Over the last few years, spfXio.com has analyzed and monitored the email security configurations of over 40,000 domains. Our evaluation uses information publicly available through the Domain Name System (DNS), focusing on Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC) records. Email receivers use SPF and DMARC records to authenticate the messages they receive. Properly configured, these records improve email delivery while protecting your domain against spoofing attacks.

Through our research, we've identified the following common SPF configuration weaknesses. Each one either increases the likelihood of successful email spoofing and impersonation or can negatively affect delivery of email sent from your domain. Take a quick read to see whether any of these issues is plaguing your organization's SPF record.

Is your domain at risk? Get a free analysis using our Domain Inspector today!

Too Many Lookups

The SPF specification (RFC 7208, section 4.6.4) limits the number of DNS-querying terms evaluated during one SPF check to 10. The include, a, mx, ptr and exists mechanisms and the redirect modifier each count as one lookup, and lookups triggered inside any record reached through include or redirect count toward the same total; ip4 and ip6 mechanisms cost nothing. An evaluation that exceeds the limit returns a Permanent Error (permerror), which most receiving email gateways treat as though no SPF policy were published. Exceeding the 10-lookup limit therefore renders your SPF record useless: DMARC can no longer use SPF to authenticate your mail, and unless every message is also DKIM-signed by an aligned domain, hackers and cybercriminals can effectively send emails impersonating users on your domain. A second, less well-known limit applies as well: more than two lookups that return no records at all ("void lookups") also produce a permerror, so stale include targets that no longer publish a record hurt you twice over.


Multiple SPF Records Published

Many domains publish more than one SPF record, that is, more than one TXT record beginning with "v=spf1" at the same name. RFC 7208 requires exactly one; when a receiving email system finds two or more, it cannot tell which policy to apply and the check returns a Permanent Error. As with Too Many Lookups, this result renders your SPF record useless and opens opportunities for hackers and cybercriminals to effectively send emails impersonating users on your domain. The fix is to merge every authorized source into a single "v=spf1" record and delete the others.


Inadequate Default Policy

SPF records are evaluated from left to right, as you would read this sentence, and the first mechanism that matches the sending IP address determines the result. Most often, we see SPF records terminated with an "all" mechanism that returns Fail (-all) or Soft Fail (~all) for any sender not matched earlier in the record. Unfortunately, a statistically significant percentage of the SPF records we evaluated end with "?all", which returns a Neutral result. Neutral means the domain makes no assertion as to whether the sending system is authorized to send email on its behalf, and receivers treat it much like having no record at all; a record with no "all" term at all produces the same Neutral result for unmatched senders. In rare and dangerous cases, we detected records ending in "+all", a Pass for every sender, which essentially authorizes every system on the internet to send email on behalf of the domain. (We tried contacting you, but you haven't returned our calls; if you are reading this, please get in touch with us now!)


No Policy Published

Nearly one-third of the domains in our evaluation did not publish an effective SPF record, and over one-half did not publish a DMARC policy. Without an SPF record, receiving email gateways have no information about which systems are authorized to send email on behalf of the domain, so delivery is decided solely by the filtering logic of the receiving platform. Domains that do not publish a valid DMARC policy are blind to which systems are actually sending email on their behalf, because the aggregate (rua) reports that reveal this are only sent to domains that ask for them in a DMARC record. Furthermore, these domains have no way to instruct receiving gateways to reject or quarantine email that fails DMARC.


Infinite Includes

An SPF record that references itself in an include statement, either directly or through a chain of includes that leads back to it, creates a loop: a receiver following it keeps resolving the same records until it exceeds SPF's 10-lookup limit and returns a Permanent Error. If you have a record that does this, you may be able to restore your SPF control simply by removing the cyclic include reference.
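To make the checks in the sections above concrete (Too Many Lookups, Multiple SPF Records Published, Inadequate Default Policy, No Policy Published and Infinite Includes), here is a small checker added to this article as an illustration. It is not spfXio's Domain Inspector or any code from the original page. It walks an SPF record the way a receiver does, counting every lookup-causing term up to the first "all", following include and redirect into the referenced records, and flagging each weakness. It runs against a constructed in-memory zone instead of live DNS: every domain name and TXT record in ZONE is made up for the example, and the spf_records() function is where you would substitute a real TXT query.

```python
"""Minimal SPF record checker for the weaknesses described in this article.

Added example, not spfXio code. It reads from a constructed in-memory zone
(ZONE) instead of live DNS; every name and record below is made up.
"""
import re

# Constructed zone: domain -> list of TXT strings. Illustrative assumptions,
# not real DNS data. Replace spf_records() with a TXT query to check a live domain.
ZONE = {
    # Healthy: ip4 costs no lookup; include, the 'a' inside it, and mx cost three.
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:mail.good.example mx -all"],
    "mail.good.example": ["v=spf1 a -all"],
    # Eleven include mechanisms: one over the RFC 7208 limit of 10.
    "lookups.example": ["v=spf1 "
                        + " ".join(f"include:svc{i}.example" for i in range(11))
                        + " -all"],
    **{f"svc{i}.example": ["v=spf1 ip4:203.0.113.1 -all"] for i in range(11)},
    # Two SPF records published for one domain.
    "multi.example": ["v=spf1 mx -all", "v=spf1 include:mail.good.example -all"],
    # '+all': every host on the internet passes.
    "pass.example": ["v=spf1 mx +all"],
    # '?all': neutral, no assertion about unmatched senders.
    "neutral.example": ["v=spf1 mx ?all"],
    # Self-referencing include: loops until the receiver gives up.
    "loop.example": ["v=spf1 include:loop.example -all"],
    # Domain with a TXT record but no SPF record at all.
    "nospf.example": ["v=verify1 not-an-spf-record"],
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def spf_records(domain):
    """TXT strings at `domain` that are SPF records (RFC 7208 section 3.1)."""
    return [t for t in ZONE.get(domain.lower(), [])
            if t == "v=spf1" or t.startswith("v=spf1 ")]


def split_term(term):
    """'~include:x.example' -> ('~', 'include', 'x.example'); CIDR suffixes dropped."""
    qual = "+"                      # an omitted qualifier means '+' (pass)
    if term[0] in "+-~?":
        qual, term = term[0], term[1:]
    m = re.match(r"[a-z0-9]+", term, re.I)
    if not m:
        return qual, term.lower(), None
    name, rest = m.group(0).lower(), term[m.end():]
    arg = rest[1:].split("/")[0] if rest[:1] in (":", "=") else None
    return qual, name, arg


def _walk(domain, record, state, path, terminal):
    """Count DNS lookups in `record` and descend into include/redirect targets.

    `terminal` is True for the top-level record and for records reached via
    redirect=, i.e. the ones whose 'all' term sets the default result. Terms
    are taken in textual order as a worst-case count (a real receiver stops at
    the first mechanism matching the sender IP).
    """
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        qual, name, arg = split_term(term)
        if name == "all":
            if terminal:
                state["default"] = qual
            return                            # 'all' always matches; nothing after it runs
        if name not in LOOKUP_TERMS:
            continue                          # ip4, ip6, exp= and friends cost no query
        state["lookups"] += 1
        if name not in ("include", "redirect"):
            continue                          # a, mx, ptr, exists: counted, nothing to follow
        if not arg:
            state["issues"].append(f"malformed term {term!r} in {domain}")
            state["status"] = "permerror"
            continue
        target = arg.lower()
        if target in path:
            state["issues"].append(f"cyclic {name} of {target} from {domain}")
            state["status"] = "permerror"
            continue
        recs = spf_records(target)
        if len(recs) != 1:
            # RFC 7208 section 5.2: a target with no record, or several, is a permerror
            state["issues"].append(f"{name} target {target} has {len(recs)} SPF records")
            state["status"] = "permerror"
            continue
        _walk(target, recs[0], state, path | {target}, terminal and name == "redirect")


def analyze(domain):
    """Report the SPF weaknesses of `domain`; status is 'none', 'permerror' or 'valid'."""
    state = {"domain": domain, "status": "valid", "lookups": 0, "default": None, "issues": []}
    recs = spf_records(domain)
    if not recs:
        state["status"] = "none"
        state["issues"].append("no SPF record published")
        return state
    if len(recs) > 1:
        state["status"] = "permerror"
        state["issues"].append(f"{len(recs)} SPF records published; must be exactly one")
        return state
    _walk(domain, recs[0], state, {domain.lower()}, terminal=True)
    if state["lookups"] > MAX_LOOKUPS:
        state["status"] = "permerror"
        state["issues"].append(f"{state['lookups']} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    if state["default"] is None:
        state["issues"].append("no 'all' term: unmatched senders get neutral (RFC 7208 section 4.7)")
    elif state["default"] == "+":
        state["issues"].append("'+all' authorizes every host on the internet")
    elif state["default"] == "?":
        state["issues"].append("'?all' makes no assertion about unmatched senders")
    return state


if __name__ == "__main__":
    for name in ("good.example", "lookups.example", "multi.example", "pass.example",
                 "neutral.example", "loop.example", "nospf.example"):
        r = analyze(name)
        print(f"{name:18} {r['status']:9} lookups={r['lookups']:2} all={r['default']}  "
              + "; ".join(r["issues"]))
```

Running the script prints one line per constructed domain: good.example comes back valid with 3 lookups and a "-" default, lookups.example and loop.example come back permerror, multi.example is rejected before any walking because two records were found, and nospf.example reports none. The cycle check keeps the set of domains on the current include path rather than a global "seen" set, so a legitimate include that appears twice in different branches is still counted twice (as a receiver would count it) while a true loop is caught on its first repeat.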


These are a few common configuration issues that increase the likelihood of successful email spoofing and impersonation attacks against your domain. Although the fixes seem straightforward, organizations encounter several challenges when moving from their current state to a modern, strengthened configuration: references to legacy systems, evolving third-party dependencies, fear of breaking email, or a lack of in-house expertise. In these cases, it may be both cost- and time-efficient to engage a third party that provides tooling, dedicated resources and expertise as a managed service.

What should I do?

Every improvement begins with understanding your current state.  Now would be a good time to take advantage of our free Domain Inspector for a personalized analysis of your domain’s SPF and DMARC records.  Book a free consultation with one of our experts and let us walk you through your results, explain identified issues, and provide guidance for improvement.