IP spoofing forges, or "spoofs," the source address in the header of an IP packet to make it appear to have originated...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
from another machine -- the source address being the address from which a packet was sent. In order for spammers to use this technique, they would have to spoof the entire TCP sequence, which is highly unlikely and hasn't been seen in the wild.
If somebody could come up with such an attack, then yes, he or she would be able to pass through an SPF check, as long as the spoofed IP address matched that of a machine genuinely allowed to send mail for that domain and email address. Email spoofing, on the other hand, is extremely common, and SPF plays a role in preventing this source of spam. Email spoofing occurs when spammers alter the email header so the message appears to have originated from someone or somewhere else.
SPF provides a method whereby a mail server or mail transfer agent (MTA), when it receives an email, can confirm the sending server is authorized to send mail on behalf of that address. Domains publish Mail Exchange (MX) records in the Domain Name System (DNS), specifying which machines receive mail for the domain. SPF is basically a reverse MX record, specifying which machines are authorized to send mail from the domain. Published SPF records include attributes that uniquely describe an organization's email, including authorized senders and mail server IP addresses. Additional information on SPF can be found at Open SPF, which includes a comprehensive FAQ that reviews how to block large amounts of spam even before SPF checks occur.
To help reduce unwanted email, you should follow best practices, performing all spam-filtering tests and rejecting unwanted incoming emails while the sending server is still connected. If your server accepts an email and then decides it's spam, any reply to the sender's address indicating the message failed is likely to be to a valid but forged address. This is known as email backscatter and is a problem in itself.
SPF checks require DNS queries, which are somewhat computationally expensive. If you can't reject email at the SMTP connection, you should reduce the amount of backscatter by sending emails using schemes such as Bounce Address Tag Validation, a mechanism for assessing the validity of an email's envelope return or bounce address.
If email authentication becomes universal, then spammers will have a much tougher time getting their emails delivered. If you're interested in learning more about the various emerging methods of authenticating email, check out the Messaging Anti-Abuse Working Group white paper, Trust in Email Begins with Authentication, which was published last year.
Dig Deeper on Email Security Guidelines, Encryption and Appliances
Related Q&A from Michael Cobb
A privacy breach at ClixSense led to user account details being put up for sale. Expert Michael Cobb explains how companies should be held ...continue reading
A password-verification flaw in iOS 10 allowed attackers to decrypt local backups. Expert Michael Cobb explains how removing certain security checks ...continue reading
HTTP public key pinning, a security mechanism to prevent fraudulent certificates, was not used by Firefox, and left it open to attack. Expert Michael...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.