SPF Domains Risk Vector: Core Overview
Erin Conry

The SPF Domains risk vector assesses the effectiveness of Sender Policy Framework (SPF) records: DNS TXT records that identify the mail servers permitted to send email on behalf of a domain. A properly configured SPF record gives receiving mail servers the information they need to reject mail from hosts the domain owner has not authorized, so that only authorized hosts can send email on behalf of a company.

Risk Category: Diligence
Default Grade: F
Current Rating Impact: 1%
Finding Lifetime: 60 days (the duration a finding impacts your grade if no changes occur)
Scan Cadence: Automated every 2 weeks (or ~3 days via user-requested rescan)
Can I request an immediate rescan for this finding? No.

Only domains that are sending email and have not implemented SPF are assessed for this risk type. See data collection methods.

What is Sender Policy Framework?

Sender Policy Framework (SPF) is an email authentication standard (RFC 7208). A domain publishes an SPF record, a DNS TXT record beginning with "v=spf1", that lists the mail servers permitted to send email on its behalf. SPF records help prevent spammers from sending email with forged "From" addresses: a recipient checks the SPF record of the sending domain to determine whether a message claiming to come from that domain was in fact handed over by a mail server the domain has authorized.

How is the SPF Domains Risk Vector graded?

Bitsight evaluates the risk of email spoofing by examining the presence and configuration of SPF records. We analyze the primary domain, its subdomains, and any domains associated with sending or attempting to send email (typically the domains of mail servers) using the following criteria.

Evaluation Criteria

SPF records are assessed on two main criteria: syntactical correctness and effectiveness, the latter focusing on whether the set of authorized hosts is clearly defined.

Syntactical Correctness

An SPF record must comply with the SPF RFC (RFC 7208).
An effective, correct record defines the set of hosts permitted to send email for the domain and specifies that all other hosts should be rejected ("-all", fail) or accepted but marked ("~all", softfail).

Overall Effectiveness

Even if syntactically correct, an SPF record is ineffective if it:
- Contains conflicting elements (for example, two "all" mechanisms, or mechanisms placed after "all" that can never be evaluated).
- Assigns the state "accept" ("+all", pass) or "neutral" ("?all") to all other hosts. A record with no "all" term has the same effect, because unlisted hosts then receive the RFC default result of neutral.
- Publishes more than one SPF record: multiple "v=spf1" TXT records, or a TXT record and a legacy SPF (type 99) record that disagree; if both exist, they must match.

Authorized Hosts and Spoofing Risk

The more hosts an SPF record authorizes, the greater the spoofing risk: compromise of any one authorized host, or of a shared provider trusted through an "include", lets an attacker send mail that passes SPF for the domain. Keep the authorized set as small as the domain's actual sending infrastructure requires.

Requirement: All domains, including those not used for sending mail and the domain names of SMTP servers themselves, should have SPF records to prevent attackers from using the domain to spoof email.
Grading Impact: Companies without any SPF records receive an "F" grade for this risk vector.
Null Records: Domains not used for sending mail should publish a null SPF record, "v=spf1 -all", which authorizes no hosts at all.

Need to remediate a bad SPF Domains finding? Learn how here.

Change log
- June 25, 2025: User-requested rescan base duration is 3 days; finding behavior grouped by rescan statuses.
- March 26, 2024: "No findings/low findings" changed to "insufficient data."
- November 10, 2023: Linked to finding messages.

Related articles
- DKIM Records Risk Vector: Core Overview
- Finding Behavior
- TLS/SSL Configurations Risk Vector
- Data Collection Methods Overview
- TLS/SSL Finding Remediation & Remediation Verification
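Worked example: checking a record against the evaluation criteria

The following Python script is added here as an illustration; it is not part of this article and not Bitsight's scanner. It applies the two criteria described above (syntactic correctness and effectiveness) to the TXT answers of a domain: it parses each term of a "v=spf1" record, rejects malformed mechanisms and multiple records, counts the DNS-lookup terms that RFC 7208 caps at 10, flags conflicting elements, and reports whether unlisted hosts receive fail or softfail (effective), pass or neutral (ineffective), or whether the record is a null "v=spf1 -all". The domains and TXT answers in SAMPLE_ZONES are constructed for the example using documentation-reserved names; the script performs no DNS queries.

```python
"""Offline SPF record checker following the two grading criteria above:
syntactic correctness (RFC 7208 grammar, exactly one record) and
effectiveness (what the record says about hosts it does not list).
Added example, not Bitsight's scanner; the rules simplify RFC 7208."""
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 s4.6.4: max 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9_-]+\.)*[a-z0-9-]+\.?$", re.I)


def parse_term(term):
    """Return (kind, qualifier, name, argument) for one SPF term; ValueError if malformed."""
    if "=" in term:                                   # modifier: name=value
        name, _, value = term.partition("=")
        name = name.lower()
        if not re.fullmatch(r"[a-z][a-z0-9_.-]*", name):
            raise ValueError(f"malformed modifier {term!r}")
        if name in ("redirect", "exp") and "%" not in value and not DOMAIN_RE.match(value):
            raise ValueError(f"{name}= needs a domain, got {value!r}")
        return ("modifier", None, name, value)
    qualifier = "+"                                   # an absent qualifier means pass
    if term[:1] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    m = re.fullmatch(r"([a-z0-9]+)(?::([^/]+))?(?:/(\d{1,3}))?", term, re.I)
    if not m or m.group(1).lower() not in MECHANISMS:
        raise ValueError(f"unknown mechanism {term!r}")
    name, arg, cidr = m.group(1).lower(), m.group(2), m.group(3)
    if name == "all" and (arg or cidr):
        raise ValueError("'all' takes no argument")
    if name in ("ip4", "ip6"):
        if not arg:
            raise ValueError(f"{name} needs an address")
        net = ipaddress.ip_network(f"{arg}/{cidr}" if cidr else arg, strict=False)
        if net.version != int(name[2]):
            raise ValueError(f"{name} given an IPv{net.version} address")
        arg = str(net)                                # normalised, e.g. 192.0.2.10/32
    elif name in ("include", "exists") and not arg:
        raise ValueError(f"{name} needs a domain")
    elif arg and "%" not in arg and not DOMAIN_RE.match(arg):  # macro args (%{d}) are not checked
        raise ValueError(f"bad domain {arg!r} in {name}")
    return ("mechanism", qualifier, name, arg)


def evaluate_spf(txt_records):
    """Grade one domain's TXT answers -> dict(status, reasons, lookups).
    status: none | invalid | ineffective | redirect | null | effective."""
    spf = [r for r in txt_records if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return {"status": "none", "reasons": ["no v=spf1 record published"], "lookups": 0}
    if len(spf) > 1:
        return {"status": "invalid", "reasons": [f"{len(spf)} SPF records; RFC 7208 s3.2 allows one"], "lookups": 0}
    try:
        parsed = [parse_term(t) for t in spf[0].split()[1:]]
    except ValueError as exc:
        return {"status": "invalid", "reasons": [str(exc)], "lookups": 0}
    lookups = sum(p[2] in LOOKUP_TERMS for p in parsed)
    if lookups > 10:                                  # receivers return permerror: record is useless
        return {"status": "invalid", "reasons": [f"{lookups} DNS-lookup terms, limit is 10"], "lookups": lookups}
    alls = [i for i, p in enumerate(parsed) if p[2] == "all"]
    redirects = [p[3] for p in parsed if p[0] == "modifier" and p[2] == "redirect"]
    reasons = []
    if len(alls) > 1:
        reasons.append("conflicting: more than one 'all'")
    if alls and any(p[0] == "mechanism" for p in parsed[alls[0] + 1:]):
        reasons.append("conflicting: mechanisms after 'all' are never reached")
    if alls and redirects:
        reasons.append("conflicting: redirect= is ignored when 'all' is present (RFC 7208 s6.1)")
    if len(redirects) > 1:
        reasons.append("conflicting: more than one redirect=")
    if alls and parsed[alls[0]][1] in "+?":
        q = parsed[alls[0]][1]
        reasons.append(f"'{q}all' gives unlisted hosts {QUALIFIERS[q]}; use -all or ~all")
    elif not alls and not redirects:
        reasons.append("no 'all' term: unlisted hosts default to neutral (RFC 7208 s4.7)")
    if reasons:
        return {"status": "ineffective", "reasons": reasons, "lookups": lookups}
    if not alls:                                      # redirect= only: verdict lives in the target record
        return {"status": "redirect", "reasons": [f"effectiveness depends on {redirects[0]}"], "lookups": lookups}
    if parsed == [("mechanism", "-", "all", None)]:
        return {"status": "null", "reasons": ["v=spf1 -all: domain sends no mail"], "lookups": 0}
    return {"status": "effective", "reasons": [], "lookups": lookups}


# Constructed TXT answers for documentation-reserved domains; not real DNS lookups.
SAMPLE_ZONES = {
    "good.example":   ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
                       "google-site-verification=constructed"],
    "soft.example":   ["v=spf1 mx a:mail.soft.example ip6:2001:db8::/32 ~all"],
    "open.example":   ["v=spf1 include:_spf.mailhost.example +all"],
    "noall.example":  ["v=spf1 ip4:198.51.100.7"],
    "order.example":  ["v=spf1 -all ip4:198.51.100.7"],
    "dup.example":    ["v=spf1 -all", "v=spf1 ip4:198.51.100.7 -all"],
    "typo.example":   ["v=spf1 ip4:198.51.100.7/33 -all"],
    "parked.example": ["v=spf1 -all"],
    "nospf.example":  ["v=DMARC1; p=reject"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLE_ZONES.items():
        verdict = evaluate_spf(txt)
        print(f"{domain:16} {verdict['status']:12} {'; '.join(verdict['reasons'])}")
```

Run directly, it prints one verdict per sample domain. To check a live domain, replace the SAMPLE_ZONES entry with the answers from "dig TXT <domain> +short", quoted exactly as returned. One simplification to keep in mind: "include" and "redirect" targets are counted toward the lookup limit but not followed, so an include of a provider whose own record ends in "+all" would still be reported as effective here; a complete check has to recurse into those records with the same rules.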