SPF and the lack of adoption

strongmantech (Newcomer, 8 posts since Dec 5, 2012)
Dec 7, 2012 9:51 AM
4 replies; latest reply Jan 21, 2013 7:57 PM by strongmantech

Per Wikipedia, Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.

I am all for SPF records. I set them up on all my clients' domains, and review them when changes are made to their public IP addresses or mail server adds/moves/changes.

Though, when I turned a client's SPF validation to deny mail when it fails validation or when there is no SPF record, 85% of all valid emails got rejected.

Why? Because most companies, including very large ones with full IT staffing and email administrators, fail to maintain their SPF record.

We had to turn off the deny-when-you-don't-have-an-SPF setting, which I don't like. And I'll get a random call that emails were bounced back with "SPF Validation Failed" on the NDR. One administrator said they didn't have an SPF. After one minute of research on their domain, I found the SPF and read it to them. It was wrong.

I highly recommend SPF for your organization. It prevents spammers from sending emails on your behalf, relaying them from unsecured email servers. The caveat is that the receiving party has to be checking for a valid SPF.

To see if your SPF is valid, either check what is listed on your domain, or use either of these free tools:

http://www.kitterman.com/spf/validate.html
http://mxtoolbox.com/spf.aspx

To help form a valid SPF, go to http://www.openspf.org. Unfortunately, they no longer have the SPF wizard to create it for you.

  • Brad McGarr (McAfee Employee, 154 posts since Dec 4, 2012), Dec 7, 2012 12:24 PM, in response to strongmantech
    Re: SPF and the lack of adoption

    Greetings Tom,

    Thank you for your post. It certainly is highly recommended that all Email and Domain Administrators adopt authentication technologies including SPF and DKIM. As more organizations begin requiring these authentication technologies of their senders, I personally have a feeling that SPF and DKIM adoption and accuracy will increase. Thanks for doing your part in keeping your SPF records accurate and advocating its use. If you haven't also invested in DKIM, I highly recommend that as well.

    Sincerely,

    Brad M.

    McAfee SaaS Email & Web Security

    Brad McGarr
    McAfee SaaS Email & Web Protection
    Technical Support Technician I (Legacy & Partner Support)
    Visit my blog: Brad's Corner - Insights from SaaS Email & Web Security Support https://community.mcafee.com/blogs/brad-denver
  • pm_nate (McAfee Employee, 17 posts since Dec 6, 2012), Dec 17, 2012 6:07 PM, in response to strongmantech
    Re: SPF and the lack of adoption

    Nice write-up Tom. We've done a lot in the past year to increase the use of SPF, TLS, and DKIM. We support enforcement of all these items on inbound policies, and there is an option that you might like: you can enforce SPF, TLS, and DKIM on specific domains. I highly recommend doing this for the major financial institutions, who have actually done a great job of implementing and maintaining SPF, and also with your trusted business partners.

    To take it a step further, the SPF and DKIM features can also tag subjects, which helps train you on where you can and can't implement strict enforcement. Of course, this is all found in the service under inbound policies > email authentication.

    Also, here's a link to download a webinar I recently did on email authentication techniques like SPF and DKIM. SPF is pretty good in today's world but quickly becoming obsolete because it is IP based, and most hosted email platforms share IP addresses amongst perhaps thousands of different customers, making it impossible to tell one sender from another on these platforms. For more info, check out the webinar!

    http://events.mcafee.com/forms/12Q4NetworkEmailOstermanWebcastDec12

    Nate

    The information contained in this post is for informational purposes only and should not be deemed an offer by McAfee or create an obligation on McAfee. McAfee reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations.
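The check the original post describes (a receiving mail exchanger looking up the sender domain's SPF TXT record and testing the connecting IP against it) and Nate's point about shared provider IPs, as an added Python example that is not part of this thread or of the McAfee service. It is a minimal RFC 7208 evaluator run against a constructed in-memory DNS table: every domain name, record and address range below is made up for illustration and nothing is looked up on the network. Only the ip4, ip6, include and all mechanisms are implemented; the stale.example record stands in for the "server moved, record never updated" failure the original poster ran into, tenant-a/tenant-b show that two customers behind the same provider range both pass for the same IP, and the assumed inbound_decision function contrasts rejecting on a hard fail with the stricter reject-when-no-record setting the original poster had to turn off.

```python
"""Minimal SPF (RFC 7208) evaluator against a constructed, in-memory DNS table.

Added illustration; not code from the thread or from the McAfee service.
Only the ip4, ip6, include and all mechanisms are implemented; a, mx, ptr,
exists and redirect are reported as permerror so that unsupported syntax
is never silently treated as a match.
"""
import ipaddress

# Constructed DNS data (made up for this example; not real domains or hosts).
# None stands for a domain that publishes no SPF record at all.
FAKE_DNS_TXT = {
    "example.com":      "v=spf1 ip4:203.0.113.0/24 include:mailhost.example -all",
    "partner.example":  "v=spf1 ip4:198.51.100.10 ~all",
    "stale.example":    "v=spf1 ip4:192.0.2.5 -all",   # mail server moved, record never updated
    "mailhost.example": "v=spf1 ip4:203.0.113.128/25 ip6:2001:db8:1::/48 -all",
    "tenant-a.example": "v=spf1 include:mailhost.example -all",
    "tenant-b.example": "v=spf1 include:mailhost.example -all",
    "nospf.example":    None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF policy of `domain` for the connecting IP `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                    # crude stand-in for the RFC 7208 lookup limit
        return "permerror"
    record = dns.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                 # not an SPF record at all
    addr = ipaddress.ip_address(ip)

    for term in terms[1:]:
        qualifier = "+"               # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # A v4 address is never "in" a v6 network and vice versa.
                matched = addr in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"    # malformed address or prefix in the record
        elif mech == "include":
            # RFC 7208 section 5.2: "pass" from the included policy matches;
            # fail/softfail/neutral do not match; none/permerror is a permerror.
            sub = check_host(ip, value, dns, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"        # mechanism not supported by this toy evaluator

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                  # nothing matched and there was no "all" term


def inbound_decision(result, reject_on_none=False):
    """Assumed receiver policy modelled on the thread: reject on a hard 'fail',
    and, only when the strict option is on, also reject when the sender domain
    publishes no record at all. softfail/neutral/permerror are accepted here;
    a real gateway would usually tag or score those instead."""
    if result == "fail" or (result == "none" and reject_on_none):
        return "reject"
    return "accept"


def classify(ip, domain, reject_on_none=False, dns=FAKE_DNS_TXT):
    """Convenience wrapper returning (spf_result, decision)."""
    result = check_host(ip, domain, dns)
    return result, inbound_decision(result, reject_on_none)


if __name__ == "__main__":
    # Constructed sample of inbound connections: (sender IP, MAIL FROM domain).
    samples = [
        ("203.0.113.5",    "example.com"),       # listed directly -> pass
        ("2001:db8:1::25", "example.com"),       # only via include:mailhost.example -> pass
        ("192.0.2.5",      "stale.example"),     # old record still lists it -> pass
        ("192.0.2.9",      "stale.example"),     # new server never added -> fail
        ("198.51.100.10",  "nospf.example"),     # no record at all -> none
        ("203.0.113.200",  "tenant-a.example"),  # shared provider range -> pass
        ("203.0.113.200",  "tenant-b.example"),  # same IP passes for the other tenant too
    ]
    for strict in (False, True):
        print(f"reject_on_none={strict}")
        for ip, dom in samples:
            print(f"  {ip:15} {dom:18} {classify(ip, dom, strict)}")
```

The tenant-a/tenant-b rows are the shared-IP problem in miniature: SPF answers "is this IP allowed to send for this domain", and when both tenants include the same provider range, the same connecting IP passes for either domain, so SPF alone cannot tell one customer of the platform from another.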

  • dukebox (Newcomer, 13 posts since Jul 9, 2012), Jan 14, 2013 5:24 PM, in response to pm_nate
    Re: SPF and the lack of adoption

    Great post!

    We encourage all our clients and partners to use SPF/DKIM, which makes our life easier and more effective in detecting and blocking spam.

    The problem lies in the fact that email administrators are not aware their SPF is wrong (or not authorized) until it is reported by their users. The newly proposed DMARC (Domain-based Message Authentication, Reporting & Conformance), if it becomes widely accepted, supported and deployed, is supposed to remediate this problem.

    So I do not agree with that assertion: very large [companies] with full IT staffing and email administrators fail to maintain their SPF record.

    I would say your assertion is right regarding SMBs; they fail to maintain their SPF/DKIM records.

    The problem with large corporations is more related to those hosted and cloud services that every department wants to use... and most of the time without advising their IT department, either because of lack of knowledge or procedure.

    So we end up with emails being bounced back or dropped because we validate SPF/DKIM records... and it happens to the best.

    On two different occasions, with a reputed security company which starts with a red M and has a 6-letter name... we had issues receiving some email invitation confirmations; on those two occasions, emails were sent on behalf of @M????E.COM from an external hosted service provider which was used to manage those invitations.

    I am pretty sure that in those circumstances it was the marketing department that had decided to use this external service and IT staff was never involved... So the real problem is to enforce our corporate policies in regards to email usage across our company... Hopefully DMARC would report any issue right away... but it will never force company policies on those end users, mostly marketing folks.
