June 7, 2021

Is an SPF record with _spf.google.com secure?


I am currently using [forwardemail.net](https://forwardemail.net) to forward emails from my custom domain to my Gmail account. I have also set it up following their instructions to be able to send emails from my Gmail account using the custom domain.

One of the steps is to add the following DNS TXT record:

`v=spf1 a mx include:spf.forwardemail.net include:_spf.google.com -all`

Is it a potential concern in any way to have `_spf.google.com` included in the SPF record? Could anyone then easily send emails using their Gmail account with my email address without it being possible to detect in any way?

Comments

omers

> Is it a potential concern in any way to have _spf.google.com included in the SPF record? Could anyone then easily send emails using their Gmail account with my email address without it being possible to detect in any way?

It’s true that adding Google, Microsoft, or any other major provider to your SPF record gives large swaths of IPs permission to use your domain as a source address. However, most of them–Google included–do not allow senders to arbitrarily specify a from address. I cannot go into my Google account and send mail from your domain because it’s not attached to my account. In order to attach it to my account I would need access to your domain’s DNS to add a verification record. If I can do that, you have bigger problems.

In short, you’re giving Google carte blanche to send from your domain using any of their IPs, but that doesn’t mean anyone with a Google account can actually do so. Insofar as SPF is a “safety” mechanism, adding Google or any other provider is generally no less safe.
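To audit what a record like the one in the question authorizes, the sketch below (an added example, not part of the original post or any provider's tooling) expands the `include:` chain and reports which include makes a given sending IP pass SPF. The zone contents, `example.com`, `_netblocks.example.net` and all address ranges are constructed placeholders, and the evaluation is simplified to the union of pass mechanisms.

```python
import ipaddress

# Constructed zone data: TXT contents and ranges are placeholders (RFC 5737
# documentation ranges), not the providers' real published records.
TXT = {
    "example.com": "v=spf1 a mx include:spf.forwardemail.net include:_spf.google.com -all",
    "spf.forwardemail.net": "v=spf1 ip4:192.0.2.0/28 -all",
    "_spf.google.com": "v=spf1 include:_netblocks.example.net ~all",
    "_netblocks.example.net": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 ~all",
}
A = {"example.com": ["192.0.2.200"], "mx.example.com": ["192.0.2.201"]}
MX = {"example.com": ["mx.example.com"]}

def expand(domain, counter=None, via=None):
    """Return [(network, include_chain)] for every pass mechanism under domain."""
    counter = counter if counter is not None else {"lookups": 0}
    via = (via or []) + [domain]
    nets = []
    for term in TXT[domain].split()[1:]:
        # Simplification: non-pass qualifiers and modifiers (redirect=, exp=) are skipped.
        if term[0] in "-~?" or "=" in term:
            continue
        name, _, arg = term.lstrip("+").partition(":")
        if name == "all":
            raise ValueError(f"{domain}: +all authorizes every address")
        if name in ("ip4", "ip6"):
            nets.append((ipaddress.ip_network(arg, strict=False), via))
            continue
        counter["lookups"] += 1  # a, mx and include each cost one DNS lookup
        if counter["lookups"] > 10:
            raise ValueError("permerror: more than 10 DNS lookups (RFC 7208)")
        if name == "include":
            nets += expand(arg, counter, via)
        elif name == "a":
            nets += [(ipaddress.ip_network(ip), via) for ip in A.get(arg or domain, [])]
        elif name == "mx":
            for host in MX.get(arg or domain, []):
                nets += [(ipaddress.ip_network(ip), via) for ip in A.get(host, [])]
    return nets

def spf_pass(ip, domain):
    """Return the include chain that authorizes ip, or None if no mechanism matches."""
    addr = ipaddress.ip_address(ip)
    for net, via in expand(domain):
        if addr in net:
            return via
    return None

def authorized_count(domain):
    return sum(net.num_addresses for net, _ in expand(domain))
```

SPF only answers whether the connecting IP falls inside one of these networks; it says nothing about which account at the provider submitted the message, which is why the account-level domain verification described in the answer is the control that matters.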
