Understanding the SPF Domains Risk Vector

Erin Conry

The SPF Domains risk vector is part of the Diligence risk category. It assesses the effectiveness of Sender Policy Framework (SPF) records, which are DNS records that identify the mail servers permitted to send email on behalf of a domain. Properly configured SPF records ensure that only authorized hosts can send email on behalf of a company by giving receiving mail servers the information they need to reject mail sent by unauthorized hosts.

Only domains that are sending email and have not implemented SPF are assessed for this risk type. See data collection methods.

What is a Sender Policy Framework?

Sender Policy Framework (SPF) is a DNS record that identifies the mail servers permitted to send email on behalf of a domain. SPF records help prevent spammers from sending emails with forged “From” addresses. Recipients can check the SPF record to ascertain whether an email claiming to have been sent from someone at a particular domain was indeed sent from a mail server authorized by that domain.

Risks

Without SPF records, attackers can pose as legitimate senders from trusted domains. This makes it difficult to trace a message to its source and easy for spammers to hide their identity.

Remediation

Recommendations

- Create an SPF record.
- Check for common mistakes in your SPF record. An effective SPF record has the following characteristics:
  - Has one “all statement” or a “redirect,” but not both.
  - The all statement appears at the end of the record.
  - Does not give neutral or pass to the all statement.
  - Any redirect occurs after all other mechanisms.

A company's total SPF grade is based on the assessment of the top-level record and the records of the domains specified in the includes and redirects up to two levels below. Macro expressions are checked to verify they are formed properly, where applicable.
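To make the record characteristics above concrete, here is an added example of a small Python checker that applies them to a single SPF TXT string offline. It is not Bitsight's code and does not reproduce how the platform scores records; it tests the rules listed here (one all statement or redirect but not both, all as the last term, no pass or neutral qualifier on all, redirect after the other mechanisms) together with the RFC 7208 limit of 10 DNS-lookup terms that this page also calls out. Because it resolves nothing, the lookup count covers only the top-level record, whereas Bitsight follows includes and redirects two levels down. The sample records and domain names are constructed for the example.

```python
"""Offline checker for the SPF-record characteristics listed on this page.

Added example, not Bitsight code. It parses one TXT record string and
performs no DNS queries, so nested include/redirect targets are not followed.
"""
import re
from dataclasses import dataclass, field

# Mechanisms that cost a DNS lookup under RFC 7208 section 4.6.4
# (redirect= is counted separately below; exp= costs nothing).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10  # RFC 7208 limit


@dataclass
class SpfCheck:
    record: str
    lookups: int = 0
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _parse_term(term: str):
    """Split one SPF term into (qualifier, name, is_modifier).

    Mechanisms look like include:_spf.example.com or ip4:192.0.2.0/24 and may
    carry a qualifier prefix (+ - ~ ?); modifiers look like redirect=example.com.
    """
    qualifier = "+"  # RFC 7208: a missing qualifier means pass
    if term and term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    if "=" in term:
        return qualifier, term.split("=", 1)[0].lower(), True
    name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
    return qualifier, name, False


def check_spf(record: str) -> SpfCheck:
    """Apply the checks listed on this page to a single SPF TXT record."""
    result = SpfCheck(record)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        result.problems.append("record does not start with v=spf1")
        return result

    body = terms[1:]
    all_idx = []        # positions of 'all' mechanisms
    redirect_idx = []   # positions of 'redirect=' modifiers
    mechanism_idx = []  # positions of every mechanism other than 'all'

    for i, term in enumerate(body):
        qualifier, name, is_modifier = _parse_term(term)
        if is_modifier:
            if name == "redirect":
                redirect_idx.append(i)
                result.lookups += 1
            continue
        if name == "all":
            all_idx.append(i)
            if qualifier in "+?":  # pass or neutral defeats the purpose of 'all'
                result.problems.append(
                    f"all statement {term!r} gives pass or neutral; use -all or ~all")
            continue
        mechanism_idx.append(i)
        if name in LOOKUP_MECHANISMS:
            result.lookups += 1

    if all_idx and redirect_idx:
        result.problems.append("record has both an all statement and a redirect")
    elif not all_idx and not redirect_idx:
        result.problems.append("record has neither an all statement nor a redirect")
    if len(all_idx) > 1:
        result.problems.append("record has more than one all statement")
    if all_idx and all_idx[-1] != len(body) - 1:
        result.problems.append("all statement is not the last term")
    if redirect_idx and mechanism_idx and redirect_idx[0] < max(mechanism_idx):
        result.problems.append("redirect appears before other mechanisms")
    if result.lookups > MAX_LOOKUPS:
        result.problems.append(
            f"{result.lookups} DNS-lookup terms exceed the RFC 7208 limit of {MAX_LOOKUPS}")
    return result


if __name__ == "__main__":
    # Constructed sample records (example.net / example.org are reserved names).
    samples = [
        "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
        "v=spf1 include:a.example.net include:b.example.net ~all redirect=_spf.example.org",
        "v=spf1 a mx +all",
        "v=spf1 " + " ".join(f"include:s{i}.example.net" for i in range(11)) + " -all",
    ]
    for rec in samples:
        res = check_spf(rec)
        print(f"{'OK ' if res.ok else 'BAD'} lookups={res.lookups:2d} {rec}")
        for p in res.problems:
            print(f"      - {p}")
```

Run it with the record you publish (for example, the output of `dig +short TXT yourdomain.example`) to get a list of the rule violations before requesting a rescan; an empty problem list means the top-level record passes every check this page lists.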
- All domains should have SPF records, even SMTP servers and those that aren't configured to send mail. If a company does not intend to send mail from a domain, an attacker can still use that domain to spoof email.
- Ensure that your SPF record does not exceed 10 DNS lookups (see RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1). This limit is intentional: it prevents denial-of-service attacks through the DNS lookups a mail server performs when it validates incoming mail using SPF.

Rescan Base Duration

The Bitsight platform regularly checks for new observations. Findings are rescanned as these observations change, e.g., newly observed Diligence findings or an existing finding that was remediated.

Automated Scan: 2 Weeks
User-Requested Rescan: 3 days. See timeline for details.

Finding Behavior

The behavior of findings based on remediation and rescan statuses:

Remediated
- Grades improve when a new SPF Domains finding is detected. The remediated finding stops impacting the grade. If a user-requested rescan is initiated, the rescan status is either Remediated or Partially Remediated.
- A new finding impacting the grade is created. If a user-requested rescan is initiated, the rescan status is Replacement Finding.

Not Remediated
- If a user-requested rescan is initiated and the issue persists, the rescan status is Not Remediated and the finding continues to impact the grade until it completes its lifetime.

Where can I view my SPF Domains Grades and Findings?

- SPM App: Findings ➔ Findings Table
- CM App: Portfolio Risk ➔ Companies List ➔ Vendor Risk ➔ Findings
- Insurance App: Portfolio Risk ➔ Companies List ➔ Client Risk ➔ Findings
- Bitsight API: GET: SPF Domains Finding Details [/v1/companies/entity_guid/findings?risk_vector=spf]

June 25, 2025: User-requested rescan base duration is 3 days; finding behavior grouped by rescan statuses.
March 26, 2024: “No findings/low findings” changed to “insufficient data.”
November 10, 2023: Linked to finding messages.

Related articles

- DKIM Records Risk Vector
- Finding Behavior
- TLS/SSL Configurations Risk Vector
- Data Collection Methods Overview
- TLS/SSL Finding Remediation & Remediation Verification