How is the SPF Domains Risk Vector Assessed?

This assessment evaluates the risk of email spoofing by examining the presence and configuration of SPF records. We analyze the primary domain, its subdomains, and any domains associated with sending or attempting to send email, which typically correspond to mail servers.

Impact on Security Rating

Weight: The SPF Domains risk vector contributes 1% of the weight of the Diligence risk category. This category accounts for 70.5% of the total Bitsight Security Rating.

Finding Lifetime: A finding's lifetime, the maximum number of days it affects the risk vector grade when no new information is collected, is 60 days. Learn more about decay and lifetime periods.

Insufficient Data: A default risk vector grade is assigned when insufficient or no data is available.

Grading Behavior

Best Practice: SPF records should exist for all domains, including domains that are not configured to send email and SMTP server hostnames, because a domain without a record can be used to spoof email.
Affected Domains: Only domains that actively send email and lack an SPF record produce a negative finding.
Data Temporarily Unavailable: If no findings exist but data collection is temporarily unavailable, the most recent grade is maintained for up to 340 days before reverting to the default grade.

Evaluation Criteria

SPF records are assessed on two criteria: syntactical correctness and effectiveness, that is, whether the set of hosts authorized to send is clearly defined.

Syntactical Correctness

An SPF record must comply with the SPF RFC (RFC 7208). An effective, correct record defines the set of hosts permitted to send email for the domain and specifies that mail from all other hosts should be rejected ("-all") or accepted but marked ("~all").

Effectiveness

Even if syntactically correct, an SPF record is ineffective if it:
Contains conflicting elements.
Assigns the state "accept" ("+all") or "neutral" ("?all") to all other hosts.
Has more than one SPF answer, i.e. a record under both the DNS TXT record type and the deprecated SPF record type; if both exist, they must match.

Authorized Hosts and Spoofing Risk

Every host a record authorizes can send mail as the domain, so the exposure from a compromised mail server grows with the number of authorized sending hosts.
Requirement: All domains, including those not used for sending mail and SMTP server hostnames, should have SPF records to prevent attackers from using the domain to spoof email.
Grading Impact: Companies without any SPF records receive an "F" grade for this risk vector.
Null Records: Domains not used for sending mail should publish a null SPF record ("v=spf1 -all"), which authorizes no host at all. In the example below, example.com and mail.example.com each authorize a sender, while www.example.com publishes a null record:

example.com.      IN TXT "v=spf1 a:mail.example.com -all"
mail.example.com. IN TXT "v=spf1 a -all"
www.example.com.  IN TXT "v=spf1 -all"

Want to learn more? Need to remediate a bad SPF Domains finding? Learn how here.

December 21, 2025: Updated language for clarity to align with product updates.
July 10, 2025: Time period decreased for findings with insufficient or no data, for the 2025 Ratings Algorithm Update.
April 3, 2025: Added the behavior when we are temporarily unable to collect data.
November 22, 2024: Default grading behavior updated.

Related articles
Understanding the SPF Domains Risk Vector
How is the DKIM Records Risk Vector Assessed?
SPF Domains Findings Messages and Remediation Tips
How is the Web Application Headers Risk Vector Assessed?
How to Create a Sender Policy Framework (SPF) Record
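The criteria in the Evaluation Criteria and Null Records sections above can be checked mechanically. The Python checker below is an added example written for this page; it is not Bitsight's scanner and not code from the article. The status names ("none", "invalid", "ineffective", "effective"), the extra sample records, and the .test domain names are this example's own assumptions. It classifies a domain's TXT strings, flags the null-record form, counts the terms that authorize senders (the spoofing exposure the text describes), and reports the conflicting-element cases RFC 7208 defines (redirect= alongside "all", terms after "all", more than one record). It does no DNS lookups; the records are constructed inline.

```python
import ipaddress

# Added example, not Bitsight's code. Offline checker for the two SPF criteria
# the article describes: syntactical correctness and effectiveness.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
QUALIFIERS = "+-~?"
# What the qualifier on "all" means for every host the record does not list.
ALL_MEANING = {"-": "reject", "~": "accept but mark", "?": "neutral", "+": "accept"}


def parse_spf(record):
    """Split one SPF string into terms and collect syntax errors (RFC 7208 section 4.6)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [], ["record does not start with v=spf1"]
    parsed, errors = [], []
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect=_spf.example.net; unknown ones are ignored per RFC
            name, _, value = term.partition("=")
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, sep, value = term.partition(":")
        if not sep and "/" in name:  # bare dual-CIDR form such as a/24 or mx/24
            name, _, cidr = name.partition("/")
            value = "/" + cidr
        name = name.lower()
        if name not in MECHANISMS:
            errors.append(f"unknown mechanism {name!r}")
            continue
        if name == "all" and (sep or value):
            errors.append("'all' takes no argument")
        if name in ("include", "exists") and not value:
            errors.append(f"{name} requires a domain")
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[-1]):
                    errors.append(f"{name} given an IPv{net.version} address")
            except ValueError:
                errors.append(f"{name} has an invalid address {value!r}")
        parsed.append(("mechanism", qualifier, name, value))
    return parsed, errors


def assess(txt_records, spf_rr_records=()):
    """Grade a domain from the TXT strings the caller already queried (no DNS here).

    spf_rr_records: answers from the deprecated SPF RR type, if any; the article
    requires them to match the TXT answer. Status names are this example's own."""
    spf = [r for r in txt_records if r.split() and r.split()[0].lower() == "v=spf1"]
    if not spf:
        return {"status": "none", "reasons": ["no SPF record published"]}
    reasons = []
    if len(spf) > 1:  # RFC 7208 section 4.5: receivers return permerror
        reasons.append("more than one v=spf1 TXT record")
    if spf_rr_records and sorted(spf_rr_records) != sorted(spf):
        reasons.append("SPF RR type answer differs from the TXT answer")
    if reasons:
        return {"status": "ineffective", "reasons": reasons}
    terms, errors = parse_spf(spf[0])
    if errors:
        return {"status": "invalid", "reasons": errors}
    mechs = [t for t in terms if t[0] == "mechanism"]
    all_idx = next((i for i, t in enumerate(terms) if t[0] == "mechanism" and t[2] == "all"), None)
    has_redirect = any(t[0] == "modifier" and t[1] == "redirect" for t in terms)
    if all_idx is not None:
        default = ALL_MEANING[terms[all_idx][1]]
        if has_redirect:  # RFC 7208 section 6.1: redirect= is ignored when "all" is present
            reasons.append("redirect= together with 'all': conflicting elements")
        if any(t[0] == "mechanism" for t in terms[all_idx + 1:]):
            reasons.append("mechanisms after 'all' are never evaluated: conflicting elements")
    elif has_redirect:
        default = "delegated"  # the redirect target's record decides; not resolved offline
    else:
        default = "neutral"  # RFC 7208 section 4.7: no match and no redirect gives neutral
    if default in ("accept", "neutral"):
        reasons.append(f"unlisted hosts get '{default}', so spoofed mail is not rejected")
    authorized = [t for t in mechs if t[2] != "all" and t[1] == "+"]
    return {
        "status": "ineffective" if reasons else "effective",
        "default": default,
        "authorized_terms": len(authorized),  # more authorizing terms, more spoofing exposure
        "null_record": not authorized and default == "reject",
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed records: the three from the article plus deliberately weak ones.
    SAMPLES = {
        "example.com": ["v=spf1 a:mail.example.com -all"],
        "mail.example.com": ["v=spf1 a -all"],
        "www.example.com": ["v=spf1 -all"],
        "plusall.test": ["v=spf1 include:_spf.example.net +all"],
        "noall.test": ["v=spf1 a mx"],
        "duplicate.test": ["v=spf1 ip4:192.0.2.0/24 -all", "v=spf1 mx -all"],
        "typo.test": ["v=spf1 ip4:2001:db8::1 -all"],
        "norecord.test": ["site-verification=constructed-sample"],
    }
    for domain, txt in SAMPLES.items():
        result = assess(txt)
        print(f"{domain:18} {result['status']:12} {'; '.join(result['reasons']) or 'ok'}")
```

The checker deliberately treats a record with no "all" term and no redirect= as ineffective: RFC 7208 gives such a record a neutral result for unlisted hosts, which is the same exposure as an explicit "?all". It does not follow include: or redirect= targets, so a record that is effective only through a delegated policy is reported as "delegated" rather than graded.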