To assess the SPF Domains risk vector, we look for the presence of SPF records on the company’s primary domain, its subdomains, and any domain that has sent or attempted to send email. The sending domains typically correspond to mail servers.
Impact
- A default risk vector grade is assigned.
- Having SPF records for all domains (including SMTP servers and those that aren’t configured to send email) is best practice. If a company does not intend to send email from a domain, an attacker can still use that domain to spoof email. Only domains that are sending email and don’t have SPF records are affected.
- Duration: 60 Days. This is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
- Percentage (out of 70.5% in Diligence): 1%
Evaluation
An assessment is based on the syntactical correctness of the record and on how effectively it restricts the set of hosts authorized to send email on behalf of the domain:
Syntactical Correctness
A record is syntactically correct if it conforms to the SPF RFC. An effective SPF record identifies the set of hosts that are allowed to send email on behalf of the domain and states that email from all other hosts should be assigned the state “reject” or “accept but mark.”
Effectiveness
A syntactically correct SPF record may still be ineffective if it contains conflicting elements or assigns the state “accept” or “neutral” to all other hosts. A domain must publish only one SPF answer, whether in a DNS TXT record or in a dedicated SPF record type. If both a TXT answer and an SPF answer exist, they must match.
Number of Authorized Hosts
The larger the number of hosts authorized to send email on behalf of a domain, the higher the chance that one of those mail servers is compromised. All domains should have SPF records, including SMTP servers and domains that aren’t configured to send mail. Even if a company does not intend to send mail from a domain, an attacker can still use that domain to spoof email. Because of this, companies without SPF records will have an SPF grade of “F.” Domains that aren’t being used to send mail should have null SPF records.
Example records (the last one, for www.example.com, is a null record):
```
example.com.      IN TXT "v=spf1 a:mail.example.com -all"
mail.example.com. IN TXT "v=spf1 a -all"
www.example.com.  IN TXT "v=spf1 -all"
```
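The checks described above (syntactical correctness, the “all” qualifier that decides effectiveness, the count of authorized hosts, and null records) as a small Python evaluator. This is an added example, not Bitsight’s own scoring code; the status names are assumptions, the input is the list of TXT answers for one domain, and `redirect=`/`exp=` modifiers and the separate SPF record type are not followed.

```python
MECHANISMS = {"a", "mx", "ip4", "ip6", "include", "exists", "ptr"}


def evaluate_spf(txt_answers):
    """Classify a domain's SPF posture from its DNS TXT answers.

    Returns (status, authorized, detail). status is one of "missing",
    "invalid", "ineffective", "null" or "effective" (names assumed here);
    authorized counts the terms that permit hosts to send for the domain.
    """
    spf = [a.strip() for a in txt_answers if a.strip().lower().startswith("v=spf1")]
    if not spf:
        return "missing", 0, "no v=spf1 record published"
    if len(spf) > 1:
        # Two SPF answers are a permanent error; receivers do not pick the stricter one.
        return "invalid", 0, "more than one v=spf1 record published"
    all_qualifier = None
    authorized = 0
    for term in spf[0].split()[1:]:
        if "=" in term:  # modifier such as redirect= or exp=; not evaluated here
            continue
        qualifier, mechanism = "+", term
        if term[0] in "+-~?":
            qualifier, mechanism = term[0], term[1:]
        name = mechanism.split(":", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
            break  # anything after "all" is never evaluated by receivers
        if name not in MECHANISMS:
            return "invalid", authorized, f"unknown mechanism {term!r}"
        authorized += 1
    if all_qualifier is None:
        return "ineffective", authorized, "no 'all' term; unlisted hosts get a neutral result"
    if all_qualifier in "+?":
        return "ineffective", authorized, f"'{all_qualifier}all' accepts or neutrals every other host"
    if authorized == 0:
        return "null", 0, "null record: no host may send mail for this domain"
    return "effective", authorized, f"{authorized} authorized term(s); all others get '{all_qualifier}all'"


if __name__ == "__main__":
    # Constructed sample answers, mirroring the example records on the page
    samples = {
        "example.com": ["v=spf1 a:mail.example.com -all"],
        "www.example.com": ["v=spf1 -all"],
        "open.example": ["v=spf1 a mx +all"],
    }
    for domain, answers in samples.items():
        print(domain, *evaluate_spf(answers))
```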
Finding Grading
Diligence findings are evaluated as GOOD, FAIR, BAD, or NEUTRAL. An overall letter grade is calculated, using the evaluations of individual findings.
If the finding has no message, the SPF record is effectively preventing unauthorized individuals from sending spoofed email from this domain: it is properly configured and only authorizes the necessary hosts to send email.
- An effective SPF record is graded as GOOD.
- FAIR findings for this risk vector have a negative impact on the rating.
See finding messages.
- March 26, 2024: “No findings/low findings” changed to “insufficient data.”
- December 12, 2023: Linked to no findings definition.
- December 4, 2023: Finding lifetime definition link changed to Finding Lifetime section.