How SPF Records Prevent Email Spoofing, Phishing, and Spam


Organizations have every right to be concerned about the relentless flood of unwanted email, but it wasn’t until a decade ago that emerging standards for combating spam, phishing and other Malicious emails have emerged to give strong defenses to emails. -sending organizations.

Sender Policy Framework (SPF) is one of three Internet standards for email authentication that help organizations combat email fraud, spam, phishing, and other attacks that rely on falsification of emails. SPF is designed for use with the DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) protocols. SPF provides email senders with a toolkit to prevent unauthorized users from using their domain to send forged or spoofed emails.

The problem of email security

Simple Mail Transfer Protocol (SMTP) is how all Internet email has passed from sender to recipient since 1982, when the protocol was specified in RFC 821. SMTP offers no security features, but relies on other protocols for email security. For example, encrypting email transfers involves enabling TLS on the email server.

However, none of the standard mail protocols provide mechanisms to validate whether a server is authorized to send mail on behalf of the mail-sending domain. Emails may be encrypted when transferred between email servers, but this does not assure recipients that email purporting to be from a legitimate organization is being sent by that organization.

To further complicate the issue, any email validation tool should not negatively affect email deliverability. Whatever mail-sending organizations do to protect against email tampering, they must be implemented in a way that keeps email flowing and does not affect the delivery of legitimate messages.

Threats from unauthenticated emails

When all emails are treated as if they were legitimate, which happens when no email validation or authentication protocol is used, this opens the door to several types of attack:

  • spam is spam. Spammers send emails for many reasons, sometimes to promote an otherwise legitimate product. But, more often than not, it involves promoting scams, gathering information, or attacking an organization’s email infrastructure with the aim of disrupting email services.
  • Usurpation is a technique that attackers use to convince the recipient that their messages are sent by someone other than the apparent sender. Email spoofing is a common part of business email compromise and whaling attacks.
  • Phishing is a type of email attack that aims to manipulate recipients into taking actions that further the attacker’s goals.

The combination of these protocols significantly reduces email threats. SPF works best when email receiving entities perform an SPF check on the domain owner or email service provider that sends email on behalf of a domain owner.

What is FPS?

The SPF protocol is defined in RFC 7208, Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1. SPF, along with DKIM and DMARC, make up the three protocols that, when used together, provide the method of most important email authentication. to protect against spam, spoofing and phishing. They provide email sending organizations with a set of tools to do the following:

  • identify mail servers authorized to send mail for a domain, subdomain, or hostname, using SPF records;
  • include a digital signature in the header of outgoing messages, using DKIM records; and
  • use DMARC to tell a receiving mail server how to handle emails from a domain or hostname when they are received from an unauthorized server or when the digital signature fails authenticate.

All three of these protocols use DNS TXT records to store information about which mail servers serve a domain, how emails from those servers can be authenticated, and what to do when emails are received from unauthorized servers or when messages fail to authenticate.

Setting up a DNS record for email authentication using one of these protocols is usually done by domain administrators. Email recipients can perform an SPF check on incoming emails to determine if legitimate emails are being delivered. The SPF check is performed using a DNS lookup, which verifies that there is an SPF DNS TXT record and validates that the email was sent from a legitimate mail server.

How does SPF protect against spam and phishing?

SPF is the first leg of the tripod upon which email authentication protocols are based. Along with DKIM and DMARC, these three protocols give organizations receiving email the information they need to prevent spoofing, spam, and phishing. They solve the following problems:

  • Who is authorized to send email for a domain? SPF records identify the domain names and IP addresses of mail servers authorized to send mail for the associated domain.
  • What to do when an email is sent from an unauthorized domain? DMARC records specify what to do with an email sent from an unauthorized mail server based on the domain’s SPF record.
  • How can individual email messages be authenticated? DKIM records provide a public key, which allows email-receiving organizations to authenticate individual emails.

When an email-sending organization publishes its DNS SPF record, it provides email-receiving organizations with a simple tool that can flag emails for potential spam, spoofing, and other attacks. identity and phishing.

Since these records are all forms of the basic DNS TXT record, knowing how to add a DNS TXT record is a big part of the process of creating any SPF, DKIM, or DMARC record.

SPF works when an email server receives messages from an email sender. If the receiving server supports SPF, it queries DNS for the domain specified in the way back address in the message header. The query is for the SPF record, which indicates authorized mail servers; if the mail server that sent the message is in the SPF record, the message is authenticated by SPF.

FPS Implementation

Individuals or small organizations that receive email through email service providers should check with their providers to ensure that their email servers implement SPF. Most major email service providers currently use SPF, DKIM, and DMARC to reduce email spoofing, spoofing, and other malicious emails.

Domain owner organizations that wish to implement SPF should consider a phased deployment of SPF, DKIM, and DMARC together. To support these protocols, the domain owner must do the following:

  • publish DNS TXT records for each protocol; and
  • configure mail servers to accept and act on email authenticated using these protocols.

SPF works best when deployed with DMARC, which publishes policies set by the domain owner for unauthenticated emails sent from the domain. Without DMARC, the receiving organization may have their own policies in place on how to handle unauthenticated email. However, if a message fails SPF authentication, the receiving server also queries the domain for a DMARC record to find out what action the domain owner wants recipients to take in this case.


Comments are closed.