How did the UPS SPF scam work and what vulnerabilities did it exploit?
Matthew Whittaker
Co-founder & CTO, Suped
Published 14 Jun 2025
Updated 16 Aug 2025
10 min read
The UPS SPF scam was a notable incident that highlighted critical vulnerabilities in email authentication protocols, particularly the Sender Policy Framework (SPF). This scam allowed malicious actors to send highly convincing phishing emails that appeared to originate from legitimate UPS email addresses, even displaying a legitimate brand logo in some email clients. This level of authenticity made these phishing attempts incredibly deceptive and dangerous for recipients.
The core issue revolved around a combination of factors: how SPF records were configured, the way DMARC policies interpreted these configurations, and the handling of email authentication by major email service providers. Understanding this scam is crucial for any organization or individual looking to bolster their email security against sophisticated phishing tactics. It demonstrates that even with common authentication mechanisms in place, misconfigurations can create significant security gaps.
While UPS actively fights fraud and scams, this incident showcased how attackers can exploit subtle technical nuances to bypass traditional security layers, making emails appear trustworthy despite their malicious intent. The scam effectively leveraged the trust users place in established brands and the visual cues of authenticity provided by email clients.
The UPS SPF scam, also known as the "BreakSPF" attack, primarily exploited a specific interaction between a misconfigured SPF record, a relaxed DMARC policy, and the way some email platforms processed these authentication checks. The goal was to make a phishing email, often requesting payment or personal information, appear as if it came directly from a legitimate UPS source.
The mechanism of the attack
Attackers crafted emails where the envelope sender (also known as the Mail From or Return-Path) was set to a legitimate ups.com address, such as something@ups.com. Crucially, these emails were sent through an IP address belonging to Microsoft 365 (formerly Office 365). Since UPS's SPF record included Microsoft's sending infrastructure, the SPF check for the Return-Path domain would pass. This is a key part of how phishing emails can pass authentication checks.
However, the visible From header (RFC5322.From) of the email would be a spoofed subdomain, such as delivery-update.ups.com. Because the DMARC record used relaxed SPF alignment (the aspf=r tag, which is also DMARC's default), SPF passing for the organizational domain (ups.com) via the Return-Path was enough for the DMARC check to pass, even though the From header domain did not exactly match the Return-Path domain. This technicality created a loophole that allowed the spoofed emails to authenticate successfully.
Compounding this issue, many brands like UPS implement Brand Indicators for Message Identification (BIMI) to display their logo next to authenticated emails. Since the emails passed DMARC due to the SPF relaxed alignment, the legitimate UPS logo appeared in Gmail and other supporting email clients. This visual cue of authenticity, intended to build trust, was paradoxically exploited by scammers, making their fraudulent emails incredibly convincing. The presence of the blue checkmark or brand logo in the recipient's inbox significantly lowered their guard against what was, in reality, a phishing attempt. You can learn more about how SPF, DKIM, and DMARC work.
Vulnerabilities exploited
The UPS SPF scam exploited several layers of vulnerabilities, centered on misconfigurations and on how the email authentication protocols interact with one another. It wasn't a single flaw, but rather an alignment of several elements that together allowed the spoofing to succeed.
Broad SPF records
One of the primary vulnerabilities was UPS's overly broad SPF record. Many organizations, especially large ones, include various third-party email service providers (ESPs) in their SPF records to authorize them to send emails on their behalf. In UPS's case, their SPF record included spf.protection.outlook.com. This specific entry essentially authorizes any IP address associated with Microsoft 365 to send mail for ups.com. Attackers leveraged this by sending emails through Microsoft 365, which then passed the SPF check because Microsoft's IPs were authorized. This highlights a common vulnerability, where organizations grant broad sending permissions to large providers, making it easier for malicious actors to hide within legitimate infrastructure.
Microsoft 365's domain verification process
A significant point of contention was Microsoft 365's domain verification process. Critics argued that Microsoft allowed users to configure Return-Path domains (envelope sender domains) that the customer did not legitimately own or control. This lack of strict enforcement meant that even if the From header was spoofed to a subdomain, the SPF check would pass against the main domain due to Microsoft's inclusion in UPS's SPF record. This effectively turned Microsoft 365 into an unwitting relay for the scammers, allowing them to send emails that passed SPF authentication for ups.com. This particular issue touches on broader security vulnerabilities within email systems.
DMARC relaxed alignment
The third critical vulnerability was the use of relaxed DMARC alignment for SPF. DMARC requires either SPF or DKIM to produce an authenticated identifier that aligns with the From header domain. With relaxed SPF alignment (the aspf=r tag), DMARC passes if the organizational domain of the Return-Path matches the organizational domain of the From header. In this scam, the Return-Path was something@ups.com (organizational domain ups.com), and the From was on delivery-update.ups.com (also organizational domain ups.com). DMARC therefore passed, triggering the display of the BIMI logo and making the email seem fully legitimate. This weakness in relaxed alignment meant that even with authentication in place, the emails could be spoofed convincingly.
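To make the Return-Path / From split described in the mechanism section and in this section concrete, here is a receiver-side DMARC alignment check. It is an added example, not code from the article or from UPS, Microsoft, or any mail receiver. The DMARC records are constructed (the article does not quote UPS's actual record), the message is modelled on the scam as the article describes it, and the organizational-domain helper is a deliberate simplification of the Public Suffix List lookup a real receiver performs.

```python
"""
Receiver-side DMARC alignment check for the Return-Path / From split above.
Added example, not code from the article or from UPS/Microsoft/any receiver.
"""
from dataclasses import dataclass
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels. Real receivers consult the Public
    Suffix List so names under multi-label suffixes (e.g. .co.uk) work."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags; unset alignment tags default to relaxed."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("aspf", "r")   # relaxed SPF alignment is the default
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment is the default
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed compares organizational domains only."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                   # RFC5322.From domain shown to the user
    spf_result: str                    # "pass", "fail", "none", ...
    spf_domain: str                    # RFC5321.MailFrom (Return-Path) domain SPF was checked for
    dkim_result: str = "none"
    dkim_domain: Optional[str] = None  # d= of the verified signature, if any


def evaluate_dmarc(msg: AuthResults, record: str) -> dict:
    """DMARC passes when at least one passing identifier aligns with the From domain."""
    tags = parse_dmarc(record)
    spf_aligned = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain, tags["aspf"])
    dkim_aligned = (msg.dkim_result == "pass" and msg.dkim_domain is not None
                    and aligned(msg.dkim_domain, msg.from_domain, tags["adkim"]))
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else tags["p"],
    }


# Constructed message modelled on the scam: envelope sender on the organizational
# domain, relayed through an IP the SPF record authorizes, visible From on a
# subdomain, no DKIM signature at all.
SPOOFED = AuthResults(from_domain="delivery-update.ups.com",
                      spf_result="pass", spf_domain="ups.com")

# Constructed records; the article does not quote UPS's real DMARC record.
RELAXED_RECORD = "v=DMARC1; p=quarantine; aspf=r; adkim=r"
STRICT_RECORD = "v=DMARC1; p=reject; aspf=s; adkim=s"

if __name__ == "__main__":
    print("relaxed:", evaluate_dmarc(SPOOFED, RELAXED_RECORD))
    print("strict: ", evaluate_dmarc(SPOOFED, STRICT_RECORD))
```

Under the relaxed record the spoofed message passes DMARC on SPF alone; under strict alignment the same message fails and inherits the p=reject disposition, while a genuinely signed message whose DKIM d= matches the From subdomain still passes.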
These issues collectively demonstrate that while SPF, DKIM, and DMARC are powerful tools, their effectiveness hinges on proper, strict configuration. A single weak link, such as an overly permissive SPF record or a relaxed DMARC policy, can undermine the entire authentication chain and open doors for sophisticated phishing attacks, as seen with the UPS scam. You can also explore why emails fail at Microsoft and how it relates to SPF.
Impact and lessons learned
The UPS SPF scam served as a stark reminder that even robust email authentication systems can be compromised if there are misconfigurations or if the systems interact in unexpected ways. This incident underscores the ongoing need for vigilance in email security and deliverability practices.
Increased focus on DKIM alignment
One of the key lessons from the UPS incident is the increasing importance of DKIM alignment over SPF for DMARC validation. While SPF checks the envelope sender, DKIM authenticates the content of the email itself via a digital signature. If the DKIM domain aligns strictly with the From header domain, it provides a stronger layer of security that is less susceptible to the type of SPF misconfiguration seen with UPS. Many in the industry are now advocating for stricter DMARC policies that require DKIM alignment for email to pass authentication, recognizing that SPF alone can be insufficient.
The incident also highlighted the critical role of DMARC. Moving from a p=none (monitoring) policy to p=quarantine or p=reject, particularly with a strict alignment requirement for DKIM, can significantly reduce the risk of such spoofing attacks. This ensures that even if SPF is inadvertently broad, unauthenticated emails (or those that pass SPF but fail DKIM alignment) are handled according to the sender's policy. Learning how to safely transition your DMARC policy is a crucial step.
The UPS scam underscores the need for continuous auditing of SPF records. Organizations should regularly review their SPF records to ensure they only include legitimate sending sources and do not inadvertently authorize broad ranges of IPs that could be exploited. This proactive approach helps in maintaining a secure email environment and protecting brand reputation from malicious actors who exploit even minor misconfigurations to launch phishing campaigns. It's a key part of understanding why email scams continue to work.
Strengthening your email defenses
Strengthening your email authentication is not just a technical task; it is a critical component of your overall cybersecurity strategy. The UPS SPF scam serves as a powerful reminder that attackers are constantly looking for weaknesses, and proactive measures are essential to safeguard your domain and protect your recipients.
Implement DMARC with strict policies
The most effective way to prevent similar spoofing attacks is to implement DMARC with a policy of p=quarantine or p=reject. This instructs recipient mail servers on how to handle emails that fail DMARC authentication for your domain. While p=none is useful for initial monitoring, moving to stricter policies ensures that unauthenticated emails are either moved to spam or rejected entirely. This limits the damage that can be done by malicious spoofing attempts.
Alongside DMARC, ensure your DKIM records are properly configured and aligned with your sending domains. DKIM provides a cryptographic signature that verifies the sender and ensures the email content hasn't been tampered with. It acts as a stronger identifier than SPF in many scenarios, especially when relaxed alignment for SPF might be necessary for legitimate sending paths. Having both SPF and DKIM properly set up provides a robust defense.
Review and refine SPF records
Regularly audit your SPF records to ensure they only include necessary sending sources. Avoid overly broad includes that might inadvertently authorize malicious sending. If you use third-party email services, verify their domain verification processes are strict. Additionally, consider if SPF flattening is beneficial for managing your record within the DNS lookup limit. Maintaining a lean and accurate SPF record reduces the attack surface for spoofing.
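The kind of audit this section and the "Broad SPF records" section call for can be automated. The script below is an added example, not code from the article or from any vendor: it walks an SPF record's include and redirect chain against an in-memory DNS map, counts DNS-querying mechanisms against the limit of 10, and flags broad CIDR ranges, permissive all qualifiers, and includes of shared multi-tenant sending pools. Only the include of spf.protection.outlook.com mirrors the article; every other domain, address and TXT value here is a constructed placeholder (in particular, the record shown for spf.protection.outlook.com is not Microsoft's real one).

```python
"""
Offline SPF record audit against a constructed DNS map.
Added example, not code from the article; all TXT data below is constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per evaluation
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

# Includes that authorize a shared, multi-tenant IP pool. The article's point:
# any tenant of such a platform can then pass SPF for your envelope domain.
SHARED_PROVIDER_INCLUDES = {
    "spf.protection.outlook.com": "Microsoft 365 shared sending pool",
}

# Constructed TXT data standing in for live DNS (not real records).
TXT: Dict[str, str] = {
    "brand.example": "v=spf1 include:spf.protection.outlook.com include:_spf.esp.example ip4:203.0.0.0/16 ~all",
    "sloppy.example": "v=spf1 include:spf.protection.outlook.com +all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all",
    "_spf.esp.example": "v=spf1 include:_spf1.esp.example include:_spf2.esp.example ~all",
    "_spf1.esp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf2.esp.example": "v=spf1 a mx ~all",
}

Finding = Tuple[str, str]  # (severity, message)


def parse_spf(record: str) -> List[dict]:
    """Split an SPF record into terms: {'kind': 'mech'|'mod', 'qual', 'name', 'value'}."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    out = []
    for term in terms[1:]:
        if "=" in term and ":" not in term.split("=", 1)[0]:  # modifiers: redirect=, exp=
            name, value = term.split("=", 1)
            out.append({"kind": "mod", "qual": "", "name": name.lower(), "value": value})
            continue
        qual = "+"  # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.split("/")[0].lower()  # 'a/24' -> 'a'
        out.append({"kind": "mech", "qual": qual, "name": name, "value": value})
    return out


def audit_spf(domain: str, txt: Dict[str, str], _path: Tuple[str, ...] = ()) -> dict:
    """Walk includes/redirects, count lookups, and collect risky terms."""
    top_level = not _path
    if domain in _path:
        return {"lookups": 0, "findings": [("critical", f"{domain}: include loop")]}
    record = txt.get(domain)
    if record is None:
        return {"lookups": 0, "findings": [("critical", f"{domain}: no SPF record (include gives permerror)")]}
    path = _path + (domain,)
    findings: List[Finding] = []
    lookups = 0
    for t in parse_spf(record):
        name, value = t["name"], t["value"]
        if t["kind"] == "mod":
            if name == "redirect":
                sub = audit_spf(value, txt, path)
                lookups += 1 + sub["lookups"]
                findings += sub["findings"]
            continue
        if name in LOOKUP_MECHS:
            lookups += 1
        if name == "include":
            if value.lower() in SHARED_PROVIDER_INCLUDES:
                findings.append(("warn", f"{domain}: include:{value} authorizes the "
                                 f"{SHARED_PROVIDER_INCLUDES[value.lower()]}; pair it with strict DKIM alignment"))
            sub = audit_spf(value, txt, path)
            lookups += sub["lookups"]
            findings += sub["findings"]
        elif name == "ptr":
            findings.append(("warn", f"{domain}: ptr is deprecated and slow to evaluate"))
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            floor = 24 if net.version == 4 else 48
            if net.prefixlen < floor:
                findings.append(("warn", f"{domain}: {name}:{value} authorizes {net.num_addresses} addresses"))
        elif name == "all" and t["qual"] in "+?":
            findings.append(("critical", f"{domain}: '{t['qual']}all' lets any host pass or soft-pass SPF"))
    if top_level and lookups > MAX_LOOKUPS:
        findings.append(("critical", f"{domain}: {lookups} DNS lookups exceed the limit of {MAX_LOOKUPS} (permerror)"))
    return {"lookups": lookups, "findings": findings}


if __name__ == "__main__":
    for d in ("brand.example", "sloppy.example"):
        print(d, audit_spf(d, TXT))
```

Run against the constructed map, brand.example costs 6 of the 10 lookups and draws two warnings (the shared-pool include and a /16 range), while sloppy.example's +all is reported as critical. To audit a real domain, replace the TXT dictionary with a resolver call and keep the rest unchanged.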
Views from the trenches
Best practices
Always aim for DMARC policies of `p=quarantine` or `p=reject` to ensure unauthenticated emails are appropriately handled by recipient servers.
Prioritize strict DKIM alignment (adkim=s) in your DMARC policy as it offers a more robust authentication mechanism than SPF.
Regularly audit your SPF records to remove any unnecessary or overly broad `include` mechanisms, thereby reducing potential attack vectors.
Educate your employees and customers on how to identify phishing attempts, even those with seemingly legitimate brand indicators.
Common pitfalls
Relying solely on SPF for DMARC pass with relaxed alignment, which can be exploited if the SPF record is too broad.
Failing to enforce strict domain ownership verification for `Return-Path` domains on third-party sending platforms.
Keeping DMARC at `p=none` indefinitely, leaving your domain vulnerable to spoofing without enforcement actions.
Ignoring DMARC reports, which provide crucial insights into legitimate and illegitimate email traffic from your domain.
Expert tips
Consider implementing DMARC on all your active domains, including those not actively used for sending email, to protect against brand impersonation.
Monitor your DMARC reports daily to quickly identify any unauthorized sending or potential spoofing attempts.
When selecting an ESP, inquire about their strictness in validating domain ownership for all email headers, including the Return-Path.
Stay informed about the latest email authentication best practices and evolving threat landscapes to adapt your defenses accordingly.
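The pitfall of ignoring DMARC reports and the tip to monitor them daily both come down to reading aggregate (rua) XML for the pattern this article describes: messages that passed DMARC on SPF alone, with a From subdomain that differs from the envelope domain and no aligned DKIM signature. The triage script below is an added example, not code from the article or from any DMARC reporting vendor. The embedded report is constructed (receiver name, report id, IPs, counts and domains are all placeholders); reports received from the wild should be parsed with defusedxml rather than the stdlib parser used here.

```python
"""
Triage of a DMARC aggregate (rua) report for SPF-only passes and spoofing.
Added example, not from the article; the XML below is constructed, not real data.
"""
import xml.etree.ElementTree as ET
from typing import List

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>brand.example</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>brand.example</domain><result>pass</result></dkim>
      <spf><domain>brand.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.200</source_ip><count>3500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>delivery-update.brand.example</header_from></identifiers>
    <auth_results><spf><domain>brand.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>40</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><spf><domain>other.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(el, path: str, default: str = "") -> str:
    found = el.find(path)
    return found.text.strip() if found is not None and found.text else default


def triage_report(xml_text: str) -> List[dict]:
    """Return one row per <record>, flagged rows first, largest volumes first."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        policy_spf = _text(rec, "row/policy_evaluated/spf")    # aligned SPF verdict
        policy_dkim = _text(rec, "row/policy_evaluated/dkim")  # aligned DKIM verdict
        header_from = _text(rec, "identifiers/header_from").lower()
        spf_domain = _text(rec, "auth_results/spf/domain").lower()  # envelope (Return-Path) domain
        flags = []
        if policy_spf == "pass" and policy_dkim != "pass":
            flags.append("spf-only-pass")  # DMARC pass rested on SPF alone
            if spf_domain and spf_domain != header_from:
                flags.append("relaxed-subdomain-alignment")  # the UPS-style From/Return-Path split
        if policy_spf != "pass" and policy_dkim != "pass":
            flags.append("dmarc-fail")
            if _text(rec, "row/policy_evaluated/disposition") == "none":
                flags.append("not-enforced")  # p=none let it through
        rows.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "header_from": header_from,
            "spf_domain": spf_domain,
            "flags": flags,
        })
    rows.sort(key=lambda r: (not r["flags"], -r["count"]))
    return rows


def flagged_messages(rows: List[dict]) -> int:
    """Total message volume that needs a look."""
    return sum(r["count"] for r in rows if r["flags"])


if __name__ == "__main__":
    for row in triage_report(SAMPLE_REPORT):
        print(row)
```

On the constructed report, the 3,500-message source that passed only via relaxed SPF alignment from a From subdomain sorts to the top, the outright spoof that the quarantine policy caught comes next, and the fully signed legitimate source carries no flags. Feeding the same function a day's worth of real rua files is what the "monitor daily" tip looks like in practice.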
Expert view
Expert from Email Geeks says the UPS scam highlights how a brand with a BIMI Verified Mark Certificate and an overly broad SPF record could be exploited, especially when combined with a service allowing DMARC-protected emails to be relayed even when failing authentication.
2023-06-05 - Email Geeks
Expert view
Expert from Email Geeks says Microsoft is responsible for allowing customers to use domains that do not belong to them, leading to fraudulent email authentication.