The "Whitelist Paradox" leaves you vulnerable

Problem reported by Douglas Foster - 6/3/2026 at 9:31 PM

Submitted

My first email filtering appliance was purchased on a consultants recommendation when I had no idea what I needed. It had some useful features like vendor reputation block list and blocking of executable attachments. It also had an option to block on SPF Failure. As I learned more, and understood that SPF could block malicious impersonation, I decided that it should be enabled. This exposed the first product defect:

The only way to know the impact of a new filtering rule is to turn it on and watch what happens. When the dust settles, hopefully the system admin will still have a job.

So I turned on SPF Failure blocking, and had a problem within 24 hours. An active vendor, call him Example.com, was getting blocked because he had switched his hosting service to AppRiver.com but had never updated his SPF policy. This exposed the second product defect:

SPF checks are treated as just another content filtering rule, and there are only two ways to fix a filtering error: turn off the filter or whitelist the sender

So I considered the implications of whitelisting. All that I needed was a local policy to treat AppRiver.com as part of the published SPF policy, so that messages from malicious sources would be blocked. But that was not an option. Instead, I had to:

Allow Example.Com to send messages with executable attachments.
Ignore malicious impersonation of Example.com, so that impersonators could also send messages with executable attachments.

Therefore, to defend myself against some malicious impersonation, I had to create a security hole to facilitate malicious impersonation of Example.com. That requirement was a bridge too far, so I turned off SPF checking and started to look for a vendor who could implement SPF overrides without creating a security hole in the process. I looked at a lot of products. Eventually, I realized that the problem went way beyond SPF filtering. Every whitelist was a security hole. Recently, a vendor gave me a name for the problem, the "Whitelist Paradox." They understand the problem so well that it has a nickname, but they cannot be bothered to spend your subscription money to fix it.

How easy is this to exploit?

An attacker can assume that your whitelisted domains are vulnerable to impersonation attacks, especially if they do not have DMARC p=reject.
An attacker can study your website to know your industry and your geography, then use that information to make some reasonable guesses about your most important correspondent organizations.
The attacker can impersonate a series of those likely correspondents until his payload gets delivered, and in his hopes, deployed.

Who is vulnerable to this attack? Everyone whose filtering structure is limited to single-attribute rules, which is probably everyone who reads this post.

I have been so upset about this that I tried to file a CVE. They dismissed my submission, so the problem remains unacknowledged.

A Solution

These principles came into focus:

To be safe, every whitelisting must be authenticated
Any message source may require whitelisting
Therefore I needed an architecture where any message can be authenticated by local policy.

But if every allowed message can be authenticated by algorithm or local policy, it is a short leap to realize that every accepted message should be authenticated by algorithm or local policy, whether whitelisted or not. The only obstacle is collecting data and configuring the local policy exceptions (which was generally easier than expected.)

My product search led me to Declude from MailsBestFriend.com.

By design, it could collect a test result without taking action on that result, so I could test new ideas without breaking the inbound mail flow.
It had a rules engine to begin implementing a complex local policy.
It was customizable, so I could implement my own proprietary filtering policy.

Amazingly, the features that I could not buy at any price were achievable using a free product and some development effort.

I toyed with several designs for constructing the exceptions in local policy, and settled on this one:

If the Mail-From address matches <string1> and the server name matches <strng2> and the server name is validated by forward-confirmed DNS, then the message is equivalent to SPF Pass. (On rare occasions, I match to IP address directly, rather than to verified host name.)

Note that authentication by SPF Policy says only one thing:

The message is authentic, and the Mail-From address is free of malicious impersonation.

But authentication by local policy says two things:

The message is authentic, and
Messages from this sender are normally acceptable, which is why the local policy rule was created.

Eventually, I extended the design to support From-address authentication on all messages. It was a simple extension of the SPF solution:

If the message's From address matches <string3> and the Mail-From address matches <string4>, and the Mail-From domain is authenticated by SPF-Pass or equivalent, then the message has the equivalent of DMARC Pass.

