
Why is it acceptable for my mail from to be different to my from header?

Tags: email, smtp, spf

There's something that's always bothered me about SPF: why doesn't it validate the From header?

As I understand it, an SMTP server will SPF validate the hostname provided during the MAIL FROM or ENVELOPE FROM SMTP commands (my examples are from telnet'ing to gmail-smtp-in.l.google.com):

MAIL FROM:<[email protected]>

Gmail then does its thing, making sure my SPF record for example.com permits my IP for sending from. But here's where it seems to fall down, couldn't I just register a domain, set up my TXT and SPF records correctly for my IP, then send? Full example:

$ telnet gmail-smtp-in.l.google.com 25
Trying 173.194.68.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP m6si2285029qao.20 - gsmtp
HELO ec2-23-22-210-XXX.compute-1.amazonaws.com
250 mx.google.com at your service
MAIL FROM:<[email protected]>
250 2.1.0 OK m6si2285029qao.20 - gsmtp
RCPT TO:<(a real gmail address)@gmail.com>
250 2.1.5 OK m6si2285029qao.20 - gsmtp
DATA
354  Go ahead m6si2285029qao.20 - gsmtp
From: "Litmus" <[email protected]>
To: <[email protected]>   
Subject: Welcome to Litmus!
Date: Thu, 27 June 2013 16:24:30 -0500

Welcome!
.
250 2.0.0 OK 1372363723 m6si2285029qao.20 - gsmtp
QUIT
221 2.0.0 closing connection m6si2285029qao.20 - gsmtp
Connection closed by foreign host.

Inspecting the headers from gmail reveals:

Received-SPF: pass (google.com: best guess record for domain of [email protected] designates 23.22.210.XXX as permitted sender) client-ip=23.22.210.XXX;

Looking at the message in Sparrow:

[Image: Email showing from address]

I thought the point of SPF was to help protect my domain (as a sender) from being spoofed? But if the sender has SPF correctly configured (not exactly difficult or expensive to do - I just did it with a free micro ec2 instance above) then it doesn't seem to apply?

I did notice that Gmail put my message in spam in 4 out of 5 tests I performed, but I assume that's because of the reputation of EC2 IPs? Or is there something I'm missing about SPF that Gmail is picking up on?

What am I missing?

asked Nov 13 '22 02:11

Matt Brindley


1 Answer

This might sound circular. It is because the From header cannot be verified in the way you have described.

SPF is not designed to verify header lines in this way.

You have to accept the From: line for what it is, something subject to the whims of the composer of the email.

Remember, even if the email address itself was trusted, many clients display just the stuff in quotes. They would just as easily show what the composer wanted in these two cases:

From: "night" <[email protected]>
From: "day" <[email protected]>

Do I think this is too liberal? Yeah. Is there anything that SPF can do about it? No.

DKIM is probably what you are looking for; it is focused on header validation.

answered Dec 09 '22 11:12

benc
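An added example (not part of the original question or answer): a receiver-side check that compares the domain SPF actually evaluated (the envelope sender, recorded in Return-Path) with the domain shown in the From: header. The message, domains and function names are constructed for illustration, and exact-match comparison of the two domains is an assumption of this sketch.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: what a receiver might store after a session like the
# one in the question. All domains are placeholders, not values from the page.
SAMPLE = """\
Return-Path: <bounce@sender.example>
Received-SPF: pass (mx.receiver.example: domain of bounce@sender.example designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
From: "Litmus" <hello@brand.example>
To: <user@receiver.example>
Subject: Welcome to Litmus!

Welcome!
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def check_alignment(raw):
    """Report whether an SPF result says anything about the From: header."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    # First token of Received-SPF is the result (pass, fail, softfail, ...).
    spf = (msg.get("Received-SPF", "").split() or ["none"])[0].lower()
    from_dom, env_dom = domain_of(from_addr), domain_of(envelope)
    aligned = bool(from_dom) and from_dom == env_dom
    return {
        "spf_result": spf,
        "envelope_domain": env_dom,   # what SPF checked
        "from_domain": from_dom,      # what the mail client shows
        "display_name": display,      # free text chosen by the composer
        "aligned": aligned,
        # An SPF pass only vouches for From: when both domains match.
        "from_authenticated_by_spf": spf == "pass" and aligned,
    }


if __name__ == "__main__":
    for key, value in check_alignment(SAMPLE).items():
        print(f"{key}: {value}")
```

For the sample, SPF reports `pass` for `sender.example` while the visible From: domain is `brand.example`, so the check returns `from_authenticated_by_spf: False`.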