Valimail White Paper

February 2018

What is SPF?

Introduction

Sender Policy Framework (SPF) is a cornerstone of authentication, and is the first of several standards established for that purpose.

In a simplistic sense, SPF lets you create a whitelist for IP addresses. If mail from an IP address that’s not on your list tries to use your domain, it won’t pass the SPF authentication test.

Work on SPF started in 2003, and domains have been deploying it increasingly widely since then. SPF was published as RFC 4408 in 2006, and became an officially proposed Internet standard via RFC 7208 in 2014.

SPF is widely used by major and minor receivers of email (Google, Microsoft, Yahoo, etc.) as well as all Secure Email Gateways (SEGs).

How It Works

The way SPF works is quite simple in principle:

1. Domain owners publish SPF records to the Domain Name System (DNS) that spell out the rule sets for their domains. An SPF record is plain text, and it can be as simple as a single line listing the IP addresses that are allowed to send email on the domain’s behalf.

2. When an email server receives an incoming email, it examines the domain shown in the message’s Return-Path header.

3. Using DNS, it checks to see if there is an SPF record for that domain.

4. If there is a record, the receiving server then checks the IP address of the mail server that sent the message to figure out if it matches the SPF rules.

5. If there’s a match, the email passes the test and, in most cases, is delivered to the user’s inbox; if not, the receiving server will typically reject the message or add a flag to mark it as suspicious.

While simple in theory, SPF can be complex to implement in practice. One potential gotcha is that SPF records are text, but the syntax is a little tricky and it can be easy to make typos or other errors that are hard to spot and which render the SPF record useless.

For instance, we examined the SPF records for all 62 sponsors of the 2017 RSA Conference. We found 58 who had published SPF records, but 17 of those had records with errors in them. That’s a nearly 30 percent failure rate — and that’s among security companies.

Companies that don’t have a lot of expertise in cybersecurity in general (and email security in particular) often find SPF even more tricky. Even some companies that provide email security systems have issues with their SPF records!

Second, the rules (“directives” in the language of SPF) can be quite a bit more complicated than lists of IP addresses. For example, an SPF record can include:

• A list of specific permitted IP addresses or net blocks (ranges of IPs)

• Rules that point to other types of DNS records. For instance, “if the MX record or the A record for the sending server contains a specific IP address, let the message pass.”

• “Include” directives that reference SPF rules controlled by another entity. For example, if you are using Google’s G Suite and you want to enable SPF for the mail sent by Gmail (as well as email notifications sent by Google Docs, Google Calendar, and so on) you would add “include:_spf.google.com” to your SPF record. This tells mail servers to do an additional DNS lookup for _spf.google.com to find additional SPF rules listed there. Many other cloud services that send email on their customers’ behalf — and there are thousands of them — use a similar approach.

Return-Path vs. From Addresses

The first big issue with SPF is that it uses the domain shown in a message’s Return-Path field for authentication, not the From address that humans can actually read. (To be fair, humans can read the Return-Path address too, but usually only by selecting an option to view a message’s full headers or the raw text of the full message. It’s not usually shown by default.)

The Return-Path is used to indicate where bounce messages (such as non-delivery reports) should go. In some cases, that address will have the same domain as what’s shown in the From field, but the domains may differ in other cases. For example, if you’re sending mail through a mailing list, the From field might show your address, while the Return-Path field shows the address of the email list. Or if you’re using a bulk mailing service like MailChimp, the Return-Path address might be an address that directs bounces to MailChimp, while the human-readable From field shows your company’s address.

If the domain shown in the Return-Path for your messages doesn’t authenticate properly, then your messages may get rejected.

Worse, phishers can use the general invisibility of Return-Path to set up their own domains with their own SPF records. Then they can send out phish that appear to come from a trusted company or brand, with that company’s domain showing in the From field but the phisher’s own domain in Return-Path. Such messages are fake, but they will pass SPF authentication.

This is one reason why SPF is not a complete email authentication solution on its own. An additional standard (DMARC) addresses this issue by enabling the domain owner to require “alignment,” which means that a message must pass SPF and its Return-Path and From addresses must be the same.
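The alignment comparison that DMARC adds on top of SPF is easy to express in code. The following is an added example written for this edition (not Valimail’s code and not a real DMARC implementation): it pulls the Return-Path and From domains out of three constructed sample messages and reports whether an SPF result obtained for the Return-Path domain says anything about the From domain a reader sees. The spf_result argument stands in for a separate SPF evaluation of the Return-Path domain; org_domain approximates the organizational domain by taking the last two labels, whereas a real DMARC evaluator consults the Public Suffix List. All domains in the samples are placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Dict

# Constructed sample messages with placeholder domains (not real mail).
# Legitimate bulk mail: the vendor's bounce domain sits in Return-Path, the brand in From.
VENDOR_BOUNCE = """Return-Path: <bounce-4821@bounces.mailvendor.example>
From: "Example Corp" <news@example.com>
Subject: Monthly newsletter

body
"""
# A message whose Return-Path domain belongs to someone other than the brand shown in From.
SPOOFED = """Return-Path: <returns@unrelated-domain.example>
From: "Example Corp Security" <alerts@example.com>
Subject: Please verify your account

body
"""
# Return-Path on a subdomain the brand controls: aligned in relaxed mode, not in strict mode.
ALIGNED = """Return-Path: <bounces@mail.example.com>
From: "Example Corp" <news@example.com>
Subject: Receipt

body
"""


def header_domain(raw: str, header: str) -> str:
    """Domain part of the address in a header, lower-cased ('' if the header is absent)."""
    _, addr = parseaddr(message_from_string(raw).get(header, ""))
    return addr.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real DMARC evaluators use the Public Suffix List, which this example does not model."""
    return ".".join(domain.split(".")[-2:])


def alignment(raw: str, spf_result: str, mode: str = "relaxed") -> Dict[str, object]:
    """Report whether an SPF result for the Return-Path domain also covers the From domain.

    spf_result is the outcome of the SPF check on the Return-Path domain; it is an input
    here, produced by a separate SPF evaluation in a real receiver.
    """
    rp, frm = header_domain(raw, "Return-Path"), header_domain(raw, "From")
    aligned = rp == frm if mode == "strict" else org_domain(rp) == org_domain(frm)
    return {
        "return_path": rp,
        "from": frm,
        "spf": spf_result,
        "aligned": aligned,
        # Only an SPF pass on an aligned domain vouches for the From address the user sees.
        "spf_aligned_pass": spf_result == "pass" and aligned,
    }
```

On the samples, the vendor-bounce message and the spoofed message both carry an SPF pass that vouches for nothing the recipient can see, while the mail.example.com bounce address aligns with example.com in relaxed mode only.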

The 10-Domain Lookup Limit

The second big issue is that SPF contains a limit on the number of DNS lookups that mail servers will do when evaluating an SPF record. That limit is 10, and it was put in place because the creators of SPF were concerned about preventing denial-of-service attacks.

For instance, when an SPF record has an “include” directive that specifies a domain, the authenticating server needs to do a DNS lookup for that domain, in order to retrieve its SPF record, containing additional rules. While 10 lookups might sound like a lot, you can use them up fast, particularly because one lookup might contain other lookups of its own. For instance, “include:_spf.google.com” actually comprises four different lookups, because the SPF record at _spf.google.com contains three more lookups of its own.

It gets worse, because many companies are now using a wide variety of cloud services, similar to G Suite, that send emails on their behalf (for notifications, customer emails, etc.). Every one of these, from Salesforce.com to Sendgrid, needs to be spelled out in an SPF record “include” directive if you want their messages to authenticate as legitimate emails from your company. Any of their includes may include multiple DNS lookups.

Even if you take care to count the total number of lookups, one of the vendors you use might change their own SPF record, changing the number of lookups they do, which then affects your total — and you’ll get no notification about that.

Receiving email servers don’t tell you if they exceed the 10-lookup limit when trying to authenticate an email. After the 10th lookup they just stop, even if there are more “includes” to evaluate. As a result, emails that the domain owner intends to authenticate may fail SPF, since the server may never get to the rule that would have authenticated them.

There’s no limit on the number of IP addresses you can include in an SPF record, so some organizations try to get around the 10-domain lookup limit by listing authorized servers by IP address instead of domain name. This is called “flattening,” but it has problems of its own.
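To make both the five-step check from “How It Works” and the lookup accounting above concrete, here is an added example, written for this edition and not Valimail’s code or any real SPF library, that evaluates a sending IP against SPF records drawn from a constructed, offline DNS table. Every domain name and record in it is a placeholder; _spf.mailvendor.example is built to mirror the page’s G Suite example, in that the one include costs four counted lookups (the include itself plus three nested includes) before its own a and mx terms add two more. The evaluator follows the RFC 7208 accounting: the TXT fetch for the domain being checked is not counted, each include, a and mx term costs one of the ten lookups, and when the eleventh lookup is attempted evaluation gives up with the result RFC 7208 calls “permerror”, which is how the “just stop” behaviour described above surfaces to the receiver. A record with a typo such as “-al” ends in the same result. count_lookups walks a record the way a domain owner should before publishing it.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

MAX_LOOKUPS = 10  # the per-evaluation limit from RFC 7208 that the page discusses
LOOKUP_MECHANISMS = {"a", "mx", "include", "ptr", "exists"}  # terms that cost a counted lookup
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data standing in for real lookups; every name here is a placeholder.
# _spf.mailvendor.example mirrors the page's G Suite example: the include itself plus
# three nested includes make four counted lookups (its 'a' and 'mx' terms add two more).
DNS: Dict[str, Dict[str, List[str]]] = {
    "example.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all"]},
    "_spf.mailvendor.example": {"TXT": ["v=spf1 include:_n1.mailvendor.example "
                                        "include:_n2.mailvendor.example include:_n3.mailvendor.example ~all"]},
    "_n1.mailvendor.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "_n2.mailvendor.example": {"TXT": ["v=spf1 ip6:2001:db8:1::/48 -all"]},
    "_n3.mailvendor.example": {"TXT": ["v=spf1 a mx -all"], "A": ["203.0.113.10"], "MX": ["mx.mailvendor.example"]},
    "mx.mailvendor.example": {"A": ["203.0.113.20"]},
    # The typo the page warns about: "-al" instead of "-all" makes the whole record unusable.
    "typo.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -al"]},
    # Eleven cloud vendors, one include each: the eleventh can never be reached.
    "bloated.example": {"TXT": ["v=spf1 " + " ".join(f"include:_v{i}.vendor.example" for i in range(11)) + " -all"]},
}
for i in range(11):  # each constructed vendor authorizes exactly one address
    DNS[f"_v{i}.vendor.example"] = {"TXT": [f"v=spf1 ip4:192.0.2.{100 + i} -all"]}


class PermError(Exception):
    """The record cannot be evaluated: bad syntax, a dangling include, or too many lookups."""


class Resolver:
    """Wraps the constructed table and counts lookups the way a receiving server must."""

    def __init__(self, table: Dict[str, Dict[str, List[str]]]) -> None:
        self.table, self.lookups = table, 0

    def query(self, name: str, rtype: str, counted: bool = True) -> List[str]:
        if counted:
            self.lookups += 1
            if self.lookups > MAX_LOOKUPS:
                raise PermError(f"more than {MAX_LOOKUPS} DNS lookups")
        return self.table.get(name, {}).get(rtype, [])


def spf_record(resolver: Resolver, domain: str, counted: bool) -> Optional[str]:
    """Fetch the single v=spf1 TXT record for a domain (two or more is an error)."""
    txts = [t for t in resolver.query(domain, "TXT", counted) if t.split(" ")[0] == "v=spf1"]
    if len(txts) > 1:
        raise PermError(f"multiple SPF records at {domain}")
    return txts[0] if txts else None


def check_host(ip: str, domain: str, resolver: Resolver, counted: bool = False) -> str:
    """RFC 7208 check_host() reduced to the mechanisms the page describes. The TXT fetch for the
    domain being checked is not one of the 10 counted lookups; every include, a and mx term is."""
    addr = ipaddress.ip_address(ip)
    record = spf_record(resolver, domain, counted)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term:  # exp= / redirect= modifiers are not modelled in this example
            continue
        qualifier, term = (term[0], term[1:]) if term[0] in QUALIFIER_RESULT else ("+", term)
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:  # an address of the other IP version simply does not match
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                raise PermError(f"bad network {arg!r}")
        elif name == "a":
            matched = any(addr == ipaddress.ip_address(a) for a in resolver.query(arg or domain, "A"))
        elif name == "mx":  # the A lookup per MX host has its own separate limit in RFC 7208
            hosts = resolver.query(arg or domain, "MX")
            matched = any(addr == ipaddress.ip_address(a) for h in hosts for a in resolver.query(h, "A", counted=False))
        elif name == "include":
            inner = check_host(ip, arg, resolver, counted=True)  # the include's TXT fetch is counted
            if inner == "none":
                raise PermError(f"include of {arg} found no SPF record")
            matched = inner == "pass"
        else:
            raise PermError(f"unknown mechanism {name!r}")  # this is where the "-al" typo lands
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def evaluate(ip: str, domain: str, table=DNS) -> Tuple[str, int]:
    """Authenticate one message: (SPF result, counted DNS lookups the receiver spent)."""
    resolver = Resolver(table)
    try:
        return check_host(ip, domain, resolver), resolver.lookups
    except PermError:
        return "permerror", resolver.lookups


def count_lookups(domain: str, table=DNS) -> int:
    """Worst-case counted lookups a record can trigger: what its owner must keep at or below 10."""
    txts = [t for t in table.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    total = 0
    for term in (txts[0].split()[1:] if txts else []):
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in LOOKUP_MECHANISMS:
            total += 1 + (count_lookups(arg, table) if name == "include" else 0)
    return total
```

Run against the constructed table, example.com passes a message from its vendor’s MX address after six counted lookups, a message from an address no record lists (a forwarding server, for instance) fails after the same six, typo.example can only ever produce permerror once its ip4 term is not matched, and bloated.example, with eleven includes, cannot authenticate the address its eleventh vendor covers because the receiver never reads that far, while the address covered by its first vendor passes after one lookup.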

Forwarding Limitations

A third issue with SPF is that it doesn’t support email forwarding. For instance, if you’re an alumnus of a college that offers you a lifetime email address (@alumni.college.edu or something similar), that address probably forwards email to your actual address (gmail.com or your company address). Any SPF records from senders trying to reach you through that address won’t validate, because to the Gmail server, it looks like the message is coming from the college’s email server, not the source. The same problem applies to e-mail lists.

Automation Addresses SPF Limitations

SPF is an essential part of email authentication, but it wasn’t designed for the cloud era and is unwieldy if you use more than two or three cloud services that send email on your behalf. Hand-crafting SPF records and maintaining them in conventional DNS doesn’t work for most organizations. What’s more, SPF doesn’t ensure that mail gets delivered (if it passes) or that it gets quarantined/rejected (if it fails). In the absence of a DMARC record, how receiving servers handle a message that fails SPF is entirely up to them.

Valimail has automated the key aspects of email authentication, including SPF. Valimail’s platform includes a DNS responder that, via a one-time delegation, responds to queries for a domain’s SPF record.

About Valimail

Valimail provides the first and only truly automated email authentication solution for brand protection and anti-fraud defense. Valimail's patented, standards-compliant technology provides an unrivaled one-click solution for DMARC enforcement to stop phishing attacks, increase deliverability, and protect organizations’ reputations. Valimail authenticates billions of messages a month for some of the world's biggest companies, in finance, government, transportation, health care, manufacturing, media, technology, and more. Valimail is based in San Francisco. For more information visit www.Valimail.com.
