G Suite + SPF, why bother?
SPF (Sender Policy Framework) serves a basic function: it tells MTAs who can send an email on my behalf.
Its big advantage is that it’s an easy way to stop those dangerous targeted spoofed emails that appear to come from [first.last@yourdomain.com] being delivered as targeted phishing email to your end users.
We teach end users to always inspect the from address if they’re skeptical of a message. These types of attacks appear to come from your domain, hence the real need to pick them up and drop them as early as possible.
Now for some reason G Suite seems to acknowledge a SPF Hard Fail but delivers it straight to my users inbox anyway!
This seems bizarre for a few reasons:
- A SPF Hard Fail is a pretty black and white condition that should be able to trigger a simple drop message or move to spam or similar.
- Despite whether or not your SPF record is soft fail (~) or hard fail (-) Google treats the message the exact same way.
- Digging into Mail advanced settings via the G Suite Admin Console, there are no settings for SPF, only DKIM.
- Exchange/365 can achieve this easily with a transport rule inspecting incoming mail for a header with “SoftFail” or “HardFail” and subsequently bounce the message or send it to Spam.
Legacy Issue
Did some digging, wasn’t too surprised to see that other people seem to be scratching their heads around this one too.
Google’s Response
I raised a support case with Google to see what the deal was. I could view the message headers and see that it was being correctly marked as FAIL (see below), but nothing was being done as a result.
Their response —
Dylan: Alright, thank you for your time.
David Clarke: no problems Dylan
Dylan: I’m not able to find any reason why the messages are not being affected by the SPF. Technically speaking they should be bouncing.
David Clarke: ok, well good to hear it’s setup correctly..
David Clarke: do you have a more detailed message trace on your end?
Dylan: I need to route the case to our email specialists for advanced troubleshooting.
Then on the phone with an email specialist (non verbatim obviously)
“An SPF fail (soft or hard) alone is not enough to trigger the G Suite spam filters to mark a message as spam. For G Suite to mark messages as spam they must fail both SPF and DKIM”
Does this seem short sighted or backwards to anyone else? SPF is used for a reason and Google should be using it as a major factor in scoring their messages for spam.
MessageLabs for example use a Hard SPF fail in the correct manner -
If the reported sender publishes a hard-fail SPF policy and the inbound email fails SPF verification, the email is blocked and deleted. The block and delete action enforces the sender’s hard fail policy, which says not to accept emails that are not from my authorized hosts. A 5xx error is returned to the sender. Other types of SPF policy, for example, soft-fail, are ignored.
What I Want
(nudge nudge again G Suite)
- An option in G Suite Gmail advanced settings to drop if SPF fails (hard or soft)
- An option in G Suite Gmail advanced settings to move to Spam if SPF fails (hard or soft)
- Overall, “transport rules” for G Suite that allow Admins to configure much more granular and specific rules based on criteria or actions they define. Much like the O365/Exchange functionality below -
What’s Next?
Well, I’m certainly a fan of DKIM and will move to set that up in the coming days/weeks. I’m hoping that SPF Hard Fail + DKIM will be enough to get Google to drop these dangerous targeted spoofed emails. Stay tuned!
Update
GSuite have now released some advanced phishing and malware settings which I will trial internally, leave a comment if you’ve tried this and how well it’s working.
