Serious bug, SPAM getting through

Posted: 14 Nov 2019 08:59
by BOOZy
I'm seeing spam that seems to originate from our domain getting through without a problem.
SPF for our domain is set as strict as possible with -all to hardfail on no match.
At closer inspection of the headers and how EFA checks SPF the issue seems clear:
EFA is not checking the domain in the 'From' entry, it's checking the domain in the 'Return-Path' entry.
That's not how it's supposed to work!

The 'Return-Path' entry is easily spoofed. Right now there's a spam run going on using 'return@edition.cnn.com' which is a legitimate domain but doesn't have any SPF records.

Re: Serious bug, SPAM getting through

Posted: 16 Nov 2019 10:19
by shawniverson
Can you give me some hard details, such as sanitized logs/headers/reports showing this happening?

SPF should be looking at the Envelope-From.

Re: Serious bug, SPAM getting through

Posted: 16 Nov 2019 16:27
by shawniverson
SPF by itself only looks at the envelope-from (MAIL FROM). It does not check the header From or check alignment. This envelope-from is reflected in the Return-Path.

https://tools.ietf.org/html/rfc7208
https://en.wikipedia.org/wiki/Sender_Policy_Framework

"SPF alone, though, is limited only to detect a forged sender claimed in the envelope of the email which is used when the mail gets bounced.[1] Only in combination with DMARC can it be used to detect the forging of the visible sender in emails (email spoofing[2]), a technique often used in phishing and email spam."

https://tools.ietf.org/html/rfc7489
https://en.wikipedia.org/wiki/DMARC

"SPF checks that the IP address of the sending server is authorized by the owner of the domain that appears in the SMTP MAIL FROM command. (The email address in MAIL FROM is also called envelope-from or 5321.MailFrom.) In addition to requiring that the SPF check pass, DMARC additionally checks that 5321.MailFrom aligns with 5322.From."

In order to enable SPF From alignment, you need a DMARC record.
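To make the distinction in the replies above concrete, here is an added example (not eFa's code) that runs an SPF-only verdict and a DMARC-style SPF alignment check over two constructed messages: one shaped like the spam described in the thread (header From claims our domain, Return-Path points at an unrelated domain with no SPF record) and one legitimate message. The SPF result is passed in as a parameter because it is the outcome of checking the connecting IP against the envelope-from domain's record, which this offline example does not perform; the organizational-domain helper is a rough stand-in for the Public Suffix List lookup real DMARC uses.

```python
import email
from email.utils import parseaddr

# Constructed sample modelled on the thread: visible From is our domain,
# envelope sender (Return-Path) is an unrelated domain with no SPF record.
SPOOFED = """Return-Path: <return@edition.cnn.com>
From: "Payroll" <payroll@example.org>
To: staff@example.org
Subject: constructed spoofed sample

body
"""

# Constructed legitimate sample: bounces go to a subdomain of the From domain.
LEGIT = """Return-Path: <bounces@mail.example.org>
From: "Payroll" <payroll@example.org>
To: staff@example.org
Subject: constructed legitimate sample

body
"""

def domain_of(addr: str) -> str:
    """Domain part of an address header value such as '"Name" <user@host>'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def org_domain(domain: str) -> str:
    """Hypothetical organizational-domain approximation: last two labels.
    Real DMARC consults the Public Suffix List instead."""
    return ".".join(domain.rstrip(".").split(".")[-2:])

def spf_only_checks(raw: str) -> str:
    """SPF alone only ever evaluates the envelope-from (Return-Path) domain.
    The header From plays no part, which is the gap described in the thread."""
    msg = email.message_from_string(raw)
    return domain_of(msg["Return-Path"])

def dmarc_spf_aligned(raw: str, spf_result: str, strict: bool = False) -> bool:
    """DMARC's SPF leg: SPF must pass for 5321.MailFrom AND 5321.MailFrom must
    align with 5322.From (exact match if strict, same org domain if relaxed)."""
    msg = email.message_from_string(raw)
    mail_from = domain_of(msg["Return-Path"])
    hdr_from = domain_of(msg["From"])
    if spf_result != "pass":
        return False
    if strict:
        return mail_from == hdr_from
    return org_domain(mail_from) == org_domain(hdr_from)
```

For the spoofed sample, SPF is evaluated for edition.cnn.com (result "none", so nothing fails), while the DMARC alignment check rejects it regardless of the SPF result because the two domains do not align.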