SPF Bypass

Bypassing Sender Policy Framework with IP collision


SPF

Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators.[1] The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Source: http://en.wikipedia.org


SPF Example

mail.example.pl. IN TXT "v=spf1 mx -all"               << all MX servers are allowed
mail.example.pl. IN TXT "v=spf1 ip4:12.23.34.45"       << only one IP is allowed



Collision


When two domains use the same mailbox provider:

mail.domainA.pl. IN TXT "v=spf1 mx -all"
mail.domainB.pl. IN TXT "v=spf1 mx -all"

DNS resolves the MX and then the A (AAAA) records for both domains, and those records point to the same IP. Both of those domains (and any others sharing the host) can therefore send spoofed emails that pass the other's SPF check (assuming, of course, they have shell access on that host or can reach it via SMTP injection).
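To make the collision concrete, here is an added example (not code from the original page): a small SPF evaluator covering the subset of RFC 7208 used by the records above (ip4/ip6, a, mx, all and the four qualifiers) run against a constructed, in-memory DNS table. The zone data, host names and addresses are invented for the demo. It shows that the shared MX address passes SPF for both domainA and domainB, and, as a caveat for the "only one IP is allowed" record from the SPF example, that a record with no terminating "all" mechanism falls through to neutral rather than fail. The helper at the end is the audit check a defender would run: given one sender IP, which of your domains would accept it.

```python
"""Minimal SPF evaluator (subset of RFC 7208) over a constructed DNS table.

Demonstrates the 'mx' collision: two domains at one mail provider authorize
the same IP, so each tenant passes SPF for the other. Also shows the
missing-'all' caveat. Example code for this page, not from any project.
"""
import ipaddress

# Constructed zone data (invented names/addresses, not real records).
# Both domains delegate mail to one provider whose MX host has a single A record.
DNS = {
    "domaina.pl": {"TXT": ["v=spf1 mx -all"], "MX": ["mx.provider.example"]},
    "domainb.pl": {"TXT": ["v=spf1 mx -all"], "MX": ["mx.provider.example"]},
    "mx.provider.example": {"A": ["203.0.113.10"]},
    # Mirrors the second record of the SPF example: one ip4, but no '-all'.
    "example.pl": {"TXT": ["v=spf1 ip4:12.23.34.45"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query: returns the rdata list or []."""
    return DNS.get(name.rstrip(".").lower(), {}).get(rtype, [])


def _host_addresses(name):
    return lookup(name, "A") + lookup(name, "AAAA")


def check_host(ip, domain):
    """Evaluate the SPF record of `domain` for sender `ip`.

    Supports ip4, ip6, a, mx and all (no CIDR suffix on a/mx, no include,
    exists, ptr or redirect). Returns one of the RFC 7208 result strings.
    """
    records = [t for t in lookup(domain, "TXT")
               if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # RFC 7208: more than one record is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        target = argument or domain   # a/mx default to the checked domain
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # ip_network.__contains__ returns False on a version mismatch
            matched = addr in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "a":
            matched = str(addr) in _host_addresses(target)
        elif mechanism == "mx":
            # This is the collision point: every tenant of the provider shares
            # the MX host, so the same address matches for every such domain.
            matched = any(str(addr) in _host_addresses(mx)
                          for mx in lookup(target, "MX"))
        else:
            return "permerror"      # mechanism not implemented in this subset
        if matched:
            return QUALIFIERS[qualifier]
    # No mechanism matched and no 'all' term: RFC 7208 default is neutral,
    # which most receivers treat like "no opinion", not like a failure.
    return "neutral"


def domains_authorizing(ip):
    """Audit helper: which domains in the table return 'pass' for this IP."""
    return sorted(d for d, rr in DNS.items()
                  if rr.get("TXT") and check_host(ip, d) == "pass")


if __name__ == "__main__":
    shared_mx_ip = "203.0.113.10"
    for d in ("domaina.pl", "domainb.pl"):
        print(d, shared_mx_ip, "->", check_host(shared_mx_ip, d))
    print("domains accepting", shared_mx_ip, "->", domains_authorizing(shared_mx_ip))
    print("example.pl from 198.51.100.7 ->", check_host("198.51.100.7", "example.pl"))
```

Running it prints "pass" for both domainA and domainB from the shared MX address, lists both in the audit output, and returns "neutral" for example.pl from an unlisted address because that record never says "-all". The mitigation the audit points at is not in SPF itself but in the shared host: if you cannot avoid shared sending infrastructure, pair SPF with DKIM signing and a DMARC policy so a passing SPF alone does not authenticate the message.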


DNS

SPF can also be bypassed by spoofing DNS, because every step of the check above (the TXT record, the MX list, the A/AAAA answers) is only as trustworthy as the resolver's answers.