SMTP Pentest Guide

SPF-DMARC Inconsistencies

This attack exploits inconsistencies between what SPF verifies (HELO and MAIL FROM) and what DMARC uses for alignment (typically MAIL FROM). By manipulating these identifiers, attackers can bypass email authentication mechanisms.

Attack Summary: Exploiting the differences in how SPF and DMARC process email identifiers to bypass authentication checks and spoof legitimate senders.

Background: Email Identifiers

To understand this attack, it's important to know that SMTP defines multiple identifiers:

  • HELO/EHLO: The domain name that the sending server identifies itself with
  • MAIL FROM: The envelope sender address (usually not displayed to end users)
  • From header: The address shown to recipients in their email clients

SPF and DMARC treat these identifiers differently:

  • SPF (RFC 7208): Checks both HELO and MAIL FROM. If either passes, SPF can pass.
  • DMARC (RFC 7489): Uses MAIL FROM for alignment tests with the From header. If MAIL FROM is empty, it uses HELO.
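
As an added example (not part of the guide), the following Python models how a receiving server composes SPF results with DMARC alignment: the inconsistent composition this guide exploits, shown beside the RFC 7489 rule that the SPF result fed to DMARC must belong to the same identifier that is aligned against the From header. It assumes the organizational domain is the last two labels (a stand-in for the Public Suffix List) and takes SPF results as plain strings.

```python
# Added example (see lead-in). Assumptions: organizational domain = last two
# labels (stand-in for the Public Suffix List); SPF results are plain strings.

def organizational_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def aligned(from_domain: str, ident: str, mode: str = "r") -> bool:
    """Relaxed ('r', the DMARC default): organizational domains match; strict ('s'): exact match."""
    if mode == "s":
        return ident == from_domain
    return organizational_domain(ident) == organizational_domain(from_domain)


def dmarc_spf_inconsistent(from_hdr, mail_from, helo, spf_mailfrom, spf_helo, mode="r"):
    """The composition the guide attacks: an SPF pass from *either* identifier is
    accepted, but alignment is only ever checked against the MAIL FROM domain."""
    if spf_mailfrom != "pass" and spf_helo != "pass":
        return False
    ident = domain_of(mail_from) if mail_from else helo.lower()
    return aligned(domain_of(from_hdr), ident, mode)


def dmarc_spf_rfc7489(from_hdr, mail_from, helo, spf_mailfrom, spf_helo, mode="r"):
    """RFC 7489 composition: pick the identifier DMARC aligns on (MAIL FROM, or
    HELO when MAIL FROM is empty) and require that identifier's own SPF result."""
    if mail_from:
        ident, result = domain_of(mail_from), spf_mailfrom
    else:
        ident, result = helo.lower(), spf_helo
    return result == "pass" and aligned(domain_of(from_hdr), ident, mode)


if __name__ == "__main__":
    # Variant 1 identifiers from the guide: MAIL FROM subdomain has no SPF
    # record ("none"), HELO domain is attacker-controlled ("pass").
    case = ("sec@bank.com", "any@notexist.bank.com", "attacker.com", "none", "pass")
    print(dmarc_spf_inconsistent(*case))            # True: spoof gets through
    print(dmarc_spf_rfc7489(*case))                 # False: rejected
    print(dmarc_spf_inconsistent(*case, mode="s"))  # False: aspf=s also stops it
```

The same functions show why the two mitigations below work: strict alignment rejects the subdomain identifier, and the RFC 7489 composition never credits a HELO pass to a MAIL FROM check.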

Attack Methodology

This attack exploits the inconsistency between what SPF verifies and what DMARC uses for alignment tests. There are two main variants of this attack:

Variant 1: Using Non-Existent Subdomain
Exploiting how SPF and DMARC handle non-existent domains

In this variant, the attacker uses a non-existent subdomain in the MAIL FROM field while spoofing a legitimate domain in the From header.

Attack Example

Using a non-existent subdomain in MAIL FROM

  HELO attacker.com
  MAIL FROM: <any@notexist.bank.com>
  RCPT TO: <victim@victim.com>
  DATA
  From: <sec@bank.com>
  To: <victim@victim.com>
  Subject: Security Alert

  Dear Customer,
  We are writing to inform you that...
  .

Explanation: In this example, the attacker uses 'notexist.bank.com' in the MAIL FROM field. Since this subdomain doesn't exist, it doesn't have an SPF record. SPF will then fall back to checking the HELO domain (attacker.com), which the attacker controls. Meanwhile, DMARC uses 'notexist.bank.com' for alignment with 'bank.com' in the From header, which passes in relaxed mode.

How It Works

  1. Attacker sends an email with HELO set to their controlled domain (attacker.com)
  2. MAIL FROM is set to a non-existent subdomain of the target (notexist.bank.com)
  3. From header is set to an address at the target domain (sec@bank.com)
  4. SPF cannot verify the non-existent subdomain, so it falls back to verifying HELO
  5. Since the attacker controls attacker.com, the SPF check for HELO passes
  6. DMARC uses MAIL FROM (notexist.bank.com) for alignment with the From header (bank.com)
  7. In relaxed mode, DMARC considers these aligned because they share the same registered domain
  8. The email passes authentication and appears to come from the legitimate domain

Variant 2: Using Subdomain of Target
Exploiting relaxed alignment in DMARC

In this variant, the attacker uses a subdomain of the target domain in the MAIL FROM field that they control or that has no SPF record.

Attack Example

Using a controlled subdomain in MAIL FROM

  HELO attacker.com
  MAIL FROM: <any@sub.bank.com>
  RCPT TO: <victim@victim.com>
  DATA
  From: <sec@bank.com>
  To: <victim@victim.com>
  Subject: Security Alert

  Dear Customer,
  We are writing to inform you that...
  .

Explanation: In this example, the attacker uses 'sub.bank.com' in the MAIL FROM field. If this subdomain has no SPF record or has a permissive one, SPF might pass. DMARC will use 'sub.bank.com' for alignment with 'bank.com' in the From header, which passes in relaxed mode because they share the same registered domain.

How It Works

  1. Attacker identifies a subdomain of the target that has no SPF record or a permissive one
  2. Attacker sends an email with MAIL FROM set to this subdomain (sub.bank.com)
  3. From header is set to an address at the target domain (sec@bank.com)
  4. If the subdomain has no SPF record, SPF might return a "none" result, which some receivers treat as a pass
  5. DMARC uses MAIL FROM (sub.bank.com) for alignment with the From header (bank.com)
  6. In relaxed mode, DMARC considers these aligned because they share the same registered domain
  7. The email passes authentication and appears to come from the legitimate domain

Impact

This attack allows attackers to:

  • Bypass SPF and DMARC authentication mechanisms
  • Send emails that appear to come from legitimate domains
  • Conduct phishing attacks with increased credibility
  • Potentially damage the reputation of the spoofed domain

Detection

Organizations can detect these attacks by:

  • Monitoring for emails with mismatched MAIL FROM and From header domains
  • Implementing additional checks beyond standard SPF and DMARC
  • Using email security gateways that can detect these inconsistencies
  • Analyzing email headers for suspicious patterns
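
Added example, not from the guide: a check that applies the first and last bullets above to constructed Authentication-Results headers in RFC 8601 form. It assumes the receiving gateway records smtp.helo and smtp.mailfrom as properties of the spf= result, and it approximates the organizational domain as the last two labels.

```python
import re

# Constructed Authentication-Results values (RFC 8601 style), not real mail:
# 1: Variant 1 pattern   2: legitimate mail   3: Variant 2 pattern (SPF none)
SAMPLE_HEADERS = [
    "mx.victim.com; spf=pass smtp.helo=attacker.com smtp.mailfrom=any@notexist.bank.com;"
    " dmarc=pass (p=quarantine) header.from=bank.com",
    "mx.victim.com; spf=pass smtp.helo=mail.bank.com smtp.mailfrom=alerts@bank.com;"
    " dmarc=pass header.from=bank.com",
    "mx.victim.com; spf=none smtp.helo=attacker.com smtp.mailfrom=any@sub.bank.com;"
    " dmarc=pass header.from=bank.com",
]

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")   # method=result
PROP_RE = re.compile(r"(\w+\.\w+)=([^\s;]+)")         # ptype.property=value


def org_domain(domain: str) -> str:
    # Assumption: last two labels; production code should use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(value: str) -> dict:
    """Flatten 'method=result ptype.prop=value ...' clauses into one dict."""
    parsed = dict(RESULT_RE.findall(value))
    parsed.update(PROP_RE.findall(value))
    return parsed


def suspicious(value: str) -> list:
    """Reasons a message matches the SPF/DMARC inconsistency pattern (empty = clean)."""
    ar = parse_auth_results(value)
    from_dom = ar.get("header.from", "").lower()
    mailfrom_dom = ar.get("smtp.mailfrom", "").rsplit("@", 1)[-1].lower()
    helo = ar.get("smtp.helo", "").lower()
    reasons = []
    if from_dom and mailfrom_dom and from_dom != mailfrom_dom:
        reasons.append(f"MAIL FROM domain {mailfrom_dom} != From header domain {from_dom}")
    if ar.get("spf") == "pass" and helo and org_domain(helo) != org_domain(mailfrom_dom):
        reasons.append(f"SPF pass but HELO {helo} is outside {org_domain(mailfrom_dom)}")
    if ar.get("spf") != "pass" and ar.get("dmarc") == "pass" and "dkim" not in ar:
        reasons.append("DMARC pass without an SPF pass or any DKIM result")
    return reasons


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(suspicious(header) or "clean")
```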

Mitigation

To protect against these attacks, organizations should:

  • Implement strict DMARC policies: Use "p=reject" in DMARC records to reject emails that fail authentication
  • Use strict alignment in DMARC: Configure "aspf=s" and "adkim=s" in DMARC records to require exact domain matches
  • Publish SPF records for all subdomains: Ensure all subdomains have appropriate SPF records
  • Monitor DMARC reports: Regularly review DMARC reports to identify authentication failures
  • Implement additional email security measures: Use email security gateways with advanced threat protection
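
Added example, not from the guide: a lint for the first four bullets above, run over constructed DNS records supplied as dicts rather than looked up in DNS. The domain names, addresses and records are made up; the sp= (subdomain policy) tag it checks is a standard RFC 7489 tag that the list does not mention, included because Variant 2 targets subdomains.

```python
# Added example (see lead-in); records are passed in as dicts, not fetched from DNS.

def parse_tags(record: str) -> dict:
    """'v=DMARC1; p=reject; aspf=s' -> {'v': 'DMARC1', 'p': 'reject', 'aspf': 's'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list:
    """Findings against the Mitigation list; an empty list means the record is as recommended."""
    t = parse_tags(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if t.get("p") != "reject":
        findings.append(f"p={t.get('p', 'missing')}: use p=reject")
    if t.get("sp", t.get("p")) != "reject":   # sp= (subdomain policy) defaults to p= per RFC 7489
        findings.append("subdomain policy is not reject")
    for tag in ("aspf", "adkim"):             # both default to r (relaxed alignment)
        if t.get(tag, "r") != "s":
            findings.append(f"{tag}={t.get(tag, 'r')}: use {tag}=s for strict alignment")
    if "rua" not in t:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


def lint_spf(zone: dict, names: list) -> list:
    """Every listed name should publish SPF that ends in -all (hard fail)."""
    findings = []
    for name in names:
        txt = zone.get(name, "")
        if not txt.startswith("v=spf1"):
            findings.append(f"{name}: no SPF record")
        elif not txt.rstrip().endswith("-all"):
            findings.append(f"{name}: SPF does not end in -all")
    return findings


# Constructed records: typical weak defaults beside the hardened equivalent.
WEAK = {"_dmarc.bank.com": "v=DMARC1; p=none; rua=mailto:dmarc@bank.com",
        "bank.com": "v=spf1 include:_spf.bank.com ~all"}
HARDENED = {"_dmarc.bank.com": "v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s; rua=mailto:dmarc@bank.com",
            "bank.com": "v=spf1 include:_spf.bank.com -all",
            "sub.bank.com": "v=spf1 -all"}   # subdomain that never sends mail: nothing authorized
NAMES = ["bank.com", "sub.bank.com"]
```

Calling lint_dmarc(WEAK["_dmarc.bank.com"]) and lint_spf(WEAK, NAMES) lists every gap the Mitigation bullets name, while the HARDENED set yields no findings.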

Testing

Security professionals can test for this vulnerability using the following approach:

  1. Set up a test email server with the ability to manipulate SMTP headers
  2. Send test emails with various combinations of HELO, MAIL FROM, and From header values
  3. Check if the emails pass SPF and DMARC authentication
  4. Use the "espoofer" tool to automate testing for these vulnerabilities

References

  • Chen, J., Jiang, J., Duan, H., Weaver, N., Wan, T., & Paxson, V. (2020). "Forwarding-Loop Attacks in Content Delivery Networks." In Proceedings of the Network and Distributed System Security Symposium (NDSS).
  • RFC 7208: "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1." https://tools.ietf.org/html/rfc7208
  • RFC 7489: "Domain-based Message Authentication, Reporting, and Conformance (DMARC)." https://tools.ietf.org/html/rfc7489
  • Chen, J., Duan, H., Weaver, N., Paxson, V., & Jiang, J. (2021). "Measuring and Mitigating Email Sender Spoofing Attacks." In Proceedings of the 30th USENIX Security Symposium.
  • espoofer: "Email Spoofing Testing Tool." https://github.com/chenjj/espoofer