Hello DenBesten,
Thank you for your reply.
Yes, I can confirm that we are indeed receiving emails where the visible sending domain is bitwarden.eu (both in the From header and in the return-path / MAIL FROM).
For example:
Date: 18/11/2025 – 15:39:42
Subject: “New Device Logged In From Chrome Extension”
From: no-reply@bitwarden.eu (0107019a97683c5c-a9d0fd82-481d-4a60-95c5-b9ea9f1af240-000000@mailses.bitwarden.eu)
IP: 54.240.99.95
Result: SPF FAIL
For bitwarden.eu, the SPF record does not authorize any IP addresses:
This is precisely the core of the problem: the bitwarden.eu domain is configured as a domain that should not send any emails (v=spf1 -all), and yet emails are being sent using this domain.
This is not an issue for emails sent from the bitwarden.com domain, as the SPF records for bitwarden.com are correctly configured:
v=spf1 include:spf.braintreegateway.com include:_spf.google.com include:amazonses.com include:_spf.freshsales.io include:22371289.spf07.hubspotemail.net ~all
Example:
Date: 23/11/2025 – 16:16:06
Subject: “Support”
From: support@bitwarden.com (0107019ab1495900-f1b5deb2-93c1-45d4-adc4-6bfcfcbf71f6-000000@mailses3.bitwarden.com)
IP: 54.240.99.95
Result: SPF PASS — IP address 54.240.99.95 is included in the amazonses.com SPF range (54.240.64.0/18).
I fully agree with your analysis: from a DNS and security policy standpoint, bitwarden.eu is clearly configured not to participate in email sending, which is exactly why these messages are being rejected on our side.
This means that either:
- No emails should ever be sent from this domain, or
- The SPF/DMARC configuration of bitwarden.eu is incorrect compared to its actual usage.
At this stage, Bitwarden support claims that their configuration is correct and refuses to make any changes, which is why I opened this discussion here.
Thank you again for your analysis, which fully confirms our security concerns.
Best regards,
Benjamin
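The two SPF results reported in the post above can be reproduced with a reduced evaluator. This is an added example, not part of the post and not Bitwarden's or any mail server's code; it handles only the `ip4`, `include` and `all` mechanisms. The DNS table is constructed: amazonses.com is cut down to the single range the post cites, and the other included domains are given a placeholder documentation range rather than their real records.

```python
import ipaddress

# Constructed offline DNS TXT table. bitwarden.eu and bitwarden.com are the records
# quoted in the post; amazonses.com is reduced to the one range the post cites.
TXT = {
    "bitwarden.eu": "v=spf1 -all",
    "bitwarden.com": "v=spf1 include:spf.braintreegateway.com include:_spf.google.com "
                     "include:amazonses.com include:_spf.freshsales.io "
                     "include:22371289.spf07.hubspotemail.net ~all",
    "amazonses.com": "v=spf1 ip4:54.240.64.0/18 -all",
}
# Assumption: the remaining includes get a placeholder record (TEST-NET-1), not their real one.
for _d in ("spf.braintreegateway.com", "_spf.google.com", "_spf.freshsales.io",
           "22371289.spf07.hubspotemail.net"):
    TXT[_d] = "v=spf1 ip4:192.0.2.0/24 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Return the SPF result for ip against domain's record (reduced mechanism set)."""
    if depth > 10:                      # simple recursion guard for this example
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # mechanisms are evaluated left to right
        qual = "+"                      # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"      # an include with no usable record is an error
            matched = inner == "pass"   # only a pass from the included record matches
        else:
            return "permerror"          # mechanism outside this reduced example
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # no mechanism matched and no "all" present

if __name__ == "__main__":
    for dom in ("bitwarden.eu", "bitwarden.com"):
        print(dom, check_host("54.240.99.95", dom))
```

The `domain` argument is whichever domain the receiving server evaluates SPF against; the result depends entirely on the record published at that exact name.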