: https://www.rfc-editor.org/rfc/rfc7208#section-11.2

1/3

jomo (@jomo@mstdn.io)

@kinnison @hisham_hm DKIM does help against spoofing headers such as "From:", and the mail body. It comes with the major caveat (amongst others) that once leaked, you have no way* to plausibly deny authorship of emails. IIRC this has happened with Hillary Clinton's mails on Wikileaks.

*you can regularly rotate your signing keys and publish the old keys, however there does not seem to be a standard way of doing this.

2/3

jomo (@jomo@mstdn.io), edited

@kinnison @hisham_hm There's also DMARC, which instructs servers how to interpret the SPF and DKIM rules. The important part here is called "alignment", where the domain in the "From:" header must match that of the MAIL FROM line and the signer of the DKIM signature. Otherwise SPF/DKIM wouldn't protect against spoofers authenticating themselves. It's noteworthy that Microsoft does not refuse mails as instructed.

tl;dr: it's complicated and email is a mess.

3/3
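A minimal model of the alignment check described in the thread, as an added example that is not part of any post above: it takes already-computed SPF and DKIM results and checks whether either is aligned with the "From:" header domain. The organizational-domain helper is a simplification (a real receiver uses the Public Suffix List), and all sample inputs are constructed.

```python
from dataclasses import dataclass
from typing import Optional
import email.utils


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels.
    Assumption for this example; real DMARC consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_domain: str, auth_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    from_header: str           # RFC5322.From as it appears in the message
    mail_from: str             # SMTP MAIL FROM address (RFC5321.MailFrom)
    spf_pass: bool             # SPF result for mail_from's domain
    dkim_pass: bool            # a DKIM signature verified
    dkim_d: Optional[str]      # d= tag of the signature that verified


def header_from_domain(from_header: str) -> str:
    """Domain of the address, ignoring the display name (which DMARC never checks)."""
    _, addr = email.utils.parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower()


def dmarc_evaluate(r: AuthResult, aspf: str = "r", adkim: str = "r") -> dict:
    """Return which mechanisms are aligned and the overall DMARC verdict.
    DMARC passes if at least one of SPF or DKIM both passes and aligns."""
    hd = header_from_domain(r.from_header)
    spf_aligned = r.spf_pass and aligned(hd, r.mail_from.rsplit("@", 1)[-1], aspf)
    dkim_aligned = r.dkim_pass and r.dkim_d is not None and aligned(hd, r.dkim_d, adkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


if __name__ == "__main__":
    # Constructed: attacker's own domain passes SPF and DKIM, but "From:" claims bar.com.
    spoof = AuthResult("foo@bar.com", "x@attacker.example", True, True, "attacker.example")
    print(dmarc_evaluate(spoof))   # dmarc_pass is False: nothing aligns with bar.com
```

The display-name case ("foo@bar.com" <x@attacker.example>) passes under attacker.example, which is why DMARC alone does not stop that class of spoofing.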
