
SPF Checked – a look at the Sender Policy Framework

Heard of SPF but not sure how to pass an SPF check? Let's get back to basics and have a quick look at the SPF DNS record that can make your email delivery more reliable and less likely to hit the spam folder.

What is SPF?

An SPF record is a DNS TXT record that contains the IP addresses of the servers that are permitted to send email for a domain. My domain hackertarget.com wants to send email to people all around the world when they sign up for services. By setting the SPF record I have indicated that only my servers and Google servers are allowed to send email on my behalf.

Google mail servers are included in my SPF record as I use Google Apps as an email client for support operations.

Let's take a look using the DNS lookup tool dig. On Windows you could use the nslookup tool; just remember to set the type to TXT.

dig -t txt hackertarget.com

; <<>> DiG 9.9.2-P1 <<>> -t txt hackertarget.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26126
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;hackertarget.com.		IN	TXT

;; ANSWER SECTION:
hackertarget.com.	3593	IN	TXT	"v=spf1 include:_spf.google.com ip4:178.79.163.23 ip6:2a01:7e00::f03c:91ff:fe70:d437 ~all"

;; Query time: 150 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue May 21 22:06:31 2013
;; MSG SIZE  rcvd: 289

Ok, there is a bunch of info in the output - we are focusing on the TXT record in the ANSWER section. Here's a quick tip for dig users: add +short to clean up that output.

dig +short -t txt hackertarget.com
"v=spf1 include:_spf.google.com ip4:178.79.163.23 ip6:2a01:7e00::f03c:91ff:fe70:d437 ~all"

The TXT record shows that the servers covered by _spf.google.com and my IPv4 and IPv6 addresses are the only ones allowed to send email that originates from @hackertarget.com addresses. Having ~all on the end of the record indicates that email from other servers should still be accepted, but it will be given a weighting that indicates it could be spoofed. The server accepting the email has to have SPF checking in place as part of its mail filtering. As an example, the weighting could result in added points on a SpamAssassin server.

If you use Gmail, check the headers of any email going into Gmail; you will notice Google is performing SPF checks on incoming email. It uses the SPF check as one part of its spam parsing algorithm.
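To make the evaluation concrete, here is a small offline evaluator for the record shown above. It is an added example, not code from the original post. It handles only the ip4, ip6, include and all mechanisms, and the content behind _spf.google.com is a constructed stand-in (a documentation address range, not Google's real record).

```python
import ipaddress

# Qualifier prefix -> SPF result; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record from the dig output above.
RECORD = ("v=spf1 include:_spf.google.com ip4:178.79.163.23 "
          "ip6:2a01:7e00::f03c:91ff:fe70:d437 ~all")

# Constructed stand-in for DNS: domain -> SPF text. 192.0.2.0/24 is a
# documentation range used for illustration, not Google's real addresses.
ZONE = {"_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all"}


def check_spf(record, sender_ip, lookup):
    """Return the SPF result for sender_ip under the given TXT record.

    lookup(domain) returns that domain's SPF text or None; it replaces the
    DNS TXT query so the example runs offline. Terms other than ip4, ip6,
    include and all are skipped.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:  # mechanisms are tested left to right
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            included = lookup(value)
            if included is None:
                return "permerror"
            # include matches only if the included record yields "pass"
            matched = check_spf(included, sender_ip, lookup) == "pass"
        elif name == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]  # first match decides the result
    return "neutral"
```

A sender that matches nothing before the final term falls through to ~all and gets softfail, which is the "accepted but weighted" outcome described above.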

What is the advantage of an SPF Check?

As I have mentioned, SPF checks can be used as a factor in assessing spam. A spammer will send thousands of messages with a forged SMTP header pretending to be a legitimate email account. With an SPF check, email from your domain that comes from your servers is marked as legitimate, while other email is either blocked or flagged as possibly suspicious.

It is a similar case for spear phishers, who can send a forged email pretending to be someone in your organisation to another person, with the aim of getting them to click on a malicious link or document. An SPF check will reduce the likelihood of the email reaching the victim's inbox.

Things to keep in mind when implementing SPF records

  • It is free to add it to your domain; simply add a TXT record to your DNS.
  • Having it is a good idea: your email will be more likely to be accepted by SPF-enabled email servers and not put in the spam folder. Both Microsoft and Google are using SPF as part of email delivery for Outlook.com and Gmail respectively.
  • There is a gotcha when it comes to email forwarding. If you forward email from external parties to another mail service (such as Gmail), the original sender information stays intact, but since your server that is forwarding the mail is not in the SPF record for that external mail, the destination server may give the forwarded message an SPF Fail.
  • IPv6 - don't forget to add it to your SPF record if you have it enabled. While we have IPv6 up on HackerTarget.com for the web site, I discovered that email to Gmail was also going out via IPv6. Hence the addition of our IPv6 address to the SPF TXT record.

Get more information from the Sender Policy Framework Wikipedia page.