Blocking spoofed internal email from external sources
Last Updated: 2007-06-26 03:03:28 UTC
by Adrien de Beaupre (Version: 1)
One suggestion from Chris in the UK.
SPF is a red herring here - you surely know what IP address(s) are yours (and hence may send mail using *your* domain). You don't need SPF to tell you this. Simply reject any such mails received from off-net.
Unfortunately, this will cause false positives e.g where someone posts to a remote mailing list. The mail goes out then comes back in from a remote IP, (the list server) with your domain still as From: header. Hence the sender doesn't get their own copy, nor does anyone else in your organisation who subscribes.
One solution is to add a special header to all mail you originate, so you can recognise it if comes via such a route. This isn't cast iron, as it could be spoofed by a determined attacker, so some form of signing would be better in theory (domain keys?). Nevertheless, I know some UK university sites who use the header method with good results.
Then there's the remote e-card type sites that originate greeting mails with your domain - but losing these is probably not the end of the world...