Per Wikipedia, Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.
I am all for SPF records. I set them up on all my clients' domains, and review them when changes are made to their public IP addresses or mail server adds/moves/changes.
Though, when I turned a client's SPF validation to Deny mail when it fails validation, or when there is no SPF record, 85% of all valid emails got rejected.
Why? Because most companies, including very large ones with full IT staffing and email administrators, fail to maintain their SPF record.
We had to turn off the Deny when you don't have an SPF, which I don't like. And I'll get a random call that emails were bounced back with "SPF Validation Failed" on the NDR. One administrator said they didn't have an SPF. Doing 1 minute of research on their domain, I found the SPF and read it to them. It was wrong.
I highly recommend SPF for your organization. It prevents spammers from sending emails on your behalf, relaying them from unsecured email servers. The caveat is that the receiving party must be checking for a valid SPF.
To see if your SPF is valid, either check what is listed on your domain, or use either of these free tools:
To help form a valid SPF, go to http://www.openspf.org. Unfortunately, they no longer have the SPF wizard to create it for you.
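To make the check described above concrete, here is an added example (not from the original post or any tool it mentions) of how a receiving mail server evaluates an SPF record against the connecting IP. It uses a constructed in-memory zone in place of live DNS lookups, with made-up domains and documentation IP ranges, and models only the ip4, ip6, include and all mechanisms; the "stale.example" record shows the "we haven't had those IPs in years" failure the thread describes.

```python
import ipaddress

# Constructed sample zone standing in for DNS TXT lookups (not real domains).
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "partner.example": "v=spf1 ip4:198.51.100.0/24 ~all",   # softfail policy
    "stale.example": "v=spf1 ip4:192.0.2.0/24 -all",        # IPs no longer in use
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Stand-in for a DNS TXT query; returns the SPF record or None."""
    return ZONE.get(domain)


def check_spf(ip, domain, depth=0):
    """Return the SPF result for a message from `ip` claiming to be from `domain`."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_txt(domain)
    if record is None:
        return "none"  # no SPF record published at all
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]  # catch-all decides everything not matched
        if name in ("ip4", "ip6"):
            # A v4 address never matches a v6 network and vice versa.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include" and check_spf(ip, arg, depth + 1) == "pass":
            return QUALIFIERS[qual]
        # a, mx and exists need live DNS and are not modelled here
    return "neutral"  # record ended without an "all" term


def should_reject(result, reject_missing_spf):
    """The inbound policy from the thread: reject on fail, optionally on no record."""
    return result == "fail" or (reject_missing_spf and result == "none")
```

Running `check_spf("198.51.100.10", "stale.example")` returns "fail", which is exactly the bounce a stale record produces once the receiver enforces the policy.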
Thank you for your post. It certainly is highly recommended that all Email and Domain Administrators adopt authentication technologies including SPF and DKIM. As more organizations begin requiring these authentication technologies of their senders, I personally have a feeling that SPF and DKIM adoption and accuracy will increase. Thanks for doing your part in keeping your SPF records accurate and advocating its use. If you haven't also invested in DKIM, I highly recommend that as well.
McAfee SaaS Email & Web Security
Nice write up Tom. We've done a lot in the past year to increase the use of SPF, TLS, and DKIM. We support enforcement of all these items on inbound policies and there is an option that you might like: You can enforce SPF, TLS, and DKIM on specific domains...I highly recommend doing this for the major financial institutions, who have actually done a great job of implementing and maintaining SPF and also with your trusted business partners.
To take it a step further, the SPF and DKIM features can also tag subjects which helps train you where you can and can't implement strict enforcement. Of course, this is all found in the service under inbound policies > email authentication.
Also, here's a link to download a webinar I recently did on email authentication techniques like SPF and DKIM. SPF is pretty good in today's world but quickly becoming obsolete because it is IP based and most hosted email platforms share IP addresses amongst perhaps thousands of different customers, making it impossible to tell one sender from another on these platforms. For more info, check out the webinar!
We encourage all our clients and partners to use SPF/DKIM, which makes our life easier and more effective in detecting and blocking spam.
The problem lies in the fact that the email administrators are not aware their SPF is wrong (or not authorized) until it is reported by their users. The newly proposed DMARC (Domain-based Message Authentication, Reporting & Conformance), if it becomes widely accepted, supported and deployed, is supposed to remediate this problem.
So I do not agree with that assertion: very large [companies] with full IT staffing and email administrators fail to maintain their SPF record.
I would say your assertion is right in relation to SMBs; they fail to maintain their SPF/DKIM records.
The problem with large corporations is more related to those hosted and cloud services that every department wants to use... and most of the time without advising their IT department... either because of lack of knowledge or procedure.
So we end up with emails being bounced back or dropped because we validate SPF/DKIM records... and... it happens to the best.
On two different occasions, with a reputable security company which starts with a red M and is a 6-letter name... we had issues receiving some email invitation confirmations; on those two occasions, emails were sent on behalf of @M????E.COM from an external hosted service provider which was used to manage those invitations.
I am pretty sure that in those circumstances, it was the marketing department that had decided to use this external service and IT staff was never involved... So the real problem is to enforce our corporate policies in regard to email usage across our company... Hopefully DMARC would report any issue right away... but it will never force company policies on those end users... mostly marketing folks.
on 1/14/13 5:24:33 PM CST
I did not mean to offend any large business. With over 10 years in the large corporate world, including American Express HQ, Chase Manhattan Bank HQ and Kaiser Permanente - San Diego, I understand how difficult it is to maintain valid SPF records.
It's just my experience over the past few months of fielding calls about why emails are getting bounced that, from the small to the large, there are many organizations who don't ever look at SPF. One recently was a large organization that, when I told them the IP addresses on their existing SPF, the response was "We haven't had those public IPs in years."
I wish the government agencies/ISPs would help us fight spam, and better regulate some sort of sender validation. Ah, wishful thinking for a better, spam-free tomorrow!!!