
I've just set up sending emails from my domain with Google Workspace, and have just learned about SPF, DKIM, and DMARC. I'm wondering, what use is SPF in the modern internet? Probably half the internet is already sending emails from a Google IP address, and if they aren't, it's trivial for them to start. And as I understand it, DMARC passes if SPF or DKIM pass, which only makes it as strong as the weaker of the two.

What am I missing here? Thanks.


2 Answers


If you have just finished setting up your domain on Google, then you will have noticed that part of the setup process involves verifying that you own the domain. Until that step is complete, you would not have been able to send messages out from your account using that domain.

When you add Google's IPs to your SPF record, you are trusting them to ensure that only accounts associated with your workspace are permitted to use your domain. There are some possible vectors around message forwarding, but if you have DMARC properly configured, Google won't accept a spoofed message in the first place, so it won't forward it anywhere.

You state that "if they aren't it's trivial for them to start [sending emails from a Google IP]"; while this is true, it is NOT trivial for them to start sending emails from a Google IP with your domain in the From field. That can't be done until after the sending workspace has verified ownership of the domain.

Essentially you are building a chain: DMARC ensures the From address matches the envelope address (or the message is signed, which isn't relevant to this discussion), SPF ensures that the envelope address was used by an approved server, and Google's internal security systems ensure that servers only send messages where the address matches an approved domain for the sending user.

  • Yep, this is what I was missing. It's easy to spoof a From header OR to send from a shared IP address. It's hard (hopefully impossible) to do both at the same time. Commented Jan 8 at 14:19

I agree that half or more of worldwide email is probably sent through shared infrastructure, including ISPs, freemail providers (Google, Yahoo, and Microsoft), and multi-tenant cloud providers (especially the corporate options from Microsoft and Google).

As the Forward Pass paper proved, SPF does not work with shared infrastructure. It does, however, work fine with dedicated IPs. This can alleviate the need to set up DKIM on a less important (but still secured) server that just sends mail with cron jobs and other operational contexts.

I suggest an SPF record like v=spf1 a:www.example.com ?include:_spf.google.com ~all where www.example.com is a (non-shared!) non-mail server that happens to send some cron jobs but doesn't have DKIM set up. The entry's ?include means its included entries are SPF-neutral (not passing, not failing). Anything sent through Google should be DKIM-signed, so it should pass DMARC just fine—but don't forget to verify that before enabling a DMARC p=reject policy!

(Having an empty SPF record, or worse, one that denotes the shared infrastructure you've intentionally omitted should be failed or soft-failed, is harmful to your ability to deliver mail. I do not recommend those paths.)

  • Oooh, I didn't know about ?include, that's a good one to know. Commented Jan 6 at 3:40
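The following is an added example, not code from either answer above. It is a deliberately small SPF evaluator plus the DMARC "SPF or DKIM, aligned" decision, run offline against a constructed lookup table that stands in for DNS. It shows the two records that the thread contrasts: `include:_spf.google.com`, where any sender on the shared Google range gets an SPF pass for your domain, and `?include:_spf.google.com`, where the same sender only gets neutral and the DMARC verdict therefore depends on DKIM. Assumptions: the address ranges are RFC 5737 documentation networks rather than Google's real netblocks, only the `a`, `ip4`, `include` and `all` mechanisms are implemented (no `mx`, `ptr`, `exists`, macros or the 10-lookup limit from RFC 7208), and DMARC alignment is strict (exact domain match) rather than relaxed.

```python
import ipaddress

# Constructed lookup table standing in for DNS (an assumption of this example; the
# address ranges are RFC 5737 documentation networks, not Google's real netblocks).
FAKE_DNS = {
    "example.com":           {"TXT": "v=spf1 a:www.example.com ?include:_spf.google.com ~all"},
    "strict.example.com":    {"TXT": "v=spf1 include:_spf.google.com ~all"},
    "www.example.com":       {"A": ["203.0.113.10"]},          # the dedicated cron box
    "_spf.google.com":       {"TXT": "v=spf1 include:_netblocks.google.com ~all"},
    "_netblocks.google.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 ~all"},  # "shared" range
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Simplified RFC 7208 check_host(): pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:
        return "permerror"                      # guard against include loops
    record = FAKE_DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                         # default qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in FAKE_DNS.get(arg or domain, {}).get("A", [])
        elif name == "include":
            # An include "matches" only when the included record evaluates to pass;
            # the OUTER qualifier then decides what that match means, so
            # '?include:' turns a pass from the shared range into neutral.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                  # mechanism not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                            # nothing matched (RFC 7208 default)


def dmarc_result(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """DMARC passes if either authenticator passes AND its domain aligns with the
    RFC5322.From domain. Strict (exact) alignment is used here for brevity."""
    spf_ok = spf_result == "pass" and spf_domain == from_domain
    dkim_ok = dkim_result == "pass" and dkim_domain == from_domain
    return "pass" if (spf_ok or dkim_ok) else "fail"


if __name__ == "__main__":
    google_ip, cron_ip, stranger_ip = "198.51.100.7", "203.0.113.10", "192.0.2.99"
    for ip in (google_ip, cron_ip, stranger_ip):
        print(f"{ip:14} example.com -> {check_host(ip, 'example.com'):8} "
              f"strict.example.com -> {check_host(ip, 'strict.example.com')}")
    # A message relayed through the shared range with the '?include' record:
    # SPF is neutral, so the DMARC verdict rides entirely on an aligned DKIM signature.
    spf = check_host(google_ip, "example.com")
    print("with DKIM   :", dmarc_result("example.com", spf, "example.com", "pass", "example.com"))
    print("without DKIM:", dmarc_result("example.com", spf, "example.com", "none", ""))
```

Running it prints a pass for the dedicated cron host under both records, but for the shared-range sender it prints `neutral` under the `?include` record and `pass` under the plain `include` record; the last two lines show that, with neutral SPF, DMARC passes only when the message also carries an aligned DKIM signature, which is exactly the check to make before moving to `p=reject`.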
