Spoofing emails even when SPF is used

SPF (Sender Policy Framework) is designed to prevent email forgery. However, spammers have figured out how to spoof even when SPF is used. This article talks about how is this done and what measures you can take to block such messages.

How Is It Done

SPF checks the MAIL FROM value in the SMTP envelope, not the FROM header in the message. Therefore, by using a domain that does not publish SPF record in the MAIL FROM they can easily bypass SPF check.

Consider an example below, which has two parts: SMTP Envelope and Email Header
SMTP Envelope
Assume the message comes from and no SPF or DMARC record exists for spammermarketing.net.
C --> EHLO host.spammermarketing.net
S <-- 250-host.spammermarketing.net. Please to meet you
S <-- 250 OK
C --> MAIL FROM:<spammer@spammermarketing.net>
S <-- 250 OK
C --> RCPT TO:<victim@yourcompany.com>
Notice the envelope suggests the sender belongs to spammermarketing.net, which does not have an SPF record.
Email Header
The email header for the message is displayed below.
From: Mr. CEO "ceo@yourcompany.com" <spammer@spammermarketing.net>
To: <victim@yourcompany.com>
Subject: Hi,my name is Evie
Notice there are two email addresses in the From header. Most email clients will only display the first address, giving an impression the message came from their CEO.

What Happened

Since the MAIL FROM value in the envelope used a domain that did not have an SPF record, the receiving server simply ignore checking for SPF. Additionally, DMARC was also skipped because SPF was missing.

Final result: the receiving server does not block the email. Message goes all the way to the recipients Inbox giving an impression it came from their CEO.

How To Block Such Emails In Xeams

Xeams comes with 2 custom filters that can assign scores to such messages:

  • Tricky Sender - Among other tricks, this looks for multiple email addresses in the FROM header
  • Inconsistent Sender - This looks for different values in the envelope MAIL FROM and header FROM.
Consider increasing the scores for these filters if you think messages using this trick are getting through.