SPF records can allow MAIL FROM:user1@example.com but deny user2@example.com (even if it’s rare)

Overheard (“e-verheard” maybe?) someone say that if your domain’s SPF TXT record allows a certain server to send email on your behalf, any user @ your domain can use that server.

Not true. It’s rarely done, but you can have an SPF record that gives user1@example.com a PASS but gives user2@example.com a FAIL!

Two cases where such a config makes sense:

  • when a hacker sent spam or phishing emails via your mailserver using a specific MAIL FROM: address, and you want a belt-and-suspenders approach to making sure that address isn’t used again
  • when you have a limited set of allowed MAIL FROM: addresses, but the others can’t be blocked at the SMTP AUTH level (i.e. an authenticated user can still put anyoldthing@example.com in MAIL FROM:), so you need to tell the world what’s allowed

We’re not talking about Marketo, to be clear. As I’ve mentioned many times before, your From: domain’s SPF record doesn’t actually matter with Marketo.[1] Whether it’s marked Verified or not in Admin » Email makes no difference. (I trust Adobe knows this, but removing it would kind of be weird after all these years, so it sticks around.)

But let’s say you’re using another MAP/ESP (or your corporate mailserver, an even better example) where your From: domain’s SPF record is actually used. That is, where the envelope MAIL FROM: (not just the inner From: header) is some.user@example.com, another.user@example.com, etc.

If you use SPF’s %{l} macro, it’s automatically expanded to the local-part (left-hand side) of the email address. For this email address:

some.user@example.com

%{l} is expanded to:

some.user

So if you have this SPF record:

v=spf1 -exists:%{l}.deny.example.com +all

The recipient’s mailserver will do an A record lookup for some.user.deny.example.com. The exists: mechanism only cares whether any A record comes back, not what its value is, so a conventional 127.0.0.2 is as good as anything.

If an A record comes back, the exists: mechanism matches and its - qualifier makes the result SPF FAIL (note the - instead of +). If nothing comes back, evaluation falls through to +all, so every other local-part is an SPF PASS. Three caveats a practitioner should know: the DNS lookup is case-insensitive, so Some.User and some.user hit the same deny entry even though local-parts are technically case-sensitive; a null MAIL FROM:<> (bounces) substitutes postmaster for %{l} and is checked against the HELO domain, so you can’t block those this way; and +all means any IP on the internet passes for every undenied local-part, so in a real record you’d pair the exists: denylist with your normal ip4:/include: mechanisms and finish with -all rather than +all.

You can see how the same concept can be reversed to create a list of allowed local-parts while denying everything else. The more you know!
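To make the evaluation order concrete, here is an added example (not code from the original post): a toy SPF check_host() in Python that understands only exists:, ip4: and all, plus plain %{l}-style macros, run against a constructed in-memory zone standing in for DNS. It evaluates the denylist record from the post, its allowlist mirror image, and a combined record that pairs the denylist with an ip4: allowlist and -all. The names in FAKE_DNS_A, the allow.example.com zone, the 203.0.113.0/24 range and the sample senders are all assumptions made up for this example.

```python
import ipaddress
import re

# Constructed stand-in for DNS: names listed here are the ones with an A record.
# exists: only asks "does any A record come back?", so the value is irrelevant;
# 127.0.0.2 is used simply because that is what such records conventionally hold.
FAKE_DNS_A = {
    "hacked.user.deny.example.com": "127.0.0.2",   # a local-part we want to block
    "some.user.allow.example.com": "127.0.0.2",    # local-parts we allow, in the
    "newsletter.allow.example.com": "127.0.0.2",   # reversed (allowlist) form
}

# The record from the post, its allowlist mirror image, and (an assumption of this
# example) the denylist combined with an ordinary ip4: allowlist and -all.
DENY_RECORD = "v=spf1 -exists:%{l}.deny.example.com +all"
ALLOW_RECORD = "v=spf1 +exists:%{l}.allow.example.com -all"
COMBINED_RECORD = "v=spf1 -exists:%{l}.deny.example.com ip4:203.0.113.0/24 -all"

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns_a_exists(name: str) -> bool:
    # DNS is case-insensitive, so Some.User and some.user hit the same entry
    # even though local-parts are, strictly speaking, case-sensitive.
    return name.rstrip(".").lower() in FAKE_DNS_A


def expand_macros(spec: str, sender: str, client_ip: str) -> str:
    """Expand the plain single-letter macros %{l} %{o} %{d} %{i} %{s}.

    Transformers such as %{l3r} and the %_ / %- / %% escapes are not handled.
    """
    local, _, domain = sender.partition("@")
    if not local:
        # RFC 7208 s4.3: a null reverse-path gets "postmaster" as its local-part
        local = "postmaster"
    macros = {"l": local, "o": domain, "d": domain, "i": client_ip,
              "s": f"{local}@{domain}"}

    def sub(m: re.Match) -> str:
        letter = m.group(1)
        if letter not in macros:
            raise ValueError(f"macro %{{{letter}}} not supported by this toy")
        return macros[letter]

    return re.sub(r"%\{([a-z])\}", sub, spec)


def check_host(record: str, sender: str, client_ip: str) -> str:
    """Toy SPF check_host(): evaluates exists:, ip4: and all, left to right."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to +
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "exists":
            matched = dns_a_exists(expand_macros(arg, sender, client_ip))
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"mechanism {name!r} not supported by this toy")
        if matched:                          # first matching mechanism wins
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                         # nothing matched and no redirect=


if __name__ == "__main__":
    for rec_name, rec in [("deny", DENY_RECORD), ("allow", ALLOW_RECORD),
                          ("combined", COMBINED_RECORD)]:
        for sender in ["some.user@example.com", "hacked.user@example.com",
                       "anyoldthing@example.com"]:
            for ip in ["203.0.113.10", "198.51.100.7"]:
                print(f"{rec_name:8} {sender:26} {ip:14} -> "
                      f"{check_host(rec, sender, ip)}")
```

Running it shows the point of the combined record: with the post’s DENY_RECORD, anyoldthing@example.com passes from any IP because of +all, while with COMBINED_RECORD it only passes from 203.0.113.0/24, and hacked.user@example.com fails from everywhere because the exists: denylist is evaluated before the ip4: allowlist.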

Notes

[1] SPF for the SMTP envelope MAIL FROM: domain does matter, but that’s never the same as your Marketo From: domain.