From time to time, I get customer requests for assistance on stopping phishing messages that spoof the sender’s own organization. For example, I might get mail from cliff @ microsoft.com, sending mail to myself. As a user, I might be tricked into thinking that since this is an internal message, the message is legitimate. Furthermore, that email address might be in my address book and therefore once it hits my inbox, supposing that it gets past my spam filter, the message is rendered using the full first name and last name of the actual person with that email address (note: that email address does not actually exist internally).
This is important in phishing campaigns because phishers will attempt to fool users by sending mail internally. One way to combat this is using SPF records. If you set up your SPF record with a hard fail (-all), then if anyone tries to send mail to you spoofing you, then the spam filter will look at that and because of the hard fail, will have a much greater chance of assigning the message as spam.
However, more domains on the Internet use soft fails, ~all, as opposed to hard fails. I’ve even seen some other writers recommend the use of ~all instead of –all because if you don’t remember all the IPs that you send mail as, using hard fails hurt you more than soft fails do. Conversely, soft fails do less damage and assure better delivery. Microsoft, in its SenderID wizard, recommends the use of hard fails (in order to combat spoofing) but both arguments have their points. I usually recommend hard fails if you know all the IPs that send mail as you (and most big organizations don’t know), or don’t have to worry about forwarding mail like Hotmail or Gmail.
Unfortunately, if you use a soft fail, then the spam filter will only use that as a weak input into the spam filter. The fact is, SPF is designed to assist others in determining if your domain has been spoofed, but it functions better as a whitelisting technology. But here’s the problem:
This is a contradiction using today’s technologies. DKIM certainly won’t help you block spoofed mail unless you use ADSP (and even then it’s not great at it), and SPF works better with soft fails. So what do you do?
What you could do is create a one-off rule for your own domain. I’m going to get specific to our own service, but you could do the following:
Using this, outbound mail from one of your 3rd party associates like marketers will most likely make it through others’ filters since they use an SPF soft fail as a lower weight in the filter. However, if anyone tries to spoof mail to you, the mail will be flagged as spam because it will fail the SPF check and you are blocking anyone who sends mail as you and fails that check.
The trade off here is that there exists a possibility that legitimate mail “from” you (sent by others) to the Internet might get flagged as spam. However, that same legitimate mail, when sent to you will be flagged as spam. So, let the buyer beware – if you want to get tighter on security and protect your own organization, you will get some false positives (probably).
Of course, if you are a high risk target, you’re probably prepared to accept that risk and the quality of the content of those messages is not that important anyhow. If it were a legitimate mail, it would be in your SPF record and pass the check.
This is not foolproof, of course. However, it is one mechanism that you can implement to stop spammers from taking advantage of you.
Okay, "if you don’t remember all the IPs that you send mail as" better don't try FAIL. But maybe medium size organizations limited to one country at least know all their IP blocks, rarely changing static IPs. If all their 3rd party e-mail service providers (= bulk mailers) already get a PASS somehow, they could still arrange a FAIL for "the rest of the world" (= any IP not belonging to their known blocks).
Unless employees (or similar) are allowed to use their organizational mail addresses at home (outside of the organization) with whatever they like as e-mail service provider. But in this scenario your recipe also wouldn't help, and a SOFTFAIL (designed for temporary tests) is actually too hard, a NEUTRAL result would be correct.
Yes, you could do a neutral... but I still recommend soft fail. Neutral is nearly useless for others to detect spoofing. As I said, there are advantages both ways.