SPF configuration: common errors and how to avoid them

Error # 1: Misunderstanding the real protection provided by SPF

SPF is a DNS record that lists the systems authorized to send email with a "Return-Path" email address whose domain is the one on which the SPF record is configured.

The "Return-Path" email address is the address configured to receive a notification called an "NDR" (Non-Delivery Report) when an email has not been delivered to the recipient.

Therefore, configuring SPF prevents your employees' mailboxes from receiving a barrage of "NDR" emails when an attacker sends emails with a "Return-Path" email address identical to one of your employees' email addresses.

This "Return-Path" email address is not necessarily the same as the email address displayed in the "From" field of the recipient's email client.

Therefore, an SPF record on its own (without a DMARC DNS record configured in blocking mode) does not protect against spoofing of your email addresses.

If you want to stop spoofing of your email addresses, implement DMARC in addition to SPF.

Error # 2: Incorrect SPF configuration impacting email deliverability

The configuration of an SPF record remains a good security practice and also allows you to increase the deliverability of the emails you send.

It is therefore essential to configure an SPF record on your domain in order to reduce the chances that your emails will be classified as "spam" by your recipients' anti-spam solutions (e.g. Proofpoint, Gmail, Symantec, O365, etc.).

Many "DNS mechanisms" are available to describe the IPs of systems authorized to send emails with a "Return-Path" email address belonging to the domain. However, careless use of these mechanisms sometimes causes the limits imposed by the SPF protocol to be exceeded (size of the SPF record, number of DNS lookups greater than 10, number of unresolved DNS lookups greater than 2, etc.), which impacts the deliverability of your emails.
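
To make these limits concrete, here is an added example (not part of the original article and not the SPF checker tool it describes) that walks an SPF record recursively and counts the terms that trigger DNS queries, following the counting rules of RFC 7208. The zone data, domain names and function names are constructed for illustration, and DNS is simulated with dictionaries so the script runs offline.

```python
import re

LOOKUP_LIMIT, VOID_LIMIT = 10, 2  # limits quoted in the article
# Constructed sample data standing in for DNS; every name is a placeholder.
TXT = {  # name -> SPF record published in TXT
    "example.com": "v=spf1 mx a include:_spf.mail.example include:crm.example "
                   "include:gone.example a:legacy.example.com mx:old.example.com ~all",
    "fixed.example": "v=spf1 ip4:203.0.113.10 include:_spf.mail.example ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "crm.example": "v=spf1 a mx include:_spf.mail.example ~all",
}
ADDR = {"example.com", "crm.example"}  # names that have A/MX data

TERM = re.compile(r"[+\-~?]?(include|a|mx|ptr|exists|redirect)"
                  r"(?:[:=]([^/\s]+))?(?:/.*)?$", re.I)

def audit(domain, seen=frozenset(), stats=None):
    """Count DNS-querying terms and void lookups reachable from `domain`."""
    stats = {"lookups": 0, "void": 0} if stats is None else stats
    if domain in seen or domain not in TXT:
        return stats
    for term in TXT[domain].split()[1:]:           # skip the v=spf1 tag
        m = TERM.match(term)
        if not m:                                   # ip4, ip6, all: no DNS query
            continue
        kind, target = m.group(1).lower(), m.group(2) or domain
        stats["lookups"] += 1
        if kind in ("include", "redirect"):
            if target in TXT:
                audit(target, seen | {domain}, stats)  # nested terms count too
            else:
                stats["void"] += 1                  # target publishes nothing
        elif target not in ADDR:
            stats["void"] += 1                      # a/mx/exists/ptr with no answer
    return stats

def problems(domain):
    """Return the limits that the record for `domain` exceeds."""
    s = audit(domain)
    checks = (("DNS lookups", s["lookups"], LOOKUP_LIMIT),
              ("void lookups", s["void"], VOID_LIMIT))
    return [f"{n} {what} (limit {lim})" for what, n, lim in checks if n > lim]

if __name__ == "__main__":
    for d in ("example.com", "fixed.example"):
        print(d, audit(d), problems(d) or "within limits")
```

In this sample the `example.com` record looks short but reaches 14 lookups because the same provider include is pulled in twice, once directly and once through `crm.example`. A real evaluator stops with an error as soon as a limit is crossed, whereas this counter keeps going to report the full total.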

Aware that an SPF record must be "thought through" and checked after each modification, we have developed the "SPF checker tool", which will evaluate your SPF record and warn you if it contains errors or if it can still be optimized / simplified.
