SPF Domains Risk Vector

⇤ Diligence Risk Category

The SPF Domains risk vector assesses the effectiveness of Sender Policy Framework (SPF) records, which are DNS records that identify mail servers permitted to send email on behalf of a domain. Properly configured SPF records ensure that only authorized hosts can send email on behalf of a company by providing receiving mail servers the information they need to reject mail sent by unauthorized hosts.

Only domains that are sending email and have not implemented SPF are assessed for this risk type. See data collection methods.

Risks

Without SPF records, attackers can pose as legitimate senders from trusted domains. This makes it difficult to trace a message to its source and easy for spammers to hide their identity.

Grading

See how the SPF Domains risk vector is graded.

Remediation

Resources

• Findings
• Finding Messages

Recommendations

• Create an SPF record.
• Check for common mistakes in your SPF record. An effective SPF record has the following characteristics:
  • Has one “all statement” or a “redirect,” but not both.
  • The all statement appears at the end of the record.
  • Does not give neutral or pass to the all statement. Any redirect occurs after all other mechanisms.
  • A company's total SPF grade is based on the assessment of the top level record and the records of the domains specified in the includes and redirects up to two levels below.
  • Macro expressions are checked to verify they are formed properly, where applicable.
• All domains should have SPF records, even SMTP servers and those that aren't configured to send mail. If a company does not intend to send mail from a domain, an attacker can still use that domain to spoof email.

Finding Behavior