Those Darn SPF Records
There are quite a few misconceptions about these seemingly innocent little rules in your DNS zone. Every other week, we get calls from people who say they want to tackle their spam problem with an SPF record. They’ve heard through the grapevine that it’s a surefire spam killer. And then the SPF rule needs to be configured. The result? Sputtering mail servers and disrupted email flows.
So, what’s going wrong here? The problem starts with the word “spam.” What we really need to talk about is “spoofing.”
What is Email Spoofing
The email address used to send spam can easily be falsified. In principle, it can be anything the spammer wants. For example, they can effortlessly use your own email address as the sender.
This is because the SMTP protocol, by default, doesn’t include authentication or verification. For instance, with minimal effort, you could send an email with the sender address “president@whitehouse.gov.”
That email will arrive without a hitch—unless there’s an SPF record in the DNS zone of whitehouse.gov and the receiving mail server checks it after receiving the email.
What is SPF?
Sender Policy Framework (SPF) isn’t about stopping spam. It was developed to add a layer of security to the SMTP protocol. All it does is use a TXT record in the DNS zone to specify which mail servers are authorized to send email from your domain. This way, SPF ensures that “others” won’t receive spoofed spam from your domain(s).
It’s important to note that your SPF setup doesn’t impact spam or emails sent to you.
What Are the Benefits of SPF?
Other mail servers can consult the SPF record to determine whether an email that appears to come from you actually originates from your mail server. If not, it’s a case of email spoofing, and the email can be filtered.
In this way, an SPF record makes it harder for spammers to spoof your email address (note: harder, not impossible!). You might also receive fewer “bounce back” emails from spam sent from one of your email addresses to an invalid address.
In principle, this works well, but there are also downsides to SPF setups.
What Are the Downsides of SPF?
First, it doesn’t stop spam. It only addresses spam from spoofed email addresses. SPF is nothing more than an anti-spoofing measure.
Even then, it’s relatively easy to craft an email in such a way that the SPF check becomes irrelevant, allowing the spoofed email to slip through: SPF validates the envelope sender (the SMTP MAIL FROM address), not the From header that the recipient actually sees, and the two don’t have to match.
Additionally, SPF isn’t a global standard. Not all mail servers check for SPF records, meaning those servers will simply accept spoofed emails.
Moreover, SPF syntax can quickly become complicated when dealing with remote workers or telecommuters—people who send emails from home via their ISP’s SMTP server. Each individual IP address used by every remote worker would need to be included in the SPF record, which can quickly become unmanageable.
Another issue BIT often sees with SPF requests is the use of the ~all (softfail) parameter in the syntax. In short, this parameter allows emails from other sources to be accepted but with a caveat. This effectively renders the SPF rule redundant; emails that receive a softfail aren’t automatically dropped but are marked. These emails can then potentially be filtered as spam at the client level (by the recipient) based on the marking.
The softfail function is intended to test your SPF record and gather all possible mail servers. If you know that all your emails truly only come from the specified IP addresses, then -all is the only correct parameter. If you allow emails through with a softfail, the recipient might receive a lot of spam from a spoofed address and subsequently see your mail domain as untrustworthy—softfail or not.
Another problem is that SPF makes email forwarding more difficult. When an email is forwarded, the original sender address is preserved, but the email is now sent from a different mail server, one that isn’t listed in the sender’s SPF record. So when the receiving server performs an SPF check, the forwarded email fails and can be blocked.
Finally, SPF isn’t very user-friendly. A small mistake in your SPF configuration can result in valid emails being blocked. In short, it’s crucial to understand how your mail setup works and how email protocols function.
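To make the -all versus ~all distinction and the forwarding problem concrete, here is an added example (not BIT’s code) of a minimal offline SPF evaluator in Python. The domains, IP addresses and records in FAKE_TXT are constructed stand-ins for real DNS data; mechanisms that need live DNS (a, mx, exists) are skipped.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumed data, not real zones).
# example.com ends with -all (correct), example.org with ~all (softfail).
FAKE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.mailprovider.example -all",
    "example.org": "v=spf1 ip4:203.0.113.10 ~all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookup=FAKE_TXT.get, depth=0):
    """Evaluate sender_ip against the SPF record of domain.

    Returns pass, fail, softfail, neutral, none or permerror, following the
    first-match rule of RFC 7208 for ip4, ip6, include and all.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms; treat overrun as permerror
        return "permerror"
    record = lookup(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only if the included domain's policy yields pass
            matched = check_spf(arg, sender_ip, lookup, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, exists, ptr need live DNS; skipped in this offline example
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no "all" present


def forwarding_demo():
    """The forwarding case from the article: a third-party relay at constructed
    IP 192.0.2.77 keeps the original sender but is not in the SPF record."""
    return {
        "forwarded, -all": check_spf("example.com", "192.0.2.77"),
        "forwarded, ~all": check_spf("example.org", "192.0.2.77"),
    }
```

With -all the forwarded message is a hard fail; with ~all it is merely marked softfail and left to the recipient’s filter, which is exactly why the article calls ~all redundant in production.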
What Do We Think About SPF?
At BIT, we’ve observed that even with SPF records in place, spoofed emails can still get through. It’s also common for legitimate emails to be blocked, prompting people to relax the SPF syntax to the point where it becomes ineffective. In our view, the impact of an SPF record is minimal, and it’s often mistakenly seen as a solution to spam.
By: Justin Rondeboom