BreakSPF: How to mitigate the attack

Executive Summary: BreakSPF is an emerging threat that takes advantage of misconfigured SPF records, especially those with overly broad IP ranges. Attackers can exploit these vulnerabilities to send fraudulent emails that appear legitimate.Utilizing solutions like Red Sift OnDMARC can help organizations detect and correct these misconfigurations, enhancing their overall email security posture.​

This article:

  • Introduces BreakSPF, an attack framework that exploits misconfigurations in the Sender Policy Framework (SPF), particularly overly permissive IP ranges.​
  • Explains how attackers leverage shared infrastructures like cloud providers and content delivery networks (CDNs) to bypass SPF checks and send spoofed emails.
  • ​Highlights the importance of using tools like Red Sift OnDMARC to identify and resolve over-permissive SPF configurations, thereby strengthening email security.​

Introduction

BreakSPF is a newly identified attack framework that exploits misconfigurations in the Sender Policy Framework (SPF) a widely used email authentication protocol. A common misconfiguration involves overly permissive IP ranges, where SPF records allow large blocks of IP addresses to send emails on behalf of a domain. These ranges often include shared infrastructures like cloud providers, proxies, or content delivery networks (CDNs). 

BreakSPF capitalizes on this by identifying and abusing such configurations, enabling attackers to bypass SPF checks, send spoofed emails that appear legitimate, and manipulate shared services to evade detection.

BreakSPF attack types

BreakSPF uses three primary forms of attack to exploit SPF vulnerabilities, targeting both HTTP and SMTP servers. These include:

  1. Fixed IP address attacks

In this method, attackers gain long-term control over specific IP addresses, using them as Mail Transfer Agents (MTAs) to send spoofed emails. By leveraging shared infrastructure like cloud servers and proxies, they bypass traditional defenses such as greylisting.

  1. Dynamic IP address attacks

Here, attackers dynamically assess vulnerable domains by monitoring changing outgoing IPs, exploiting them temporarily. This method relies on public infrastructure like serverless functions or CI/CD platforms, making traditional IP blacklisting ineffective. Unlike fixed IP attacks, it avoids reliance on specific IP addresses, increasing complexity and making them more challenging to mitigate.

  1. Cross-protocol attacks

In cross-protocol attacks, hackers embed SMTP data within HTTP packets and use HTTP proxies or CDN exit nodes to forward them to victims. By exploiting shared infrastructures like open HTTP proxies and CDN services, these attacks blend malicious activity with legitimate traffic, making them exceptionally stealthy and difficult to trace.

Misconceptions about SPF that weaken email security

A common misconception about SPF is that it authenticates the visible “From” address seen in email clients. In reality, it verifies the 5321.MailFrom address, also known as the return path or bounce address, only visible in the email headers.

This misunderstanding often leads organizations to incorrectly add every every-sending tool to their SPF records. Email expert Laura Atkins from Word to the Wise explains it well: “One of the errors comes because a lot of folks, even a lot of email experts, don’t always know or remember that there are two separate yet equally important From: addresses in an email.”

SPF should only include mechanisms for messages using your organizational domain in the return path. If a subdomain or a different domain is used in the return path, there’s no need to add it to your main domain’s SPF record since it won’t be checked. Including unnecessary mechanisms wastes valuable SPF lookup space.

Protect against BreakSPF with Red Sift OnDMARC

BreakSPF exploits overly permissive SPF ranges, allowing attackers to bypass DMARC and send malicious emails that appear authenticated. To counter this, it’s essential to review not just failing sources but also passing sources that seem unfamiliar or suspicious.

Red Sift OnDMARC’s Dynamic SPF feature safeguards your domain by continuously analyzing SPF records to identify and resolve over-permissive ranges. This proactive approach helps improve your security posture and reduce your attack surface, ensuring potential vulnerabilities exploited by BreakSPF are addressed before any damage occurs. OnDMARC also detects and fixes gaps in protocol misconfiguration, providing comprehensive protection.

OnDMARC users also benefit from optimized forensic reporting for continuous monitoring across domains and subdomains, including the detection of suspicious IP addresses. Additionally, the Dynamic SPF feature prevents issues with the 10 DNS lookup limit by consolidating all authorized services into a single dynamic include statement. This ensures SPF validation for all legitimate traffic, regardless of the number of sending services used.

Stay ahead of threats like BreakSPFstart your free trial with Red Sift OnDMARC today!

PUBLISHED BY

Red Sift

28 Nov. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
DMARC

Keep your Microsoft Online Email Routing Address secure with Red Sift OnDMARC

Faisal Misle

Every Microsoft 365 tenant includes a default domain in the format tenantname.onmicrosoft.com. This is known as the Microsoft Online Email Routing Address (MOERA). What many don’t realize is that attackers have started using these domains to impersonate organizations in phishing attacks. If left unmonitored, MOERA domains can become a blind spot in your email…

Read more
News

Red Sift OnDMARC ranked #1 in EMEA and Europe for DMARC in…

Francesca Rünger-Field

G2’s Spring 2025 Report is here, and we’ve got some exciting news to share! Red Sift OnDMARC has been named the #1-rated DMARC solution in both EMEA and Europe, and that’s just the start. We also took the #1 spot in the Mid-Market Results Index and Mid-Market Usability Index, and were featured in 18…

Read more
DMARC

The Mail Check deadline has passed: Is your organisation at risk? 

Jack Lilley

The National Cyber Security Centre (NCSC) proposed changes to Mail Check services came into effect on 24 March 2025, including the ending of DMARC aggregate reporting. Organisations who are yet to comply must now seek an alternative provider or risk exposure to harmful cybersecurity incidents. This change comes as a measure to expand the…

Read more
Awards

Red Sift named a Top 50 company in 2025 Emerging Stars Awards

Jack Lilley

We’re pleased to share that Red Sift has been named Best Performing Company – Security & Infrastructure in the 2025 Emerging Stars Awards. These awards, part of the Megabuyte100 series, recognise the UK’s 50 best-performing scale-up technology companies based on solid financial performance, from over 800 entries.  Being recognised in this category reflects the…

Read more