SPF configuration: common errors and how to avoid them

Mistake # 1: Misunderstanding of the real protection provided by SPF

SPF is a DNS record utilized to specify the systems authorized to send emails with a "Return-Path" email address that matches the domain where the SPF record is configured.

broken image

The "return path" email address refers to the address designated to receive a notification, known as an "NDR: Non-Delivery Report," in the event that an email fails to reach its intended recipient.

Configuring SPF helps to prevent your employees' email addresses from being inundated with "NDR" emails when an attacker sends emails using a "Return-Path" email address that matches your employees' email addresses.

This Return-Path email address may not be equal to the email address displayed in the "From" field of the recipient's email client.

Therefore, implementing an SPF record (without a DNS DMARC record configured in blocking mode) alone does not protect against spoofing of your email addresses.

If you want to stop spoofing of your email addresses: implement DMARC in addition to SPF.

Error # 2: Incorrect SPF configuration impacting email deliverability

The configuration of an SPF record remains a good security practice and also allows you to increase the deliverability of the emails you send.

It is therefore essential to configure an SPF record on your domain in order to reduce the chances that your emails will be qualified as "spam" by the anti-spam solutions of your recipients (e.g.: proofpoint, gmail, symantec, o365, etc.).

There are various DNS mechanisms available to specify the IPs of authorized systems for sending emails with a "Return-Path" email address associated with the domain. However, improper usage of these mechanisms can sometimes result in exceeding the limitations imposed by the SPF protocol (such as the size of the SPF record, exceeding the maximum number of DNS lookups, having more than two unresolved DNS lookups, etc.) which can ultimately affect the deliverability of your emails.

Using overly large IP spaces for your domain in the SPF record can result in your domain's SPF reputation being discounted by the Google spam filter. It is recommended to use a custom value that includes only the necessary IPs.

Recognizing that an SPF record requires careful consideration and validation after each modification, we have created the "SPF checker tool." This tool will assess your SPF field and alert you if there are any errors in your SPF record or if it can be further optimized or simplified.