Threat actors seek ways to impersonate credible companies and their representatives so that phishing emails appear to come from a trusted sender. Targeted recipients are then far more likely to open and act on the fraudulent message. If companies implement SPF for their domains and follow best practices, they help receiving servers distinguish mail from sources the domain owner has authorized from mail sent by anyone else using the domain.
To make SPF work, the domain owner publishes a TXT record at the domain that lists the IP addresses and mail servers allowed to use the domain in the envelope sender (MAIL FROM) address. The record ends with an ‘all’ mechanism whose qualifier tells receiving servers how to treat mail from any source that is not on the list.
As of 2024, more than half of the top ten million domains have published SPF records. Yet many of those records do not actually stop impersonation of the business: they contain syntax errors, include domains that publish no SPF record of their own, still authorize senders that are no longer in use, or end with a rule that does nothing. SPF is not a one-time job. The record has to be reviewed regularly, and sending sources have to be added and removed as mail servers, vendors and third-party sending services are onboarded or retired.

Yes, keeping up with the list of dos and don’ts for an SPF record can be a tricky task, but that’s exactly where this guide steps in to help you untangle things.
Here are 6 best practices that domain owners, the teams who send mail on their behalf, and linked vendors should follow to keep SPF effective.
1. List only authorized IP addresses and servers
SPF’s job is to tell the world which IP addresses and mail servers are officially allowed to send emails on your behalf. So, if your record lists IP addresses and mail servers that shouldn’t be there, or misses the ones that should be there, your domain is exposed to the following risks:
Spoofing and BEC attacks
Attackers can forge emails using your domain if your SPF record is too loose or outdated, for example if it still authorizes a vendor you stopped using or a shared hosting range that other customers can send from. This opens the door to spoofing and BEC attacks, in which a threat actor tricks your employees or customers into wiring money or handing over sensitive information.

Legit emails get blocked
If you don’t add the IP addresses of a newly onboarded sending source to your record, whether that is a mail server you stood up or a vendor platform (CRM, helpdesk, marketing tool) that sends for you, the emails it sends will most probably be rejected or land in the spam folder. This can ultimately result in delays, missed opportunities, and frustration for you and the receiver.
Here’s how you can follow this best practice:
- Audit your senders regularly.
- Use IP ranges and ‘include:’ statements wisely: prefer a vendor’s published include over copying its IP ranges by hand, and keep your own ip4/ip6 ranges as narrow as the sender actually needs.
- Remove the sending sources no longer in use.
2. Use -all only when you are confident
By setting the Hard Fail qualifier (-all), you tell receiving mail servers to reject mail that uses your domain as the envelope sender but comes from an IP address or server not listed in the record. While this may sound like the best configuration to avert phishing attacks attempted in your name, it’s not always advised to start there.

There are two reasons why you should think twice before setting your SPF record to -all.
The first reason is that if you forget to add a new IP address or mail server to your SPF record, genuine emails sent from them will be rejected, risking communication and operational issues.
Second, SPF breaks on forwarding: when a recipient’s mailbox auto-forwards your message, the copy is re-sent from the forwarder’s IP, which is not in your record, so a genuine message fails SPF. Such false positives are especially common in the initial phase of SPF deployment, before DMARC reports have revealed every legitimate path your mail takes.
So, if your business’s tolerance for rejected emails is low, don’t be hasty to set the Hard Fail qualifier. Start with Soft Fail (~all), which marks unlisted senders as suspicious without demanding rejection, and move to -all once you are confident the list is complete.

3. Avoid using deprecated and risky mechanisms
Some SPF mechanisms, such as ‘ptr,’ are outdated and no longer reliable. The ‘ptr’ mechanism makes the receiver do a reverse DNS lookup on the sender’s IP and then a forward lookup on each name returned to confirm it points back to your domain. That costs DNS queries against the lookup limit, many IPs have no or inconsistent PTR data, and it puts load on the receiver’s resolver. RFC 7208 says it should not be used, and most email providers no longer recommend it.
Likewise, broad mechanisms like ‘a’ or ‘mx’ can be risky if not handled carefully. The ‘a’ mechanism authorizes every IP in your domain’s A record to send emails, including web or application servers that were never meant to send mail. Similarly, ‘mx’ authorizes all of your MX hosts, but some of them may only receive or forward emails, not send them directly.
Such loose rules let hosts you never intended as senders pass SPF, so a compromise of any one of them becomes a path to SPF-authenticated phishing in your name. It’s better to stick with more specific options like ‘ip4,’ ‘ip6,’ or ‘include:’ to list only the exact IPs or trusted third-party services that should be sending your emails.
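The three checks above lend themselves to a linter. The Python below is an added example, not code from this article or from any SPF tool; the LOOSE and TIGHT records, example.com, _spf.example.net and the addresses in them are constructed placeholders. It parses a record and reports the deprecated and broad mechanisms from section 3, invalid ip4/ip6 terms from section 1, and what the trailing ‘all’ qualifier from section 2 actually means for unlisted senders.

```python
"""Lint one SPF record for the mistakes in sections 1 to 3.

Added example, not code from the original article. LOOSE and TIGHT are
constructed records; example.com, _spf.example.net and the addresses are
placeholders.
"""
import ipaddress

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4; ip4, ip6, all
# and exp= do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

LOOSE = "v=spf1 a mx ptr ip4:192.0.2.0/24 include:_spf.example.net ~all"
TIGHT = "v=spf1 ip4:192.0.2.10 ip6:2001:db8::/32 include:_spf.example.net -all"


def parse_terms(record: str) -> list[tuple[str, str, str]]:
    """Split 'v=spf1 ...' into (qualifier, name, value) tuples.

    'a/24' -> ('+', 'a', ''); '-ip4:192.0.2.0/24' -> ('-', 'ip4', '192.0.2.0/24');
    'redirect=x' -> ('+', 'redirect', 'x').
    """
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    out = []
    for token in tokens[1:]:
        qualifier = "+"
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        name, _, value = token.replace("=", ":", 1).partition(":")
        out.append((qualifier, name.partition("/")[0].lower(), value))
    return out


def lint_spf(record: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    lookups = 0
    all_seen = False
    for qualifier, name, value in parse_terms(record):
        if all_seen:
            findings.append(f"'{qualifier}{name}' comes after 'all' and is never evaluated")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("'ptr' is deprecated (RFC 7208 4.6.4): slow, often has no PTR "
                            "data, and it spends a lookup; replace it with ip4/ip6/include")
        elif name in ("a", "mx") and not value:
            findings.append(f"bare '{name}' authorizes every host in the domain's "
                            f"{name.upper()} records, including ones that never send mail")
        elif name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(f"'{name}:{value}' is not a valid address or CIDR")
        elif name == "all":
            all_seen = True
            if qualifier == "+":
                findings.append("'+all' authorizes the entire internet to send as this domain")
            elif qualifier == "?":
                findings.append("'?all' is neutral: unlisted senders neither pass nor fail")
            elif qualifier == "~":
                findings.append("'~all' (softfail) is fine during rollout; move to '-all' once "
                                "DMARC reports show no legitimate senders failing")
    if not all_seen:
        findings.append("no 'all' term: unlisted senders get a neutral result, i.e. no protection")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms in this record alone; the limit is 10 "
                        "counting nested includes")
    return findings


if __name__ == "__main__":
    for label, record in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(label, record)
        for finding in lint_spf(record) or ["no findings"]:
            print("  -", finding)
```

The linter only looks at one record; it does not follow ‘include:’ targets, so the lookup count it reports is a lower bound.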

4. Monitor DMARC reports
DMARC relies on SPF and DKIM results, and the aggregate reports that receivers send back list, per sending IP, how many messages were seen and whether SPF and DKIM passed and aligned with the From domain. By monitoring these reports you can tell whether your SPF record is doing its job: unrecognized IPs sending as your domain show up, and you can confirm they fail rather than slip through a record that is too loose.
Also, sometimes your own tools (like a CRM or newsletter platform) are missing from your SPF record, or send with a return-path domain that does not align with yours. DMARC reports will show their mail failing SPF, so you know which sender to add to the record or which vendor setting to fix.
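One way to read those reports without a dashboard. The Python below is an added example, not the article’s own tooling; REPORT is a constructed aggregate report in the RFC 7489 Appendix C layout, and SPF_RECORD, receiver.example, example.com, the vendor domains and the IPs in it are placeholders. It lists every source whose DMARC-evaluated SPF result was not ‘pass’ and says, per source, whether the IP is simply missing from the record or passed SPF for a return-path domain that does not align with the From header.

```python
"""Pull SPF failures out of a DMARC aggregate (RUA) report.

Added example, not the article's own code. REPORT is a constructed report in
the RFC 7489 Appendix C layout; every organisation, domain and address in it
and in SPF_RECORD is a placeholder.
"""
import ipaddress
import xml.etree.ElementTree as ET

REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-1</report_id>
    <date_range><begin>1704067200</begin><end>1704153600</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.newsletter-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

# The domain's current SPF record (constructed), used to tell "not listed"
# apart from "listed but still failing".
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 include:_spf.crm-vendor.example -all"


def spf_failures(report_xml: str) -> list[dict]:
    """One dict per <record> whose DMARC-evaluated SPF result is not 'pass'."""
    out = []
    for rec in ET.fromstring(report_xml).iter("record"):
        if rec.findtext("row/policy_evaluated/spf") == "pass":
            continue
        out.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # auth_results/spf names the envelope domain SPF was actually checked against
            "envelope_domain": rec.findtext("auth_results/spf/domain"),
            "raw_spf": rec.findtext("auth_results/spf/result"),
        })
    return out


def listed_networks(spf_record: str) -> list:
    """ip4:/ip6: terms of the record as networks; include: targets are not expanded here."""
    return [ipaddress.ip_network(t.split(":", 1)[1], strict=False)
            for t in spf_record.split() if t.lower().startswith(("ip4:", "ip6:"))]


def triage(report_xml: str, spf_record: str) -> list[str]:
    """Explain each SPF failure against the published record, busiest source first."""
    nets = listed_networks(spf_record)
    lines = []
    for f in sorted(spf_failures(report_xml), key=lambda r: -r["count"]):
        ip = ipaddress.ip_address(f["source_ip"])
        listed = any(ip in n for n in nets)
        # Simplified strict alignment check; aspf=r would also accept the same
        # organizational domain.
        if f["raw_spf"] == "pass" and f["envelope_domain"] != f["header_from"]:
            why = (f"SPF passed for {f['envelope_domain']} but that domain is not aligned with "
                   f"the From header {f['header_from']}; fix the sender's return-path domain")
        elif listed:
            why = "IP is in the record yet failed; check for a syntax error or lookup-limit permerror"
        else:
            why = "IP is not in the record: add it if this is your sending service, otherwise it is spoofing"
        lines.append(f"{f['source_ip']} ({f['count']} msgs): {why}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage(REPORT, SPF_RECORD)))
```

In the constructed report, 203.0.113.77 is the case the text describes first (an unknown source, or a tool nobody added), while 198.51.100.5 is a vendor that passes SPF for its own bounce domain and therefore still fails DMARC’s SPF check; adding that IP to your record would not help, the vendor has to send with an aligned return-path.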
5. Document and review changes regularly
Whenever you make any changes to your SPF record, document the alterations. This way, there will be a log of who made the update, when, and for what purpose. This avoids confusion later if something breaks.
Additionally, if you continually add ‘include:’ statements without removing old ones, your SPF record may exceed the 10 DNS lookup limit. The result is a permerror, which receivers treat as if you had published no SPF record at all. A documented change log makes it easy to see which includes are still needed and which can go.

6. Stay within the lookup limit
SPF allows up to 10 DNS lookups per evaluation for the terms that trigger a DNS query: ‘include:’, ‘a’, ‘mx’, ‘ptr’, ‘exists’ and the ‘redirect=’ modifier. ‘ip4’ and ‘ip6’ cost nothing, and lookups inside nested includes count toward the same limit. Going over it produces a permerror and the whole record is ignored. The limit exists to protect receivers: without it, an attacker could publish a record that fans out into endless DNS queries and bog down or crash the receiving mail server’s resolver (a type of DoS attack).
If your SPF record has already hit this limit and evaluates to permerror, use our automatic SPF flattening tool. It converts ‘include’ statements into a static list of ip4/ip6 terms, which need no lookups. Keep in mind that a flattened record goes stale the moment a vendor changes its IP ranges, so flattening has to be re-run regularly rather than done once, and a long flattened record must be split into 255-character strings within the one TXT record.
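To see how the limit is counted and what flattening does to a record, here is an added example in Python; it is not the article’s tool. It has no live DNS: ZONE is a constructed table that stands in for TXT answers, and every domain and address in it is a placeholder. count_lookups walks include/redirect chains and raises a permerror past 10, flatten replaces the includes with the ip4/ip6 terms they resolve to, and txt_strings splits a long result into 255-octet strings for a single TXT record.

```python
"""Count the DNS lookups an SPF record costs and flatten its include chain.

Added example, not the article's flattening tool. There is no live DNS here:
ZONE is a constructed table standing in for TXT answers, and every domain
and address in it is a placeholder.
"""

LOOKUP_LIMIT = 10                                   # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

ZONE = {
    "example.com": ("v=spf1 ip4:192.0.2.10 include:_spf.vendor-a.example "
                    "include:_spf.vendor-b.example -all"),
    "_spf.vendor-a.example": "v=spf1 ip4:198.51.100.0/24 include:_spf2.vendor-a.example ~all",
    "_spf2.vendor-a.example": "v=spf1 ip6:2001:db8:1::/48 -all",
    "_spf.vendor-b.example": "v=spf1 ip4:203.0.113.0/26 ip4:203.0.113.64/26 -all",
    # A record that grew one include per vendor until it passed the limit.
    "bloated.example": "v=spf1 " + " ".join(f"include:_spf.svc{i}.example" for i in range(1, 12)) + " -all",
}
ZONE.update({f"_spf.svc{i}.example": f"v=spf1 ip4:192.0.2.{100 + i} -all" for i in range(1, 12)})


class PermError(Exception):
    """SPF permerror: the record cannot be evaluated (RFC 7208 section 2.6.7)."""


def terms(record):
    """(qualifier, name, value) per term after v=spf1; 'redirect=x' -> ('+', 'redirect', 'x')."""
    out = []
    for token in record.split()[1:]:
        qualifier = "+"
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        name, _, value = token.replace("=", ":", 1).partition(":")
        out.append((qualifier, name.partition("/")[0].lower(), value))
    return out


def expand(domain, zone, _chain=(), _via_include=False):
    """Yield (owner, via_include, qualifier, name, value) for `domain` and every
    include:/redirect= target it reaches; permerror on a loop or a missing target."""
    if domain in _chain:
        raise PermError("include loop: " + " -> ".join(_chain + (domain,)))
    record = zone.get(domain)
    if record is None:
        raise PermError(f"{domain}: include/redirect target has no SPF record")
    for qualifier, name, value in terms(record):
        yield domain, _via_include, qualifier, name, value
        if name in ("include", "redirect"):
            yield from expand(value, zone, _chain + (domain,), _via_include or name == "include")


def count_lookups(domain, zone):
    """Worst-case count with every term evaluated, which is what validators report."""
    total = sum(1 for _o, _v, _q, name, _val in expand(domain, zone) if name in LOOKUP_TERMS)
    if total > LOOKUP_LIMIT:
        raise PermError(f"{domain}: {total} DNS lookups, limit is {LOOKUP_LIMIT}")
    return total


def check(domain, zone):
    """'ok: N lookups' or 'permerror: ...' for a quick report."""
    try:
        return f"ok: {count_lookups(domain, zone)} lookups"
    except PermError as exc:
        return f"permerror: {exc}"


def flatten(domain, zone):
    """Rewrite `domain`'s record with the ip4/ip6 terms its includes resolve to.

    An include matches only when its target passes, so inside an include only
    '+' ip terms authorize anything; the target's own 'all' and its '-'/'~'/'?'
    terms are dropped. Terms of the top record (and redirect targets) keep their
    qualifier and order. a/mx/ptr/exists need address lookups and are refused.
    """
    addresses, all_term = [], None
    for owner, via_include, qualifier, name, value in expand(domain, zone):
        if name in ("ip4", "ip6"):
            if via_include and qualifier != "+":
                continue
            term = f"{'' if qualifier == '+' else qualifier}{name}:{value}"
            if term not in addresses:
                addresses.append(term)
        elif name == "all":
            if not via_include:
                all_term = f"{qualifier}all"
        elif name in ("include", "redirect", "exp"):
            continue
        else:
            raise ValueError(f"{owner}: '{name}' needs live DNS data this offline example lacks")
    # No 'all' in the top record means the default result, neutral; write it out.
    return " ".join(["v=spf1", *addresses, all_term or "?all"])


def txt_strings(record, limit=255):
    """Split at spaces into strings of at most `limit` octets for one TXT RR.
    Receivers concatenate the strings with no separator, so each chunk keeps its
    trailing space."""
    chunks, current = [], ""
    for token in record.split(" "):
        piece = token + " "
        if current and len(current) + len(piece) > limit:
            chunks.append(current)
            current = ""
        current += piece
    chunks.append(current.rstrip(" "))
    return chunks


if __name__ == "__main__":
    for name in ("example.com", "bloated.example"):
        print(name, "->", check(name, ZONE))
    print(flatten("example.com", ZONE))
```

Re-run flatten whenever a vendor’s record changes; the output is only as current as the ZONE snapshot it was taken from, which is exactly why a flattened record needs the same ongoing review as the includes it replaced.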
If you need assistance with our tool, feel free to reach out to us for guidance. We can also help with other email authentication issues.