Invalid SPF policy and e-mail spoofing issues

SPF policy issues are a common pattern we see in the incoming reports. For example, many reporters make one of those two observations:

  • That blogger.com has v=spf1 include:_spf.google.com ?all
  • That insert-google-domain-here has ~all instead of -all

The attack scenario they describe often involves using spoofed e-mail addresses to make phishing e-mails more legitimate. The problem is that phishing still works in general, and people type their credentials into various pages anyway. There are multiple studies about that, including our recent research, and the sad truth is that restrictive SPF policy will not cure phishing once and for all and we have to resort to user education and e.g. Password Alert instead. Additionally, using phishing in an attack scenario will make it more likely for your vulnerability report to be rejected; social engineering attacks very rarely meet the bar for the reward or credit.

One may ask why we're using SPF if we don't think that it can reliably prevent phishing; the answer is that we use it mostly for increasing the odds an email is rejected by spam and phishing filters, however we do not rely on it solely - it's not a security barrier, but is rather used as an abuse mitigation.

We understand the implications of Allow, and the difference between Fail (-all) vs. Soft Fail (~all), and that while we also have a sentiment for using a Hard Fail everywhere ("Block all the things!"), for technical reasons we can't and most likely won't do it as that might affect email delivery.

We believe our current SPF policies are appropriate and a reasonable balance between making it more likely for email services to detect this as a spoofed email, and allowing our users to receive emails. We have thought about this problem, and although we welcome additional feedback and discussions, reports about SPF settings will usually not qualify for a reward.

We hope you understand now why reports pointing out SPF configuration in our services will not qualify for a reward or credit under Google VRP.