David Haddad

How does SendGrid prevent email address forgery for incoming emails?

The Parse API allows SendGrid developers to receive incoming emails. But how can we as developers guarantee that the 'from' email address field is from the owner of that email instead of someone else claiming to be that person? Email from fields can be spoofed.

One solution is to give each user a specific email to send their content to. But that is much less elegant than having one address (that everyone can remember) that any user can send an email to. Think of how post@posterous.com works versus flickr email uploading with a different email for each user...

Would appreciate getting as much feedback from you as possible since that is very important to our application and probably very interesting to many more developers. The Parse API is much less useful without a robust email spoof solution.

  • Hello,

    You are correct that the From address can be easily spoofed, and there is very little that can be done in the general case to ensure it is valid. There are however two methods of sender domain verification that are fairly common today: SPF and DKIM.

    SPF, Sender Policy Framework, verifies the MAIL address specified in the SMTP transaction comes from an IP address that is authorized to send for that domain. It doesn't check the From MIME header, but you can do some checks on the envelope to make sure someone is not playing games.

    DKIM is a digital signature for a domain, where the public key is published through DNS. The domain the message is signed for can be anything, but again you can check this against the From domain to make sure things match up.

    SendGrid will post the verification results of SPF checks and any DKIM signatures along with the message.

    So, for the short answer, the best way is to ensure that anyone sending to your address has set up SPF (since this is the easiest to implement). You may need some kind of alert on your end to find senders who do not have SPF. All major ISPs use SPF, so it's only small in-house providers that you will have issues with here.

    Please let me know if you have any other questions.

    Regards,
    Tim
  • David Haddad
    Thanks Tim. To understand your answer better:
    1. What do the DKIM and SPF look like to the developer (in the POSTed message)? Are they a percentage value or a true/false?
    2. If an SPF/DKIM verification is good, is it reasonable to completely trust that the email was sent from the user owning the 'from' email address?
    3. For the same email, is it possible that one value would be positive and the other negative?
    4. Roughly, what percentage of emails going through your system will come with an SPF value attached? Or alternately, is there a list of email service providers who have these checks in place?
  • SPF will show up in a parameter 'spf', and will have a value of 'pass' if the SPF check worked, 'fail' or 'softfail' on failure, or

    no SPF record found for domainxyz

    if there is no SPF.

    DKIM results will be passed in the 'dkim' parameter and will either be 'none', if there are no digital signatures, or a JSON string where the domain of the message is the key and the results are the value. For example,

    {@e2.sendgrid.biz : fail (bad RSA signature)}

    If the SPF and/or DKIM checks pass, you can be fairly certain the message originated from the domain in the from address. It could still be someone at that organization sending on their behalf, or someone who has compromised their systems, but you're 99% of the way there.

    It is theoretically possible that one would pass and the other wouldn't, but this would be a configuration error on the sender's side. If they forgot to put a new IP into their SPF record, made a bad DNS change, etc. If someone stole their private key and were signing messages as them, but not from the right IPs, you'd see DKIM passing but not SPF. Fairly unlikely to happen, so what you do in those cases would just depend on the level of security your app requires.

    We don't keep any statistics on how many emails come through and pass SPF, but I'd guess it's a large percentage. Any ISP I can think of publishes SPF records; it's pretty much a standard requirement for deliverability anymore. You can see if a specific domain publishes SPF by visiting this site: http://www.kitterman.com/spf/validate...

    I've included the dump output of a test message so you can get a better view of what the post looks like.

    Regards,
    Tim

    Array
    (
    [headers] => Received: by 127.0.0.1 with SMTP id VlLzUWK1Zj Wed, 20 Apr 2011 07:04:33 -0700 (PDT)
    Received: by dev4-md2 (SG, from userid 0) id 7B4AC52E331; Wed, 20 Apr 2011 07:04:33 -0700 (PDT)
    Received: from o1.email.getsatisfaction.com (o1.email.getsatisfaction.com [70.63.202.102]) by mx.google.com with SMTP id x32si1425738anx.184.2011.04.20.00.36.59; Wed, 20 Apr 2011 00:37:00 -0700 (PDT)
    Received: by 10.68.58.39 with SMTP id n7cs353479pbq; Wed, 20 Apr 2011 00:37:01 -0700 (PDT)
    Received: by 10.101.207.21 with SMTP id j21mr3780495anq.138.1303285021111; Wed, 20 Apr 2011 00:37:01 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=e2.sendgrid.biz; h=date:from:to:message-id:subject:mime-version:content-type :list-unsubscribe; s=smtpapi; bh=sHHwBe6bjGqfaP6efxq5Y9PTmzw=; b= IljFJJ0jaDUQT/9hjr9bWLn412bouyJBAxI4+c5sXmE9Tdn1dyzO9YZnWdXBkPxN 5o0AL2Jtpy4BhhgNL/YW807ZTA6qwGA5zXYMMxkCNbxF+/FxhxwMaQ5VXxoNRbak kzVr3qnPFBjcGi+sMBzwOVULZDcsFOuf2iiV+4++Wq4=
    From:
    To:
    Subject: Testing
    Message-Id:
    Date: Wed, 20 Apr 2011 07:04:33 -0700 (PDT)

    [attachments] => 0
    [dkim] => {@e2.sendgrid.biz : fail (bad RSA signature)}
    [subject] => Testing
    [to] =>
    [from] =>
    [text] => This is a test

    [envelope] => {\"to\":[\"tim@timparsed.sendgrid.net\"],\"from\":\"tim@sendgrid.net\"}
    [charsets] => {\"to\":\"UTF-8\",\"subject\":\"UTF-8\",\"from\":\"UTF-8\",\"text\":\"iso-8859-1\"}
    [SPF] => softfail
    )
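
One way a receiving application could act on the posted fields described in this thread, as an added example that is not part of the original posts and is not SendGrid code. The field names ('from', 'envelope', 'dkim', 'spf'/'SPF') come from the dump above; the function names, the sample POST and the strict exact-domain match are assumptions made for illustration.

```python
import json
import re
from email.utils import parseaddr

# Tolerates both '{@d.example : fail (reason)}' and '{"@d.example": "pass"}'.
_DKIM_ENTRY = re.compile(r"""@([A-Za-z0-9.-]+)["']?\s*:\s*["']?([a-z]+)""")


def _domain(address):
    """Lower-cased domain of 'user@host' or 'Name <user@host>', else ''."""
    addr = parseaddr(str(address))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def dkim_results(raw):
    """Parse the 'dkim' field into {signing_domain: result}; 'none' gives {}."""
    if not raw or raw.strip() == "none":
        return {}
    return {d.lower(): r for d, r in _DKIM_ENTRY.findall(raw)}


def sender_verdict(post):
    """Return 'authenticated', 'failed' or 'unverified' for the From domain."""
    from_domain = _domain(post.get("from", ""))
    if not from_domain:
        return "unverified"
    spf = (post.get("spf") or post.get("SPF") or "").strip().lower()
    try:
        envelope = json.loads(post.get("envelope") or "{}")
    except ValueError:
        envelope = {}
    if not isinstance(envelope, dict):
        envelope = {}
    dkim = dkim_results(post.get("dkim", "")).get(from_domain)
    # SPF vouches for the envelope sender only, so it counts toward the From
    # header only when the two domains are identical (strict match, assumed).
    spf_ok = spf == "pass" and _domain(envelope.get("from", "")) == from_domain
    # A DKIM pass counts only when the signing domain is the From domain.
    if spf_ok or dkim == "pass":
        return "authenticated"
    if spf in ("fail", "softfail") or dkim == "fail":
        return "failed"
    return "unverified"


# Constructed sample POST: SPF passes, but for a different envelope domain.
MISMATCHED = {"from": "Alice <alice@example.com>", "spf": "pass", "dkim": "none",
              "envelope": '{"to":["post@app.example"],"from":"x@other.example"}'}
```

For the constructed `MISMATCHED` sample the verdict is 'unverified': an SPF 'pass' for an unrelated envelope domain says nothing about the From header.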