Reply to post: Government mail/DNS administration incompetence.

Maybe double-check that HMRC email? UK taxman remains a fave among the phisherfolk

sitta_europea Silver badge

Government mail/DNS administration incompetence.

There's a simple way to detect forged mail. You publish an SPF TXT record in your DNS. Then when ANYONE sends mail which claims to be from you to ANYONE, the RECIPIENT's mail server can check the DNS to see if the sending server is authorized by the (claimed, possibly forged) sender to send that mail. If not, the recipient's server sends the message straight to /dev/null without cluttering up anybody's inbox.

Easy.

Well, easy if you're half-way competent. The UK government appears (like, it has to be said, most other governments) not to be competent.

Yes, the government does publish SPF records, in a sort of piecemeal, whack-a-mole way, for myriad .gov.uk domains.

But half the time it gets it wrong.

I've offered to explain it, to test them all, and, where they're broken, to fix them, for nothing.

I might as well talk to my three-legged dog.

The DVLA, for example, has had a broken SPF record for YEARS. First it was dvla.gsi.gov.uk. Then it was dvla.gov.uk.

Here's the Big Clue for the people running gov.uk mail and DNS: Read RFC7208. ALL of it.

Management summary:

(Points are numbered in the same way that points are numbered on the "hackerone" Web forms, where I've already reported all this.)

1. Yes, your SPF record needs to be able to PASS a genuine mail.

1. But it doesn't end there. You see, you can PASS a genuine mail if you only process the first couple of terms in the SPF record. You're not really supposed to do it like that, but that's what people do.

1. The thing is, you also need to be able to FAIL a forged mail. And to do that, you need to process the WHOLE RECORD.

1. For the dvla.gov.uk SPF record you can't do that, because it's broken. You run out of permitted DNS operations before you get to the end of it.

Same problem with the landregistry.gov.uk record for that matter, only worse, because you run out of DNS operations further from the end of the record.

On the plus side, though, I've only been banging on about this for about three years, and it would only take me about three minutes to fix it.

Did I mention Capita? No, well, don't get me started.

I really do have a three-legged dog.
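The failure mode the post describes (a record that lets a genuine sender PASS on an early term but cannot be walked to its final "-all" within RFC 7208's budget of ten DNS-lookup-causing terms) can be reproduced offline. The script below is an added example, not the commenter's code and not a real gov.uk record: every domain name, TXT, A and MX entry in it is constructed for illustration. It implements enough of check_host() to show the difference between a FAIL and a PERMERROR, and a second helper that counts the lookups a record tree needs end to end, which is the check an administrator would run before publishing.

```python
"""Offline SPF (RFC 7208) evaluator that models the ten-lookup limit of
section 4.6.4.  All DNS data here is CONSTRUCTED for illustration; the
domain names are hypothetical and are not any real .gov.uk record."""
import ipaddress

MAX_LOOKUPS = 10            # s.4.6.4: include, a, mx, ptr, exists and redirect= count
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data (hypothetical names, documentation IP ranges).
TXT = {
    "good.example":   "v=spf1 mx include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # Twelve includes: a genuine sender matches the leading ip4 term, but a
    # checker that walks the whole record exhausts its budget before "-all",
    # so a forgery ends in permerror instead of fail.
    "broken.example": "v=spf1 ip4:192.0.2.0/24 "
                      + " ".join(f"include:svc{i}.example" for i in range(12))
                      + " -all",
    **{f"svc{i}.example": "v=spf1 ip4:203.0.113.0/24 -all" for i in range(12)},
}
A = {"mx1.good.example": ["192.0.2.10"]}
MX = {"good.example": ["mx1.good.example"]}


def _spend_lookup(counter):
    """Charge one DNS lookup against the shared budget; True while within it."""
    counter[0] += 1
    return counter[0] <= MAX_LOOKUPS


def check_host(ip, domain, counter=None):
    """Return the SPF result for <ip> sending as <domain>.
    `counter` is shared across include/redirect recursion, as the RFC requires."""
    counter = counter if counter is not None else [0]
    record = TXT.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        if "=" in term:                 # other modifiers (exp=) do not affect the result
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")   # "ip6:2001:db8::/32" splits once only
        target = arg or domain
        if mech in LOOKUP_MECHS and not _spend_lookup(counter):
            return "permerror"          # too many DNS lookups (s.4.6.4)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):    # version mismatch simply does not match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":               # dual-CIDR suffixes not modelled
            matched = str(ip) in A.get(target, [])
        elif mech == "mx":
            matched = any(str(ip) in A.get(h, []) for h in MX.get(target, []))
        elif mech == "exists":
            matched = arg in A
        elif mech == "ptr":
            matched = False             # reverse lookups not modelled here
        elif mech == "include":
            inner = check_host(ip, arg, counter)
            if inner in ("permerror", "temperror", "none"):
                return "permerror" if inner == "none" else inner
            matched = inner == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIER_RESULT[qualifier]
    if redirect is not None:
        if not _spend_lookup(counter):
            return "permerror"
        return check_host(ip, redirect, counter)
    return "neutral"


def lookup_terms(domain, depth=0):
    """Count the lookup-causing terms a checker must afford to reach the end
    of the record tree, independent of any sender IP.  Over MAX_LOOKUPS means
    forgeries can never reach the closing 'all'."""
    if depth > 20 or domain not in TXT:  # depth guard against include loops
        return 0
    total = 0
    for term in TXT[domain].split()[1:]:
        term = term.lstrip("+-~?")
        if term.startswith("redirect="):
            total += 1 + lookup_terms(term[len("redirect="):], depth + 1)
            continue
        mech, _, arg = term.partition(":")
        if mech in LOOKUP_MECHS:
            total += 1
            if mech == "include":
                total += lookup_terms(arg, depth + 1)
    return total


if __name__ == "__main__":
    for dom in ("good.example", "broken.example"):
        print(dom, "lookups needed:", lookup_terms(dom))
        print("  genuine 192.0.2.10 ->", check_host("192.0.2.10", dom))
        print("  forged 198.51.100.7 ->", check_host("198.51.100.7", dom))
```

Run as-is it shows the asymmetry the post is about: against "broken.example" the genuine sender gets "pass" after zero lookups, while the forged sender gets "permerror" rather than "fail" because the eleventh include is never reached. Receivers treat permerror very differently from fail (many simply ignore SPF for that message), so the record protects nobody. Swap the constructed TXT dictionary for live `dig TXT` output and lookup_terms() becomes the pre-publication test the commenter is offering to run.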
