BreakSPF: How to mitigate the attack

Executive Summary: BreakSPF is an emerging threat that takes advantage of misconfigured SPF records, especially those with overly broad IP ranges. Attackers can exploit these vulnerabilities to send fraudulent emails that appear legitimate.Utilizing solutions like Red Sift OnDMARC can help organizations detect and correct these misconfigurations, enhancing their overall email security posture.​

This article:

  • Introduces BreakSPF, an attack framework that exploits misconfigurations in the Sender Policy Framework (SPF), particularly overly permissive IP ranges.​
  • Explains how attackers leverage shared infrastructures like cloud providers and content delivery networks (CDNs) to bypass SPF checks and send spoofed emails.
  • ​Highlights the importance of using tools like Red Sift OnDMARC to identify and resolve over-permissive SPF configurations, thereby strengthening email security.​

Introduction

BreakSPF is a newly identified attack framework that exploits misconfigurations in the Sender Policy Framework (SPF) a widely used email authentication protocol. A common misconfiguration involves overly permissive IP ranges, where SPF records allow large blocks of IP addresses to send emails on behalf of a domain. These ranges often include shared infrastructures like cloud providers, proxies, or content delivery networks (CDNs). 

BreakSPF capitalizes on this by identifying and abusing such configurations, enabling attackers to bypass SPF checks, send spoofed emails that appear legitimate, and manipulate shared services to evade detection.

BreakSPF attack types

BreakSPF uses three primary forms of attack to exploit SPF vulnerabilities, targeting both HTTP and SMTP servers. These include:

  1. Fixed IP address attacks

In this method, attackers gain long-term control over specific IP addresses, using them as Mail Transfer Agents (MTAs) to send spoofed emails. By leveraging shared infrastructure like cloud servers and proxies, they bypass traditional defenses such as greylisting.

  1. Dynamic IP address attacks

Here, attackers dynamically assess vulnerable domains by monitoring changing outgoing IPs, exploiting them temporarily. This method relies on public infrastructure like serverless functions or CI/CD platforms, making traditional IP blacklisting ineffective. Unlike fixed IP attacks, it avoids reliance on specific IP addresses, increasing complexity and making them more challenging to mitigate.

  1. Cross-protocol attacks

In cross-protocol attacks, hackers embed SMTP data within HTTP packets and use HTTP proxies or CDN exit nodes to forward them to victims. By exploiting shared infrastructures like open HTTP proxies and CDN services, these attacks blend malicious activity with legitimate traffic, making them exceptionally stealthy and difficult to trace.

Misconceptions about SPF that weaken email security

A common misconception about SPF is that it authenticates the visible “From” address seen in email clients. In reality, it verifies the 5321.MailFrom address, also known as the return path or bounce address, only visible in the email headers.

This misunderstanding often leads organizations to incorrectly add every every-sending tool to their SPF records. Email expert Laura Atkins from Word to the Wise explains it well: “One of the errors comes because a lot of folks, even a lot of email experts, don’t always know or remember that there are two separate yet equally important From: addresses in an email.”

SPF should only include mechanisms for messages using your organizational domain in the return path. If a subdomain or a different domain is used in the return path, there’s no need to add it to your main domain’s SPF record since it won’t be checked. Including unnecessary mechanisms wastes valuable SPF lookup space.

Protect against BreakSPF with Red Sift OnDMARC

BreakSPF exploits overly permissive SPF ranges, allowing attackers to bypass DMARC and send malicious emails that appear authenticated. To counter this, it’s essential to review not just failing sources but also passing sources that seem unfamiliar or suspicious.

Red Sift OnDMARC’s Dynamic SPF feature safeguards your domain by continuously analyzing SPF records to identify and resolve over-permissive ranges. This proactive approach helps improve your security posture and reduce your attack surface, ensuring potential vulnerabilities exploited by BreakSPF are addressed before any damage occurs. OnDMARC also detects and fixes gaps in protocol misconfiguration, providing comprehensive protection.

OnDMARC users also benefit from optimized forensic reporting for continuous monitoring across domains and subdomains, including the detection of suspicious IP addresses. Additionally, the Dynamic SPF feature prevents issues with the 10 DNS lookup limit by consolidating all authorized services into a single dynamic include statement. This ensures SPF validation for all legitimate traffic, regardless of the number of sending services used.

Stay ahead of threats like BreakSPFstart your free trial with Red Sift OnDMARC today!

PUBLISHED BY

Red Sift

28 Nov. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Certificates

TLS certificates are changing: What you need to know

Red Sift

Executive summary: TLS certificates are about to get significantly shorter-lived. Starting 15 March 2026, newly issued public-trust certificates will max out at 200 days—and just three years later, that lifespan drops to 47 days. Backed by Google, Apple, and Mozilla, this shift aims to make the web safer through fresher data, faster failover, and…

Read more
DKIM

The hidden threat: How misconfigured DKIM enables replay attacks

Red Sift

Email authentication isn’t just an IT concern. It protects your brand and customers. A single misstep can let attackers spoof your domain, send phishing emails, and destroy customer trust. One of the most dangerous methods? The DKIM replay attack. In this post, we’ll break down how undersigned DKIM keys and related misconfigurations open your…

Read more
BIMI

Why DMARC and BIMI are a business priority

Jack Lilley

Email threats aren’t slowing down, and neither should your authentication strategy. In our recent joint webinar with Marigold, “From DMARC to BIMI: Navigating the New Email Authorization Landscape,” we broke down what today’s evolving standards mean for both security and marketing teams—and how to take action now with our free Red Sift Investigate tool.…

Read more
ASM

Zoom stops zooming: Why active monitoring is essential

Billy McDiarmid

​On April 16, 2025, Zoom experienced a significant global outage that disrupted video conferencing services and access to its website for thousands of users, as well as their corporate email for all their employees. It was quickly identified as a domain name registration status problem. Despite being a critical name for Zoom, somehow, the…

Read more