- November 10, 2023: Linked to finding messages.
- August 16, 2023: New Grading & Finding Behavior sections.
- May 11, 2020: Linked to related topics (rating details, data collection methods, & finding details).
The SPF Domains risk vector assesses the effectiveness of Sender Policy Framework (SPF) records, which are DNS records that identify mail servers permitted to send email on behalf of a domain. Properly configured SPF records ensure that only authorized hosts can send email on behalf of a company by providing receiving mail servers the information they need to reject mail sent by unauthorized hosts.
Only domains that are sending email and have not implemented SPF are assessed for this risk type. See data collection methods.
Without SPF records, attackers can pose as legitimate senders from trusted domains. This makes it difficult to trace a message to its source and easy for spammers to hide their identity.
See how the SPF Domains risk vector is graded.
Having SPF records for all domains (including SMTP servers and those that aren’t configured to send email) is best practice. If a company does not intend to send email from a domain, an attacker can still use that domain to spoof email.
Only domains that are sending email and don’t have SPF records are affected.
(Out of 70.5% in Diligence)
- Create an SPF record.
- Check for common mistakes in your SPF record. An effective SPF record has the following characteristics:
  - Has one “all statement” or a “redirect,” but not both.
  - The all statement appears at the end of the record.
  - Does not give neutral or pass to the all statement.
  - Any redirect occurs after all other mechanisms.
- A company's total SPF grade is based on the assessment of the top level record and the records of the domains specified in the includes and redirects up to two levels below.
- Macro expressions are checked to verify they are formed properly, where applicable.
- All domains should have SPF records, even SMTP servers and those that aren't configured to send mail. If a company does not intend to send mail from a domain, an attacker can still use that domain to spoof email.
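The single-record checks listed above, as an added example that is not part of this page or of the rating service's own grader: a small Python linter that parses one SPF record and reports violations of the all/redirect rules. It does not follow includes or redirects and does not validate macros; the sample records are constructed for the example.

```python
import re

# A term containing "=" (redirect=, exp=) is a modifier; everything else is a mechanism.
def _is_modifier(term: str) -> bool:
    return "=" in term and not term.lower().startswith("v=")

# Qualifier of a mechanism; an absent qualifier means "+" (pass), per the SPF syntax.
def _qualifier(mechanism: str) -> str:
    return mechanism[0] if mechanism[0] in "+-~?" else "+"

def check_spf(record: str) -> list[str]:
    """Return the list of problems found; an empty list means the record passes these checks."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing or misplaced v=spf1 version tag"]
    body = terms[1:]
    mechanisms = [t for t in body if not _is_modifier(t)]
    all_terms = [m for m in mechanisms if re.fullmatch(r"[+\-~?]?all", m, re.I)]
    redirects = [t for t in body if t.lower().startswith("redirect=")]
    if len(all_terms) > 1:
        problems.append("more than one all mechanism")
    if all_terms and redirects:
        problems.append("record has both an all mechanism and a redirect")
    if not all_terms and not redirects:
        problems.append("record has neither an all mechanism nor a redirect")
    if all_terms and mechanisms[-1] not in all_terms:
        problems.append("all mechanism is not the last mechanism")
    for m in all_terms:
        if _qualifier(m) in "+?":
            problems.append(f"all mechanism has qualifier '{_qualifier(m)}' (pass or neutral)")
    if redirects:
        # The redirect must come after every mechanism in the record.
        last_mech_pos = max((i for i, t in enumerate(body) if not _is_modifier(t)), default=-1)
        if body.index(redirects[0]) < last_mech_pos:
            problems.append("redirect appears before other mechanisms")
    return problems

# Constructed sample records (example.com/.net/.org are documentation domains, not real senders).
SAMPLES = {
    "good": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "pass_all": "v=spf1 include:_spf.example.net +all",
    "all_and_redirect": "v=spf1 include:_spf.example.net -all redirect=example.org",
    "all_not_last": "v=spf1 -all ip4:192.0.2.1",
    "redirect_early": "v=spf1 redirect=example.org ip4:192.0.2.1",
    "neutral_all": "v=spf1 mx ?all",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name}: {check_spf(record) or 'ok'}")
```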
Automated: 2 Weeks
User-Requested: 1 Day
| Finding status | Behavior |
|---|---|
| Remediated | The old finding is replaced by a new finding. Grades improve when a new SPF Domains finding is detected. |