SPF can have unintended consequences

Oh dear. The Law of Unintended Consequences is hard at work again…

When people post blog comments here, they also get emailed to the author of the original blog post. The email has the commenter’s address as the sender, even though it was actually sent by the blog software. However, this causes a problem if the author’s email is filtered using SPF!

To recap SPF: it allows a domain owner to say who can send on behalf of the domain. The domain owner publishes a list of IP addresses or address ranges in the DNS. A receiving email server can compare the sending IP address against the SPF list for the sending domain. It’s a way of spotting sender forgeries, which are hallmarks of spam and phishing.

So what went wrong in this case? Naturally, the blog server doesn’t appear on the SPF list for the domain where the comment author lives. In other words, the blog software isn’t permitted to send on behalf of the comment author’s domain, so it looks to an SPF filter that the message is forged.
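To make the check concrete, here is an added example (not code from the original post) of the SPF evaluation a receiving server performs. The SPF record and the IP addresses are constructed; the evaluator handles only `ip4`/`ip6` mechanisms and the terminal `all`, so mechanisms that need DNS lookups (`a`, `mx`, `include`) are out of scope.

```python
import ipaddress

# Constructed SPF record for the comment author's domain (example values, not
# from the original post): only the two listed networks may send on its behalf.
COMMENTER_DOMAIN_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 -all"


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate an SPF v1 record against the connecting IP address.

    Supports the 'ip4'/'ip6' mechanisms and the 'all' terminal, each with an
    optional qualifier (+ pass, - fail, ~ softfail, ? neutral). Returns one of
    'pass', 'fail', 'softfail', 'neutral' or 'none' (no usable record).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # A mismatched address family (IPv6 sender vs ip4 network) is simply
            # no match; ipaddress handles that comparison for us.
            if ip in ipaddress.ip_network(arg, strict=False):
                return qualifiers[qualifier]
        elif mech == "all":
            return qualifiers[qualifier]
        else:
            raise ValueError(f"mechanism not supported by this example: {mech}")
    return "neutral"  # nothing matched and no 'all' term present


if __name__ == "__main__":
    # The blog server's own address (constructed) is absent from the record,
    # so a notification carrying the commenter's address as sender fails SPF.
    print(evaluate_spf(COMMENTER_DOMAIN_SPF, "192.0.2.10"))    # fail
    print(evaluate_spf(COMMENTER_DOMAIN_SPF, "203.0.113.77"))  # pass
```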

In a sense, it is forged, I suppose. But this sort of "legitimate forgery" is commonplace in applications. The ease of doing this with SMTP is one of the key reasons why spam is such a problem.

Applications now need to be much more cautious about sending mail with someone else’s address as the sender. What was acceptable a year or two ago just isn’t any more.
