IP spoofing forges, or "spoofs," the source address in the header of an IP packet to make it appear to have originated from another machine -- the source address being the address from which a packet was sent. In order for spammers to use this technique, they would have to spoof the entire TCP sequence, which is highly unlikely and hasn't been seen in the wild.
If somebody could come up with such an attack, then yes, he or she would be able to pass through an SPF check, as long as the spoofed IP address matched that of a machine genuinely allowed to send mail for that domain and email address. Email spoofing, on the other hand, is extremely common, and SPF plays a role in preventing this source of spam. Email spoofing occurs when spammers alter the email header so the message appears to have originated from someone or somewhere else.
SPF provides a method whereby a mail server or mail transfer agent (MTA), when it receives an email, can confirm the sending server is authorized to send mail on behalf of that address. Domains publish Mail Exchange (MX) records in the Domain Name System (DNS), specifying which machines receive mail for the domain. SPF is basically a reverse MX record, specifying which machines are authorized to send mail from the domain. Published SPF records include attributes that uniquely describe an organization's email, including authorized senders and mail server IP addresses. Additional information on SPF can be found at Open SPF, which includes a comprehensive FAQ that reviews how to block large amounts of spam even before SPF checks occur.
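The check a receiving MTA performs can be sketched as follows. This is an added example, not code from the original article or from any SPF library: it covers only the `ip4`, `ip6`, `include` and `all` mechanisms, and the `ZONE` table, the `check_host` name and the example.com records are constructed stand-ins for real DNS TXT lookups.

```python
import ipaddress

# Constructed TXT records standing in for DNS (reserved example names and ranges).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms per check


def check_host(ip, domain, zone=ZONE, budget=None):
    """Return the SPF result for a connecting IP and the MAIL FROM domain."""
    budget = [MAX_LOOKUPS] if budget is None else budget
    terms = zone.get(domain, "").split()
    if terms[:1] != ["v=spf1"]:
        return "none"  # the domain publishes no SPF policy
    client = ipaddress.ip_address(ip)
    for term in terms[1:]:
        # A missing qualifier defaults to "+" (pass).
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if client.version == net.version and client in net:
                return RESULTS[qualifier]
        elif name == "include":
            budget[0] -= 1  # each include costs one DNS query
            if budget[0] < 0:
                return "permerror"
            inner = check_host(ip, arg, zone, budget)
            if inner == "pass":
                return RESULTS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # a, mx, exists, redirect: outside this sketch
    return "neutral"  # no mechanism matched and no "all" term was present


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.25", "203.0.113.7"):
        print(ip, check_host(ip, "example.com"))
```

The only input that decides the outcome is the connecting IP address, which is why a forged header alone fails the check and why only a sender that genuinely holds an authorized address passes.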
To help reduce unwanted email, you should follow best practices, performing all spam-filtering tests and rejecting unwanted incoming emails while the sending server is still connected. If your server accepts an email and only then decides it's spam, any failure notice it sends back to the sender's address is likely to go to a valid but forged address. This is known as email backscatter and is a problem in itself.
SPF checks require DNS queries, which are somewhat computationally expensive. If you can't reject email at the SMTP connection, you should reduce the amount of backscatter by sending emails using schemes such as Bounce Address Tag Validation, a mechanism for assessing the validity of an email's envelope return or bounce address.
If email authentication becomes universal, then spammers will have a much tougher time getting their emails delivered. If you're interested in learning more about the various emerging methods of authenticating email, check out the Messaging Anti-Abuse Working Group white paper, Trust in Email Begins with Authentication, which was published last year.