Within the last few weeks, I learned that the Reply-To reputation needs to be evaluated when it is different from both the Mail-From address and the message From address. This was also a logical extension of what came before.

If the Reply-To address is <match-string5> and the message From address is <match-string6>, and the message From address is authenticated by DMARC Pass or equivalent, then the Reply-To address is acceptable.

Final note: Blacklisted identifiers do not need to be verified at run-time, so blacklists still work with a single-attribute filtering rule.

2 Replies

Reply to Thread

Kyle Kerst Replied

6/4/2026 at 8:54 AM

Employee Post

Great write up! I wanted to comment on the initial SPF trigger for this with some feedback. When SPF validation blocks a sender because they failed to update their SPF record, I don't consider that a defect—I consider it SPF functioning as designed. One of the reasons whitelists often become an Achilles' heel is that they're frequently used to work around configuration problems that should be corrected at the source.

If a vendor changes their mail infrastructure and fails to update their SPF record, causing messages to be rejected, the appropriate long-term solution is to have the vendor correct their SPF configuration rather than creating permanent whitelist exceptions. Overriding SPF results can introduce bypasses, weaken authentication policy, and create overlapping configurations that become difficult to manage over time.

While a temporary exception may be justified in some business-critical situations, the responsibility for maintaining accurate SPF records ultimately belongs to the sending organization. In most cases, the better approach is to place the onus on the vendor to fix their SPF records rather than weakening your mail authentication controls. If bypasses have to be used I always recommend setting a follow up in 2 weeks to remove said bypass and recheck.

Kyle Kerst

Lead Internal Network/System Administrator

SmarterTools Inc.

smartertools.com

Douglas Foster Replied

6/5/2026 at 3:41 PM

Let's talk about what authentication can and cannot do.

SPF policies are crowd-sourced data. As such, we should expect some data to be missing (result None), malformed (result PermError), or wrong (result false Fail.) Ambiguity (SPF ?ALL and DMARC p=none) and run time problems (TempError) only make things worse.

SPF and DMARC were never intended or expected to be complete solutions for receivers, they were designed to protect domain owners ("brand image") from impersonation. SPF was a response to impersonation of WhiteHouse.gov, and DMARC was a response to impersonation of PayPal.com.

Additionally, SPF and DMARC policies are public information. The attackers know which domains have published policies with hard fail (SPF terminated in -ALL and DMARC with p=reject). It is reasonable to assume that they will attack using other domains than these. So if you only respond to hard fail, you facilitate their ability to attack you.

Receivers should protect themselves from all malicious impersonation. That is only possible if every message is authenticated. SPF and DMARC become inputs to my private knowledge base; they are not an alternative to it. Complete authentication requires additional authentication strategies.

This has important implications:

All results other than Pass are a potential threat, and should be investigated, because malicious impersonation risk has not been ruled out.
The sender's advice for failure disposition is irrelevant. No stranger tells me how to protect my network, and will certainly not inspire me to lower my defenses.
Some impersonation is benign, rather than malicious, and needs to be anticipated in any security design.
Blocking on failure is an incomplete response. If a message is truly malicious impersonation, I need to inspect the message to determine the true identity of the impersonator, so that his identity can be blocked. Malicious intent does not usually change, but tactics do, so any detected attack needs to become a blacklist entry on the attacker identifiers.

But for unknown reasons, there is conventional wisdom that authentication is unimportant and probably impossible. It is neither, and I am operating with some form of authentication on every message, for both the SMTP Mail From and message From addresses.

But returning to the original topic of SPF: SPF defines an acceptable relationship between a Mail From domain and a server. It should be obvious that private knowledge related to SPF will require at least two parts also: a Mail From identity and a server identity. Why did any product become successful by pretending that a two-identifier authentication rule can be correctly overridden with a one-identifier entry in local policy? There is no sane answer to that question.

Back to Community Threads

Please leave this box unchecked

Reply to Thread

Enter the verification text