Missing/insufficient SPF record

When a domain lacks an SPF policy, an attacker is able to send spoofed emails that look like they’re originating from the vulnerable domain.

What can happen?

Spoofing can be used to trick people into giving up sensitive information and to spread false information that may damage the reputation of the vulnerable party. Read more on our blog.

Keep in mind…

Employing an SPF policy could result in some legitimate emails being rejected if they are automatically forwarded by old mail servers that haven’t yet implemented mitigations for this. If this is considered a greater problem than spoofed emails, a very strict SPF policy may not be the best solution. However, this is so rare that we still recommend the use of SPF, but it still needs to be taken into consideration.

Remediation

The first step is to compile the appropriate SPF policy and to do that, you need to read the document about the syntax of SPF which can be found here: http://www.open-spf.org/SPF_Record_Syntax/

If you use one of the most common email service providers, you can just use one of the SPF policies listed below:

  • Outlook: v=spf1 include:spf.protection.outlook.com -all
  • Zoho: v=spf1 mx include:zoho.com -all
  • AOL: v=spf1 ptr:mx.aol.com -all
  • Inbox: v=spf1 ip4:33.34.35.0/24 include:inbox.com -all
  • CounterMail: v=spf1 mx -all
  • Hushmail: v=spf1 ip4:65.39.178.0/24 a mx -all
  • Google: v=spf1 include:_spf.google.com -all

Some email service providers recommend the use of softfail (~all) instead of hardfail (-all). That makes SPF less effective, and is therefore not a solution we would recommend.

If no emails are sent from the domain (this is easily changed if you want to start to send emails in the future), a simple SPF policy that disallows all emails is recommended:

v=spf1 -all

To fully implement your SPF policy, there is only one step left: adding it to the DNS records for the domain. Log in to wherever the domain’s name server is managed. If you don’t know where that is, the default name server from the domain registrar (such as GoDaddy and NameCheap) is probably used, and that is where you should log in to manage the DNS records.

A TXT record should now be added with the value of the selected SPF policy. In many cases, the SPF policy needs to be placed within quotes.
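Added example, not part of this article or Detectify's tooling: a small offline checker in Python that parses a record using the SPF syntax linked above, rates the policy by its all qualifier (strict -all versus ~all, ?all, +all or no all at all), and evaluates a sender IP against explicit ip4/ip6 terms. Mechanisms that need DNS (a, mx, include, ptr, exists, redirect) are only counted against the RFC 7208 limit of 10 lookups, not resolved, so the sample records and the 203.0.113.x sender address below are constructed test values.

```python
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cannot be decided without DNS; RFC 7208 allows at most 10 of them per policy.
DNS_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}

def parse_spf(record):
    """Split a TXT record into (qualifier, name, argument) terms; None if it is not SPF."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier per RFC 7208
        if term and term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        sep = next((c for c in term if c in "=:/"), None)
        name, arg = term.split(sep, 1) if sep else (term, None)
        if sep == "/":                        # keep the CIDR on e.g. "a/24"
            arg = "/" + arg
        parsed.append((qualifier, name.lower(), arg))
    return parsed

def assess_spf(record):
    """Rate how strongly a published policy rejects unlisted senders."""
    terms = parse_spf(record)
    if terms is None:
        return {"verdict": "missing-or-invalid", "dns_lookups": 0, "too_many_lookups": False}
    lookups = sum(1 for _, name, _ in terms if name in DNS_TERMS)
    all_terms = [q for q, name, _ in terms if name == "all"]
    if not all_terms:
        verdict = "no-all"                    # unlisted senders end up 'neutral': nothing is rejected
    else:                                     # the first 'all' ends evaluation, later terms are ignored
        verdict = {"-": "strict", "~": "softfail", "?": "neutral", "+": "permissive"}[all_terms[0]]
    return {"verdict": verdict, "dns_lookups": lookups, "too_many_lookups": lookups > 10}

def check_sender(record, sender_ip):
    """Offline SPF evaluation: decides on ip4/ip6/all terms, stops at the first DNS term."""
    terms = parse_spf(record)
    if terms is None:
        return "none"                         # no SPF policy published
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in terms:
        if name in ("ip4", "ip6") and arg:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif name in DNS_TERMS:
            return "lookup-required"          # cannot be decided without a DNS query
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                          # RFC 7208 default when no term matches
```

Running assess_spf over the provider policies listed above returns "strict" for each, while the same records with ~all return "softfail", which is the weakening the previous paragraph warns about.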

Don’t hesitate to contact us if something is unclear or you'd like to verify that everything is set up correctly! Contact us at [email protected].


Read more

Detectify blog: Misconfigured email servers open the door to spoofed emails from top domains 
