I used to think that SPF records for subdomains were completely independent from the parent domain.
I'm trying out a domain email service provider that advises:
Using a subdomain you will still be able to send emails from your root domain e.g. “you@mydomain.com”.
Thus, I've set up SPF for a particular subdomain as v=spf1 include:mailgun.org ~all
I've tried sending a test message with it to a well-known webmail provider, and, to my surprise, SPF passed.
Here are the relevant email headers:
Delivered-To: myotheremail@gmail.com
Return-Path:
Received: from rs224.mailgun.us (rs224.mailgun.us. [209.61.151.224])
by mx.google.com {...}
Received-SPF: pass (google.com: domain of bounce+7e6474.bcb15-myotheremail=gmail.com@mailgun.mydomain.tld designates 209.61.151.224 as permitted sender) client-ip=209.61.151.224;
Sender: myusername=mydomain.tld@mailgun.mydomain.tld
From: myusername@mydomain.tld
To: myotheremail@gmail.com
The Received-SPF line has me worried that, for some twisted reason, SPF can succeed just based on the domain of the bounce address - is that the case?
I've also noticed that Sender is actually set to be from the subdomain, but that is not shown in any way in the webmail interface - does that mean that subdomains can basically get away with impersonating emails for the parent domain? Or even for other domains?
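Added example, not part of the original post: SPF (RFC 7208) evaluates the envelope sender (the bounce address) and the HELO name, never the From header, so this sketch pulls the domain SPF actually authenticated out of the post's Received-SPF line and compares it with the From domain, the way a DMARC alignment check does. The function name, the `org_domain` argument and the reliance on Google's "domain of ..." comment format are assumptions; real DMARC derives the organizational domain from the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers copied from the post (Return-Path omitted, as its
# value did not survive on the page).
SAMPLE = """\
Received-SPF: pass (google.com: domain of bounce+7e6474.bcb15-myotheremail=gmail.com@mailgun.mydomain.tld designates 209.61.151.224 as permitted sender) client-ip=209.61.151.224;
Sender: myusername=mydomain.tld@mailgun.mydomain.tld
From: myusername@mydomain.tld
To: myotheremail@gmail.com

"""

# Assumption: the receiver writes "<result> (... domain of <identity> ...)".
SPF_RE = re.compile(r"\s*(\w+)\b.*?domain of (?:transitioning )?(\S+?)[\s)]", re.S)


def _under(domain, org):
    """True if domain is org itself or one of its subdomains."""
    return domain == org or domain.endswith("." + org)


def spf_identity_report(raw_headers, org_domain):
    """Report which domain SPF authenticated and whether it matches From.

    org_domain is supplied by the caller (hypothetical simplification of the
    Public Suffix List lookup a DMARC verifier performs).
    """
    msg = message_from_string(raw_headers)
    m = SPF_RE.match(msg.get("Received-SPF", ""))
    result = m.group(1).lower() if m else "none"
    identity = m.group(2) if m else ""
    # A HELO identity has no "@"; rpartition then returns the whole string.
    spf_domain = identity.rpartition("@")[2].lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    passed = result == "pass"
    return {
        "spf_result": result,
        "spf_domain": spf_domain,    # what SPF vouched for
        "from_domain": from_domain,  # what the webmail UI displays
        "strict_aligned": passed and spf_domain == from_domain,
        "relaxed_aligned": passed and _under(spf_domain, org_domain)
        and _under(from_domain, org_domain),
    }


if __name__ == "__main__":
    print(spf_identity_report(SAMPLE, "mydomain.tld"))
```

A message with `spf_result` of `pass` but `relaxed_aligned` false is one where SPF authenticated a domain unrelated to the displayed From address, which is the case a receiver-side DMARC policy is meant to catch.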