The SPF Domains risk vector assesses the effectiveness of Sender Policy Framework (SPF) records, which are DNS records that identify mail servers permitted to send email on behalf of a domain. Properly configured SPF records ensure that only authorized hosts can send email on behalf of a company by providing receiving mail servers the information they need to reject mail sent by unauthorized hosts.
Only domains that are sending email and have not implemented SPF are assessed for this risk type. See data collection methods.
Risks
Without SPF records, attackers can pose as legitimate senders from trusted domains. This makes it difficult to trace a message to its source and easy for spammers to hide their identity.
Grading
See how the SPF Domains risk vector is graded.
Concept | Behavior
---|---
Duration | 60 Days
Insufficient data | A default risk vector grade is assigned.
 | Having SPF records for all domains (including SMTP servers and those that aren’t configured to send email) is best practice. If a company does not intend to send email from a domain, an attacker can still use that domain to spoof email. Only domains that are sending email and don’t have SPF records are affected.
Percentage (out of 70.5% in Diligence) | 1%
Remediation
Resources
Recommendations
- Create an SPF record.
- Check for common mistakes in your SPF record. An effective SPF record has the following characteristics:
  - Has one “all statement” or a “redirect,” but not both.
  - The all statement appears at the end of the record.
  - Does not give a neutral or pass qualifier to the all statement.
  - Any redirect occurs after all other mechanisms.
- A company's total SPF grade is based on the assessment of the top-level record and the records of the domains specified in its includes and redirects, up to two levels below.
- Macro expressions are checked to verify that they are formed properly, where applicable.
- All domains should have SPF records, even SMTP servers and those that aren't configured to send mail. If a company does not intend to send mail from a domain, an attacker can still use that domain to spoof email.
- Ensure that your SPF record does not exceed 10 DNS lookups (see RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1). This limit is intentional: it prevents denial-of-service attacks through the DNS lookups a receiving mail server performs when it validates incoming mail using SPF.
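The checks above can be run statically before publishing a record. The following is an added example, not Bitsight's own grading code: it flags the all/redirect mistakes listed above and counts DNS-lookup terms across included and redirected records up to two levels below the top-level record, using a constructed in-memory dict in place of real DNS TXT queries (the domains and records are illustrative assumptions).

```python
import re
# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def term_name(term: str) -> str:
    """Strip qualifier and argument: '+include:_spf.example.net' -> 'include'."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), 1)[0].lower()

def check_record(record: str) -> list[str]:
    """Static checks of one SPF TXT record against the characteristics listed above."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    problems = []
    alls = [i for i, t in enumerate(terms) if term_name(t) == "all"]
    redirects = [i for i, t in enumerate(terms) if term_name(t) == "redirect"]
    if alls and redirects:
        problems.append("has both an all statement and a redirect")
    if not alls and not redirects:
        problems.append("has neither an all statement nor a redirect")
    if len(alls) > 1:
        problems.append("more than one all statement")
    if alls and alls[-1] != len(terms) - 1:
        problems.append("all statement is not the last term")
    if any(terms[i][0] not in "-~" for i in alls):  # bare 'all' means +all
        problems.append("all statement is pass (+all) or neutral (?all)")
    if any("=" not in t for i in redirects for t in terms[i + 1:]):
        problems.append("redirect is followed by further mechanisms")
    return problems

def total_lookups(domain: str, records: dict, depth: int = 0, max_depth: int = 2) -> int:
    """Count lookup terms in a domain's record plus the records it includes or redirects
    to, `max_depth` levels down. `records` is a constructed stand-in for DNS TXT data."""
    count = 0
    for t in records.get(domain, "").split()[1:]:
        name = term_name(t)
        if name in LOOKUP_TERMS:
            count += 1
        if name in ("include", "redirect") and depth < max_depth:
            target = t.partition(":" if name == "include" else "=")[2]
            count += total_lookups(target, records, depth + 1, max_depth)
    return count

# Constructed sample records; the domains are illustrative, not real SPF data.
RECORDS = {
    "example.com": "v=spf1 mx include:_spf.example.net include:mail.example.org -all",
    "_spf.example.net": "v=spf1 ip4:192.0.2.0/24 a:relay.example.net a:smtp.example.net ~all",
    "mail.example.org": "v=spf1 mx mx:backup.example.org include:deep.example.org -all",
    "deep.example.org": "v=spf1 a a:x.example.org a:y.example.org a:z.example.org -all",
}
```

With the sample data, `total_lookups("example.com", RECORDS)` returns 12, over the limit of 10, even though every individual record looks clean; the excess only shows up once the includes are followed.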
Finding Behavior
Concept | Behavior
---|---
 | The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., a newly observed Diligence finding or a remediated existing finding.
Automated Scan Duration | 2 Weeks
User-Requested Refresh Duration | 1 Business Day
 | Impact is immediate. The old finding is replaced by a new finding. Grades improve when a new SPF Domains finding is detected.
- March 26, 2024: “No findings/low findings” changed to “insufficient data.”
- November 10, 2023: Linked to finding messages.
- August 16, 2023: New Grading & Finding Behavior sections.