Sunday, January 25, 2009

Google - SPF records and spoofing from Google Apps

If you receive email from Google, whether from google.com, gmail.com or the myriad of domains hosted by Google (e.g. Google Apps Premier customers), you can use the published SPF records to prevent unauthorised spoofing.

To find the current SPF record you can run

    $ dig txt _spf.google.com

and you'll get

    ;; QUESTION SECTION:
    ;_spf.google.com. IN TXT

    ;; ANSWER SECTION:
    _spf.google.com. 300 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"

If your mail server has no SPF support, you can still use these IP ranges directly to control which hosts may deliver mail that claims to come from Google.
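To show what a receiving server actually does with that record, here is an added example (not code from the post or from Google) that parses the `_spf.google.com` TXT string quoted above and evaluates a sending IP against it. The record is copied verbatim from the dig output and embedded as a constant so the script runs offline; only `ip4`/`ip6` mechanisms and the trailing `all` are handled, while `include`, `a`, `mx` and modifiers are skipped, which is enough for this record but not a full RFC 4408 evaluator. The `to_access_list` helper is an assumed name for the "server without SPF support" case: it emits the plain CIDR list you would feed to a firewall or MTA access list.

```python
"""Minimal SPF ip4/ip6 checker for a published TXT record (added example)."""
import ipaddress

# Record copied from the dig output in the post (as published in January 2009);
# embedded here so the example runs offline without a DNS lookup.
GOOGLE_SPF_2009 = (
    "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
    "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 "
    "ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"
)

# SPF qualifier prefixes and the result each one produces on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF v1 record into ([(result, ip_network), ...], all_result).

    Only ip4/ip6 mechanisms are parsed; include/a/mx/ptr/exists and
    modifiers such as redirect= are ignored in this simplified checker.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    networks = []
    # RFC 4408: if nothing matches and there is no 'all', the result is neutral.
    all_result = "neutral"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            networks.append((QUALIFIERS[qualifier], net))
        elif mech == "all":
            all_result = QUALIFIERS[qualifier]
    return networks, all_result


def check_sender(ip, record):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral') for a
    connecting IP. First matching mechanism wins, as in a real evaluator."""
    addr = ipaddress.ip_address(ip)
    networks, all_result = parse_spf(record)
    for result, net in networks:
        if addr.version == net.version and addr in net:
            return result
    return all_result


def to_access_list(record):
    """CIDR strings of the networks a 'pass' mechanism authorises, for a
    firewall or MTA access list on a server with no SPF support (assumed
    helper, not part of the post)."""
    networks, _ = parse_spf(record)
    return [str(net) for result, net in networks if result == "pass"]


if __name__ == "__main__":
    # 74.125.1.2 is inside 74.125.0.0/16; 192.0.2.1 is a documentation address.
    for ip in ("74.125.1.2", "192.0.2.1"):
        print(ip, "->", check_sender(ip, GOOGLE_SPF_2009))
    print("\n".join(to_access_list(GOOGLE_SPF_2009)))
```

Note what the `?all` at the end of this record means for a receiver: an IP outside the nine listed ranges gets a `neutral` result, not `fail`, so a mail server acting on this record alone will not reject such mail; rejection requires a `-all` (or, at a policy level, treating `softfail` from `~all` as suspicious).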

Note that it is not possible for a Google Apps customer on one domain to impersonate (i.e. spoof) another, since the backend email system prevents this.
