Blog

SPF - Do Not Be Negative

We recently encountered some strange SPF issues with one of our customers. We are not able to reliably determine, using SPF, whether a message claiming to be from their own domain is real or not. The reason... they are including Salesforce in their SPF record, and Salesforce is using a macro that can cause issues.

Let's See The Issue

We will use the domain example.com, including Salesforce exactly like our customer has done. Here is a sample SPF record for example.com.

v=spf1 ip4:206.168.70.196 include:_spf.salesforce.com include:spf.protection.outlook.com -all

The above SPF record is nice and strong. It lays out a single IP address mail is allowed to come from, plus includes a number of organizations whose services this domain also uses to send mail. It ends with -all, which means no mail should be accepted from example.com unless the IP address of the sender falls within the ranges specified in the SPF record.

When a server receives a message from example.com, it can use the SPF record to verify whether the message was sent from an authorized IP address. We are going to break it down using the IP address 35.80.210.20, which is owned by Salesforce and should result in a PASS, meaning the sender of the message is genuine.

Evaluating SPF Mechanisms

  • ip4:206.168.70.196

    No match, keep checking...


  • include:_spf.salesforce.com

    This is an include, telling us to include SPF data that Salesforce is publishing. When we look it up, we get this:

    v=spf1 exists:%{i}._spf.mta.salesforce.com -all

    That SPF mechanism contains a macro: the server performing the SPF check is supposed to replace the %{i} with the IP address of the sender. After the substitution with the IP address we get:

    35.80.210.20._spf.mta.salesforce.com

    We now have a host name of 35.80.210.20._spf.mta.salesforce.com, and the server doing the SPF check needs to see if that host name resolves (the exists mechanism matches when the host name has an A record). Our SPF check asks whether the host is valid; yes, it resolves, so the mechanism matches and the SPF check passes. Odds are good the message is genuine.

A Virus Attacks

Now we can run through the same tests when a spammer or computer virus has generated a message claiming to be from example.com. It should be easy to detect as fake because it will not come from an IP address included in the domain's SPF list. Our IP address will be 123.200.123.200; let's run through the tests again.

Evaluating SPF Mechanisms

  • ip4:206.168.70.196

    No match, keep checking...


  • include:_spf.salesforce.com

    This is an include, telling us to include SPF data that Salesforce is publishing. When we look it up, we get this:

    v=spf1 exists:%{i}._spf.mta.salesforce.com -all

    That SPF mechanism contains a macro: the server performing the SPF check is supposed to replace the %{i} with the IP address of the sender. After the substitution with the IP address we get:

    123.200.123.200._spf.mta.salesforce.com

    We now have a host name of 123.200.123.200._spf.mta.salesforce.com, and the server doing the SPF check needs to see if that host name resolves. Our SPF check asks whether the host is valid; yes, it resolves, so the mechanism matches and the SPF check passes. Odds are good the message is genuine.
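To make both walkthroughs above concrete, here is a small SPF evaluator written for this post (it is an added example, not code from the original article, from Salesforce, or from any SPF library). It implements the subset of RFC 7208 the post exercises: ip4, include, exists with the %{i} macro, and the -all qualifier. DNS is simulated with in-memory tables so it runs offline: the example.com and _spf.salesforce.com TXT strings are the ones quoted in the post, the spf.protection.outlook.com record is a hypothetical stand-in, and the FakeResolver's wildcard mode is an assumption that models the behaviour the post describes, namely that any IP-labelled name under _spf.mta.salesforce.com resolves. The strict resolver shows what the same record gives when only genuine Salesforce names resolve.

```python
"""Minimal SPF evaluator (RFC 7208 subset: ip4, include, exists, all).
Added example with simulated DNS; not the post's or any vendor's code."""
import ipaddress
import re

# Constructed TXT records. example.com and _spf.salesforce.com are quoted from
# the post; spf.protection.outlook.com is a hypothetical stand-in.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:206.168.70.196 include:_spf.salesforce.com "
                   "include:spf.protection.outlook.com -all",
    "_spf.salesforce.com": "v=spf1 exists:%{i}._spf.mta.salesforce.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 -all",  # hypothetical
}


class FakeResolver:
    """Simulated DNS. `known` are names with an A record; `wildcard_suffixes`
    models a zone that answers for any label beneath it (an assumption used to
    reproduce the behaviour the post describes)."""

    def __init__(self, known=(), wildcard_suffixes=()):
        self.known = set(known)
        self.wildcard_suffixes = tuple(wildcard_suffixes)
        self.queries = []  # audit trail of every exists lookup made

    def exists(self, name):
        self.queries.append(name)
        if name in self.known:
            return True
        return any(name.endswith("." + s) for s in self.wildcard_suffixes)

    def txt(self, domain):
        return TXT_RECORDS.get(domain)


def expand_macros(text, ip, domain):
    """Expand %{i} (sender IP, dotted quad for IPv4) and %{d} (current domain).
    The other RFC 7208 macro letters are deliberately not handled here."""
    def repl(m):
        letter = m.group(1)
        if letter == "i":
            return str(ip)
        if letter == "d":
            return domain
        raise ValueError(f"unsupported macro %{{{letter}}}")
    return re.sub(r"%\{([a-z])\}", repl, text)


def check_spf(domain, sender_ip, resolver, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    record = resolver.txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        name, _, arg = term.partition(":")
        if name == "all":
            return result
        if name == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            # An include matches only when the referenced record yields pass.
            if check_spf(arg, sender_ip, resolver, depth + 1) == "pass":
                return result
        elif name == "exists":
            # Macro-expand first, then ask DNS whether the name has an A record.
            if resolver.exists(expand_macros(arg, ip, domain)):
                return result
        else:
            raise ValueError(f"unsupported mechanism {name}")
    return "neutral"  # record exhausted without a matching mechanism


if __name__ == "__main__":
    strict = FakeResolver(known=["35.80.210.20._spf.mta.salesforce.com"])
    wild = FakeResolver(wildcard_suffixes=["_spf.mta.salesforce.com"])
    print("genuine, strict DNS :", check_spf("example.com", "35.80.210.20", strict))
    print("forged,  strict DNS :", check_spf("example.com", "123.200.123.200", strict))
    print("forged,  wildcard   :", check_spf("example.com", "123.200.123.200", wild))
    print("names queried       :", wild.queries)
```

The three runs are the point of the post: with a resolver that only knows genuine Salesforce names, the forged 123.200.123.200 message reaches -all and fails; with a zone that answers for any label, the exists mechanism matches for every sender and the include hands back a pass before -all is ever reached. The `queries` list is useful on a real receiver too, since the names asked for are exactly what a macro-based exists mechanism leaks to the published zone.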