3 points by tmcdos 4 hours ago | 2 comments
  • KomoD 3 hours ago
    > The SPF policy for upwork.com specifies that mail.clinchtalent.com and all IP addresses that are listed by spf.mandrillapp.com are allowed to send email on behalf of upwork.com

    No, it also lists Valimail as being able to make decisions on SPF. That's what the "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email" part is.

    https://support.valimail.com/en/articles/8466461-valimail-sp...

    • tmcdos 3 hours ago
      According to https://tools.sendmarc.com/spf-policy-test/upwork.com/198.24... v5142.v530814cf.use4.send.mailgun.net or c66.c5341538.usw1.send.mailgun.net are not allowed to send emails on behalf of upwork.com. You can also check through https://spf.access.nu/ or https://dmarcian.com/spf-survey/ that IPs belonging to MailGun are not allowed to send emails for upwork.com
      • KomoD 3 hours ago
        Those tools aren't using the macro, which means they are not following the RFC. Stop using crappy online tools and wasting people's time.

        You can read about it here: https://datatracker.ietf.org/doc/html/rfc7208#section-7

        dig +short TXT "159.112.254.142._ip.v5142.v530814cf.use4.send.mailgun.net._ehlo.upwork.com._spf.vali.email"

        "v=spf1 include:mailgun.org -all"

        --

        dig +short TXT mailgun.org

        "v=spf1 include:_spf.mailgun.org include:_spf.eu.mailgun.org -all"

        --

        dig +short TXT _spf.mailgun.org

        "v=spf1 include:_spf1.mailgun.org include:_spf2.mailgun.org ~all"

        --

        dig +short TXT _spf2.mailgun.org

        "v=spf1 ip4:104.130.122.0/23 ip4:146.20.112.0/26 ip4:161.38.192.0/20 ip4:143.55.224.0/21 ip4:143.55.232.0/22 ip4:159.112.240.0/20 ip4:198.244.48.0/20 ip4:204.220.168.0/21 ip4:204.220.176.0/20 ~all"

        And there's 159.112.240.0/20.

        --

        The SPF lookup limit is 10, which means that this way of doing it is totally valid.

        And here's where you can read about the lookup limit: https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4

        • tmcdos 2 hours ago
          Got it. Thanks and apologies.
  • tmcdos 3 hours ago
    After some investigation, it looks like only mailgun.org is declared in ValiMail but not mailgun.net, e.g. a DNS query for 198.244.56.66._ip.c66.c5341538.usw1.send.mailgun.net._ehlo.upwork.com._spf.vali.email returns "v=spf1 include:mailgun.org -all"
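
The lookup chain KomoD walks through above, as an added Python example that is not part of the thread: it expands the %{i}, %{h} and %{d} macros (a subset of RFC 7208 section 7) in the Valimail include term and follows the includes over a static copy of the TXT answers quoted in the comments. The names expand, evaluate and check are made up here, and names absent from that copy (such as _spf1.mailgun.org) are assumed not to match rather than queried.

```python
import ipaddress
import re

# Snapshot of the TXT answers quoted in the thread (static copy, not live DNS).
VALI = "._ehlo.upwork.com._spf.vali.email"
ZONE = {
    "159.112.254.142._ip.v5142.v530814cf.use4.send.mailgun.net" + VALI: "v=spf1 include:mailgun.org -all",
    "198.244.56.66._ip.c66.c5341538.usw1.send.mailgun.net" + VALI: "v=spf1 include:mailgun.org -all",
    "mailgun.org": "v=spf1 include:_spf.mailgun.org include:_spf.eu.mailgun.org -all",
    "_spf.mailgun.org": "v=spf1 include:_spf1.mailgun.org include:_spf2.mailgun.org ~all",
    "_spf2.mailgun.org": "v=spf1 ip4:104.130.122.0/23 ip4:146.20.112.0/26 "
        "ip4:161.38.192.0/20 ip4:143.55.224.0/21 ip4:143.55.232.0/22 "
        "ip4:159.112.240.0/20 ip4:198.244.48.0/20 ip4:204.220.168.0/21 "
        "ip4:204.220.176.0/20 ~all",
}
MACRO = re.compile(r"%\{([dih])(\d*)(r?)([-.+,/_=]*)\}")
TERM = "%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email"  # include target from the thread

def expand(template, ctx):
    """Expand the d/i/h macros of RFC 7208 section 7 (subset of the full grammar)."""
    def sub(m):
        letter, digits, rev, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", ctx[letter])
        parts = parts[::-1] if rev else parts
        return ".".join(parts[-int(digits):] if digits else parts)
    return MACRO.sub(sub, template)

def evaluate(name, ip, ctx, stats):
    """True if the record at `name` passes `ip`; counts include lookups."""
    stats["lookups"] += 1
    if stats["lookups"] > 10:
        raise RuntimeError("permerror: over the 10-lookup limit")
    ctx = dict(ctx, d=name)  # inside an include, %{d} is the included domain
    # Assumption: names missing from the snapshot are treated as no match.
    for term in ZONE.get(name, "v=spf1 -all").split()[1:]:
        if term.startswith("include:"):
            if evaluate(expand(term[8:], ctx), ip, ctx, stats):
                return True
        elif term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return True
        elif term.endswith("all"):
            return False
    return False

def check(sender_ip, helo, domain="upwork.com"):
    """Return (queried name, pass?, lookups used) for the Valimail include term."""
    ctx = {"i": sender_ip, "h": helo, "d": domain}
    name, stats = expand(TERM, ctx), {"lookups": 0}
    return name, evaluate(name, ipaddress.ip_address(sender_ip), ctx, stats), stats["lookups"]
```

The lookup count returned by check covers only this one include term, not the rest of the upwork.com record, which the thread does not quote in full.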