
SPF policy could be enforced

Open d4rklynk opened this issue 2 years ago • 8 comments

SPF policy is currently set to ~all but should be enforced with -all.

It will reject (thus not deliver) mail that isn't sent from the right server.

Sources:

  • Simple explanation: https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/
  • Advanced explanation: http://www.open-spf.org/SPF_Record_Syntax/

d4rklynk avatar Mar 23 '23 16:03 d4rklynk

Thanks a lot for all of these issues! It'll take someone more experienced than me to parse and implement them, but great to have all of this raised.

dunkOnIT avatar Mar 23 '23 17:03 dunkOnIT

No problem, my pleasure!

d4rklynk avatar Mar 23 '23 17:03 d4rklynk

See -> Setup SPF

You will read the difference between ~all and -all.

d4rklynk avatar Mar 30 '23 14:03 d4rklynk

I found another article that explicitly recommends ~all over -all: https://www.uriports.com/blog/spf-dkim-dmarc-best-practices/#fn3

What is your opinion?

gregorbg avatar Jul 20 '23 16:07 gregorbg

It will be blocked if the server set in SPF is not the right one. So technically, there won't be any problem if you use the right server (the one of WCA), which btw will always be the case.

d4rklynk avatar Jul 20 '23 18:07 d4rklynk

But right now, what matters most is to implement a good DMARC policy. Only SPF does something atm since DMARC is disabled.

d4rklynk avatar Jul 20 '23 18:07 d4rklynk

The workflow is like so if SPF is in fail mode (meaning -all):

  • the email will go through the SPF check. It fails, thus it will not even be tested by the DMARC check. (You don't receive an email for the DMARC failure, because it hasn't gone through.)

And if SPF is in softfail mode (meaning ~all):

  • the mail will go through the SPF check, SPF will flag it (since it fails the SPF check), and the email will go through the DMARC check. DMARC will see it fails the SPF check, so it will not be delivered (if the DMARC policy is set to sp=reject), or it will be sent to the user's mailbox (in the spam folder if it's set to p=quarantine, or in the main mailbox if set to sp=none).

What it means is that if an email fails in the first place and you have a strong DMARC policy (p=reject, adkim={r,s} and aspf={r,s}), the email will not be delivered anyway. The only thing that actually changes is the DMARC report you receive in your [email protected] mailbox.

I don't know if I'm clear tbh, but in the end, the difference is subtle, and the security behind it will be almost the same whether you set SPF to ~all or -all.

So, why set -all instead of ~all? Since the email will not be delivered anyway with a strong DMARC policy, whether it's in fail mode or softfail mode, it is useless to let an email go through a DMARC check.

d4rklynk avatar Nov 30 '23 17:11 d4rklynk
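The SPF-then-DMARC flow described in the comment above (and the ~all versus -all choice raised in the issue body) can be made concrete with a small receiver-side simulation. This is an added example, not code from the WCA project or from anyone in the thread. The DNS records, IP addresses (documentation ranges) and domain names are constructed for the example; `include:` is resolved from an inline dict so it runs offline, and relaxed alignment is simplified to a subdomain check rather than a Public Suffix List lookup. The `reject_on_spf_fail` flag models a receiving MTA that rejects on SPF hard fail before consulting DMARC, which RFC 7208 permits but does not require, so the same message can be handled differently by two receivers.

```python
"""Toy SPF + DMARC evaluator (added example; constructed data, not WCA's records)."""
import ipaddress

# Constructed sample DNS data using documentation-range addresses.
SPF_SOFTFAIL = "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example ~all"
SPF_HARDFAIL = "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all"
INCLUDED = {"_spf.mailer.example": "v=spf1 ip6:2001:db8:1::/48 -all"}
DMARC_REJECT = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@example.org"
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:          # modifiers (redirect=, exp=) are not handled here
            continue
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qual, name.lower(), arg))
    return parsed


def check_spf(record, sender_ip, resolved=INCLUDED):
    """Return pass/fail/softfail/neutral for sender_ip against record.

    Supports ip4, ip6, all and include (looked up in the inline dict so the
    example runs offline). include matches only when the included record
    yields "pass", as RFC 7208 specifies; the first matching term wins.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qual, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qual]
        elif name == "include":
            if check_spf(resolved[arg], sender_ip, resolved) == "pass":
                return QUALIFIER_RESULT[qual]
        elif name == "all":
            return QUALIFIER_RESULT[qual]
    return "neutral"             # nothing matched and no "all" term present


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def aligned(mode, auth_domain, header_from):
    """Identifier alignment: strict needs an exact match; relaxed also accepts
    a subdomain of the From domain (simplified: no Public Suffix List)."""
    if auth_domain == header_from:
        return True
    return mode == "r" and auth_domain.endswith("." + header_from)


def dmarc_result(record, header_from, spf_result, spf_domain,
                 dkim_pass=False, dkim_domain=None):
    """'pass' if SPF or DKIM passed *and* aligns; otherwise the p= policy."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(tags.get("aspf", "r"), spf_domain, header_from)
    dkim_ok = bool(dkim_pass and dkim_domain) and aligned(tags.get("adkim", "r"), dkim_domain, header_from)
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


def receiver_disposition(spf_record, dmarc_record, sender_ip, mail_from, header_from,
                         reject_on_spf_fail=True):
    """Simulate one receiving MTA's decision for a message.

    reject_on_spf_fail models a receiver that rejects on SPF hard fail before
    DMARC is consulted (allowed by RFC 7208, not done by every receiver).
    """
    spf = check_spf(spf_record, sender_ip)
    if spf == "fail" and reject_on_spf_fail:
        return {"spf": spf, "dmarc": "not evaluated", "action": "reject"}
    dmarc = dmarc_result(dmarc_record, header_from, spf, mail_from)
    action = {"pass": "deliver", "none": "deliver",
              "quarantine": "quarantine", "reject": "reject"}[dmarc]
    return {"spf": spf, "dmarc": dmarc, "action": action}


if __name__ == "__main__":
    spoofed = ("203.0.113.9", "example.org", "example.org")   # wrong server, genuine From
    for spf_rec in (SPF_SOFTFAIL, SPF_HARDFAIL):
        for dmarc_rec in (DMARC_NONE, DMARC_REJECT):
            print(spf_rec.split()[-1], dmarc_rec.split(";")[1].strip(),
                  receiver_disposition(spf_rec, dmarc_rec, *spoofed))
```

Running it shows the four combinations: with -all and a receiver that enforces SPF, the spoofed message is rejected regardless of DMARC; with ~all the outcome is entirely decided by p=, so p=none delivers it and p=reject rejects it. Passing `reject_on_spf_fail=False` shows the other half of the argument in the thread: a receiver that does not act on SPF alone ends up at the DMARC policy either way, which is why the DMARC policy, not the SPF qualifier, is what actually determines delivery for most receivers.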

The thing here is simple: you can either choose -all or ~all. In the end, you need to trust receivers' MTAs to read the records and apply them, because they might not.

Like I said, the difference between these two is subtle (even nonexistent).

At least, with this issue, you will know why you chose one over the other.

d4rklynk avatar Dec 04 '23 12:12 d4rklynk