The SPF Domains risk vector is part of the Diligence risk category. It assesses the effectiveness of Sender Policy Framework (SPF) records, which are DNS records that identify mail servers permitted to send email on behalf of a domain. Properly configured SPF records ensure that only authorized hosts can send email on behalf of a company by providing receiving mail servers the information they need to reject mail sent by unauthorized hosts.
Only domains that are sending email and have not implemented SPF are assessed for this risk type. See data collection methods.
Risks
Without SPF records, attackers can pose as legitimate senders from trusted domains. This makes it difficult to trace a message to its source and easy for spammers to hide their identity.
Grading
See how the SPF Domains risk vector is graded.
Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
Behavior:
Having SPF records for all domains (including SMTP servers and those that aren’t configured to send email) is best practice. If a company does not intend to send email from a domain, an attacker can still use that domain to spoof email.
Only domains that are sending email and don’t have SPF records are affected.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 60 Days
Weight
The SPF Domains risk vector is part of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings.
Weight: 1%
Remediation
Resources
Recommendations
- Create an SPF record.
- Check for common mistakes in your SPF record. An effective SPF record has the following characteristics:
- Has exactly one “all” mechanism or one “redirect” modifier, but not both.
- The all mechanism appears at the end of the record.
- Does not give the all mechanism a neutral (“?all”) or pass (“+all”) qualifier; use “-all” or “~all”. Any redirect modifier occurs after all other mechanisms.
- A company's total SPF grade is based on the assessment of the top-level record and the records of the domains referenced by its include mechanisms and redirect modifiers, up to two levels below it.
- Macro expressions are checked to verify they are formed properly, where applicable.
- All domains should have SPF records, even SMTP servers and those that aren't configured to send mail. If a company does not intend to send mail from a domain, an attacker can still use that domain to spoof email.
- Ensure that evaluating your SPF record does not require more than 10 DNS lookups; the include, a, mx, ptr, and exists mechanisms and the redirect modifier each count, including those in nested records (see RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1, section 4.6.4). The limit is intentional: it bounds the DNS work a receiving mail server performs when validating incoming mail and prevents SPF from being used to amplify Denial of Service attacks against DNS. A record that exceeds the limit yields a “permerror” result, so the check fails even for legitimate mail.
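The recommendations above can be turned into a mechanical check. The following Python script is an added example, not Bitsight's scanner or any code from this page: it parses an SPF record, verifies the terminating term, the all qualifier, redirect placement and macro syntax, follows include/redirect chains two levels below the top-level record as the grading description above says, and counts DNS lookups against the 10-lookup limit. The records in SAMPLE_ZONE are a constructed stand-in for DNS TXT answers; none of those names are real.

```python
import re

SPF_VERSION = "v=spf1"
# Terms that each cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
# Records reached through include/redirect are followed this many levels below the top record.
MAX_DEPTH = 2
# Well-formed macro expansions per RFC 7208 section 7.1: %{letter}[digits][r][delimiters], %%, %_, %-.
MACRO_RE = re.compile(r"%\{[slodiphcrtvSLODIPHCRTV]\d*r?[.\-+,/_=]*\}|%[%_-]")
MODIFIER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*=")

# Constructed sample zone used in place of live DNS TXT lookups (assumption: not real domains).
SAMPLE_ZONE = {
    "example.com": "v=spf1 mx include:_spf.vendor.example ip4:203.0.113.0/24 -all",
    "_spf.vendor.example": "v=spf1 include:_a.vendor.example include:_b.vendor.example ~all",
    "_a.vendor.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_b.vendor.example": "v=spf1 a mx -all",
    "bad.example": "v=spf1 +all include:_spf.vendor.example redirect=example.com",
    "heavy.example": "v=spf1 include:_spf.vendor.example include:_spf.vendor.example "
                     "include:_spf.vendor.example -all",
    "loopy.example": "v=spf1 include:loopy.example -all",
    "macro.example": "v=spf1 exists:%{ir}.%{l1r+-}._spf.%{d} -all",
    "badmacro.example": "v=spf1 exists:%{x}.example ?all",
}


def parse_terms(record):
    """Split an SPF record into (qualifier, name, argument, kind) tuples.

    Mechanisms look like [qualifier]name[:arg][/cidr]; modifiers look like name=arg.
    """
    terms = []
    for raw in record.split()[1:]:
        if MODIFIER_RE.match(raw):
            name, _, arg = raw.partition("=")
            terms.append(("", name.lower(), arg, "modifier"))
            continue
        qualifier = raw[0] if raw[0] in "+-~?" else "+"  # "+" is the default qualifier
        name, _, arg = raw.lstrip("+-~?").partition(":")
        name = name.split("/", 1)[0]  # strip a bare CIDR suffix such as a/24
        terms.append((qualifier, name.lower(), arg, "mechanism"))
    return terms


def check_record(domain, zone, depth=0, chain=()):
    """Assess the record for `domain` and the records it includes or redirects to.

    Returns (issues, lookups): issues is a list of findings as strings, lookups the
    DNS lookups this record costs, including nested records down to MAX_DEPTH.
    """
    record = zone.get(domain)
    if record is None:
        return [f"{domain}: no SPF record published"], 0
    first = record.split()[:1]
    if not first or first[0].lower() != SPF_VERSION:
        return [f"{domain}: record does not start with {SPF_VERSION}"], 0

    issues = []
    terms = parse_terms(record)
    all_idx = [i for i, t in enumerate(terms) if t[3] == "mechanism" and t[1] == "all"]
    redirect_idx = [i for i, t in enumerate(terms) if t[3] == "modifier" and t[1] == "redirect"]

    # Exactly one terminating term: an all mechanism or a redirect modifier, not both.
    if len(all_idx) + len(redirect_idx) != 1:
        issues.append(f"{domain}: expected exactly one 'all' or one redirect, "
                      f"found {len(all_idx)} all / {len(redirect_idx)} redirect")
    if all_idx and all_idx[0] != len(terms) - 1:
        issues.append(f"{domain}: 'all' is not the last term")
    if all_idx and terms[all_idx[0]][0] in ("+", "?"):
        issues.append(f"{domain}: 'all' qualifier is pass/neutral "
                      f"({terms[all_idx[0]][0]}all); use -all or ~all")
    if redirect_idx and any(t[3] == "mechanism" and i > redirect_idx[0] for i, t in enumerate(terms)):
        issues.append(f"{domain}: mechanisms appear after redirect=")

    lookups = 0
    for _qualifier, name, arg, _kind in terms:
        # Strip well-formed macro expansions; any '%' left over is a malformed macro.
        if "%" in MACRO_RE.sub("", arg):
            issues.append(f"{domain}: malformed macro in '{name}:{arg}'")
        if name not in LOOKUP_TERMS:
            continue
        lookups += 1
        # Follow include/redirect targets that need no macro expansion, guarding against loops.
        if name in ("include", "redirect") and "%" not in arg:
            if arg in chain + (domain,):
                issues.append(f"{domain}: {name} loop back to {arg}")
            elif depth < MAX_DEPTH:
                sub_issues, sub_lookups = check_record(arg, zone, depth + 1, chain + (domain,))
                issues.extend(sub_issues)
                lookups += sub_lookups

    if depth == 0 and lookups > MAX_LOOKUPS:
        issues.append(f"{domain}: {lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    return issues, lookups


if __name__ == "__main__":
    for name in SAMPLE_ZONE:
        found, count = check_record(name, SAMPLE_ZONE)
        print(f"{name}: {count} lookups, {len(found)} issue(s)")
        for line in found:
            print("  -", line)
```

To use it against real domains, replace the dictionary lookup in check_record with a TXT query (for example via dnspython) and keep the depth and loop guards; a chain of vendor includes is where the lookup budget is usually exhausted, so the nested count is the number to watch.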
Rescan Base Duration
The Bitsight platform regularly checks for new observations. Findings are rescanned as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated.
Automated Scan: 2 Weeks
User-Requested Rescan: 3 days. See timeline for details.
Finding Behavior
The behavior of findings based on remediation and rescan statuses:
Remediated
- Grades improve when a new SPF Domains finding is detected.
- The remediated finding stops impacting the grade. If a user-requested rescan is initiated, the rescan status is either Remediated or Partially Remediated.
- A new finding impacting the grade is created. If a user-requested rescan is initiated, the rescan status is Replacement Finding.
Not Remediated
- If a user-requested rescan is initiated and the issue persists, the rescan status is Not Remediated and the finding continues to impact the grade until it completes its lifetime.
- June 25, 2025: User-requested rescan base duration is 3 days; Finding behavior grouped by rescan statuses.
- March 26, 2024: “No findings/low findings” changed to “insufficient data.”
- November 10, 2023: Linked to finding messages.