Are sites without SPF wildcard entries vulnerable to subdomain attacks?

I thought that if SPF records are not recursive, domain names might be vulnerable to spoofing email from subdomains. My research shows this:

Question about Demon: what about subdomains?

If I receive mail from pielovers.demon.co.uk and there is no SPF data for pielovers, should I go back one level and check the SPF on demon.co.uk? No. Each subdomain at Demon is a different client, and each client can have its own policy. It would not make sense for Demon's policy to apply to all of its clients by default; if Demon wants to do this, it can configure SPF records for each subdomain.

Therefore, the advice for SPF publishers is this: you should add an SPF record for each subdomain or host name that has an A or MX record.

Sites with A or MX wildcard entries must also have an SPF wildcard entry of the form: * IN TXT "v=spf1 -all"

(Thanks to Stuart Cheshire.)

(my emphasis)

Q1: Why don't you need to add an SPF record if the subdomain does not have an A/MX record?

As an example, I researched support.google.com:

dig google.com txt:

 google.com. 3599 IN TXT "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all" 

dig support.google.com txt:

 support.google.com. 21599 IN CNAME www3.l.google.com. 

dig www3.l.google.com txt:

 www3.l.google.com. IN TXT 

So... there is no SPF entry for support.google.com.

Q2: So aren't Google (and many other sites) affected by this?

Q3 (bonus): If this is a problem, and I'm not just stupid, why is this not documented?

The only related SE question I can find is this, but it doesn't say much more than the openspf.org FAQ above.

1 answer

This is actually not a very important tip in 2015, as the email landscape has changed significantly since this post was made.

In practice, SPF is an authentication protocol, not a policy enforcement mechanism. That is, a particular message may pass, fail, or fail to verify SPF based on the EHLO name or the Return-Path domain. But how the receiver should handle any given SPF result is entirely up to the receiver.

The enforcement mechanism for email is DMARC, which defines how a message that does not pass SPF or DKIM authentication should be handled by the recipient. Should it be rejected outright? Quarantined (which usually means the spam folder)? Or treated as "normal"?

DMARC, unlike SPF, has subdomain inheritance. So if no specific DMARC policy is defined for a subdomain, the policy defined at the organizational domain is used. Therefore, in the specific case you are referring to, the policy is looked up at _dmarc.google.com, which is:

 v=DMARC1; p=quarantine; rua=mailto:mailauth-reports@google.com 

So your hypothetical email sent from support.google.com will be treated as spam, even without an explicit SPF policy defined on support.google.com.

So, if you want to prevent subdomain spoofing for a domain you manage, add a DMARC policy.

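The following is an added example, not code from the original question or answer, that models the two lookup behaviours discussed above: the openspf.org FAQ's point that SPF is read at exactly the sending name (no walk up to the parent, and a wildcard TXT only covers names that have no records of their own, which is why every host with an A or MX record needs its own SPF record), and the answer's point that DMARC discovery does fall back to the organizational domain. The zone is constructed for illustration: the google.com records mirror the dig output quoted in the question, the Demon records are hypothetical, the `SUFFIXES` set is a stand-in for the Public Suffix List, and the resolver only considers the immediate parent's wildcard.

```python
"""Toy resolver over a constructed zone (added example, not code from the
original question or answer). Zone contents are invented except that the
google.com records mirror the dig output quoted in the question."""

# Constructed zone: owner name -> {RR type: [RDATA, ...]}
ZONE = {
    "google.com.": {"TXT": ['"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"']},
    "_dmarc.google.com.": {"TXT": ['"v=DMARC1; p=quarantine; rua=mailto:mailauth-reports@google.com"']},
    "support.google.com.": {"CNAME": ["www3.l.google.com."]},
    "www3.l.google.com.": {"A": ["192.0.2.10"]},  # no TXT at the CNAME target either
    # Hypothetical Demon-style zone from the FAQ: per-customer hosts plus a wildcard SPF.
    "demon.co.uk.": {"MX": ["10 mail.demon.co.uk."], "TXT": ['"v=spf1 mx -all"']},
    "_dmarc.demon.co.uk.": {"TXT": ['"v=DMARC1; p=none; sp=reject"']},
    "pielovers.demon.co.uk.": {"A": ["192.0.2.20"]},  # has an A record but no SPF TXT
    "*.demon.co.uk.": {"TXT": ['"v=spf1 -all"']},
}

# Constructed stand-in for the Public Suffix List used to find the organizational domain.
SUFFIXES = {"com", "co.uk"}


def lookup(name, rrtype, zone=ZONE):
    """Answer a query from the toy zone: follow CNAMEs, then consult the parent's
    wildcard. Per RFC 4592 a wildcard only synthesizes answers for names that do
    not exist at all, so a host that has an A record is never covered by it.
    (Simplification: only the immediate parent's wildcard is considered.)"""
    name = name.rstrip(".") + "."
    seen = set()
    while name in zone and "CNAME" in zone[name] and rrtype != "CNAME":
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = zone[name]["CNAME"][0]
    if name in zone:
        return list(zone[name].get(rrtype, []))
    wildcard = "*." + name.split(".", 1)[1]
    return list(zone.get(wildcard, {}).get(rrtype, []))


def _txt(name, prefix, zone):
    """TXT strings at `name` that start with `prefix`, quotes stripped."""
    return [t.strip('"') for t in lookup(name, "TXT", zone) if t.strip('"').startswith(prefix)]


def spf_record(domain, zone=ZONE):
    """SPF (RFC 7208) reads the TXT record at exactly the queried domain.
    There is no walk up to the parent, which is what the FAQ is warning about."""
    recs = _txt(domain, "v=spf1", zone)
    return recs[0] if recs else None


def organizational_domain(domain):
    """Strip leading labels until the remainder is a public suffix plus one label."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=...; sp=...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(domain, zone=ZONE):
    """DMARC (RFC 7489) discovery: try _dmarc.<domain>, then _dmarc.<org domain>.
    When the record is inherited from the organizational domain, the 'sp' tag
    (if present) applies to subdomains instead of 'p'. Returns (policy, owner)."""
    domain = domain.rstrip(".")
    org = organizational_domain(domain)
    for owner in dict.fromkeys([domain, org]):
        recs = _txt("_dmarc." + owner, "v=DMARC1", zone)
        if recs:
            tags = parse_dmarc(recs[0])
            if owner != domain and "sp" in tags:
                return tags["sp"], owner
            return tags.get("p"), owner
    return None, None


def check_sender(domain, zone=ZONE):
    """What a receiver would find for mail claiming to come from `domain`."""
    policy, owner = dmarc_policy(domain, zone)
    return {"domain": domain, "spf": spf_record(domain, zone), "dmarc": policy, "dmarc_from": owner}


if __name__ == "__main__":
    for d in ("google.com", "support.google.com", "demon.co.uk", "pielovers.demon.co.uk", "nobody.demon.co.uk"):
        print(check_sender(d))
```

Running it shows support.google.com with no SPF record of its own (the CNAME is followed and www3.l.google.com has no TXT) but a DMARC policy of quarantine inherited from google.com; pielovers.demon.co.uk, which exists with an A record, is not covered by the `*.demon.co.uk` wildcard and so has no SPF, while a name that does not exist at all gets the wildcard's `v=spf1 -all`. The `sp=reject` tag on the hypothetical demon.co.uk record shows that an organizational domain can set a stricter policy for its subdomains than for itself.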

Source: https://habr.com/ru/post/1212585/
