E-Mail Security with SPF

(Last Updated On: 2019-02-28)

Email is one of the most used applications for Communication today. So how the fluke do you secure it.
Well, this is the task I had to go and find out this week after receiving some potentially very destructive phishing emails, the emails looked so real that if the user did not pick up slight changes in the mail we would have had a hefty price to pay.

There are three Technologies which I found can assist very quickly with this:

  1. SPF
    This Validates the Server Sending the Email
    Can improve mail deliverability on Corporate Domains
  2. DKIM
    This checks if the mail was tampered with prior to receiving it
  3. DMARC
    This is a combination of both above-mentioned protocols

Let’s Kick off with SPF

Sender Protocol Framework is a method of checking if the server that is sending the mail has permission from the domain to send the mail. This does not stop the mail from being sent it just marks the mail as Authorized or not Authorized.

It is Important to note there are two sides to this:

  1. The Sending Domain must make sure their mail servers are Authorized to send mail
  2. The Receiving Domain can choose what to do with the mail depending on the Verification Result

So how does this work?

The Sending Mail Server has an IP address of 1.2.3.4 once the mail server sends out the mail it has something called an Envelope Header this contains various data for the mail to be sent. The Receiving Server uses this to extract the return-path, from the return path it takes the domain section and queries for a TXT Record for the SPF Records. The Originating IP gets validated against this record and a Verification code then gets generated where the receiving server can decide what to do with the mail.

SPF

What type of Verification Result is generated?

CodeDescription
NoneNo Record Exist
NeutralDomain owner does not want to give the IP address which is Authorized
PassAll  records are found and validated
FailIP Address does not have permission from the domain
SoftfailThe IP address might be authorized
TempErrorAn error occurred while doing the SPF check
PermErrorThe record is present but there is something wrong with it

 

How Do You Setup SPF

To Setup SPF for your Domain sending is quite easy. You Log onto your CPanel where your DNS is hosted. Within the DNS Section first, check if you do not have an existing SPF if not add a TXT Record and Populate it with the correct Data.

The Data

For all the Information on how the SPF Records can be populated yo,u can browse the following link http://www.openspf.org/

The Way that I read it is to read it like you would read a sentence. As an Example take the below SPF Record. I know it sounds simple but it makes sense if you get confused on the syntax.
Very important the “All” is Always last in the Syntax.

TXTv=spf1 include:spf.protection.outlook.com –all

This basically reads:

v=spf1Use SPF Version one
Include:spf.protection.outlook.comInclude these servers as authorized servers
-AllAny Other Servers is not allowed

By Default, if there is no Mechanism in front of any other Mechanism it uses “+”
The four basic Mechanisms are:

“+”Pass
“-“Fail
“~”SoftFail
“?”Neutral

There are tools available if you need assistance to with creating or Testing SPF.
Check the Syntax is correct: https://www.kitterman.com/
Build SPF Syntax: https://www.spfwizard.net/
Check Domain Health for Errors: https://mxtoolbox.com/

Receiving Mail with SPF

This is dependent on the exchange server you are running if it accepts SPF or not. Most Corporate environment should have this in place. This is where you receive the Verification result back and you can choose what to do with mail received. For your public domain like Gmail yo,u should see a big question mark on any mail that is suspected. This won’t be blocked but notification will be raised.

An Example would be:

NoneTake No Action
NeutralTake No Action
Soft FailAccept but check Spam Filtering
Hard FailReject
PermErrorAccept but check Spam Filtering
TempErrorAccept but check Spam Filtering

This is actually a very simple way to make sure your mail gets through to other corporate environments as well as blocking any potential harmful mail.

If you liked what you read Please Share.

I’d love it if you followed me on Twitter and Facebook.

Also, feel free to subscribe to my posts by email. Thanks for reading.

Spread the love

Leave a Reply

Your email address will not be published. Required fields are marked *