Do you have a company? A domain? Do you and your team send emails? If the answer to all these questions is a solid ‘yes,’ then you can surely be on the radar of email phishers and spoofers. It doesn’t matter if you have two people in your company or two thousand; you need to put up defenses like the Sender Policy Framework (SPF) protocol that can ward off the malicious efforts of adversaries.
In March 2024, news surfaced that some threat actors had emailed small business owners and self-employed tax filers with a link asking them to input extensive personal details, including their Social Security Numbers. These emails appeared to come from officials of the Internal Revenue Service (IRS), manipulating recipients into giving up their details.
To avoid falling victim to such incidents, domain owners deploy SPF and its companions, DKIM and DMARC. However, the initial setup, preparation, and post-deployment management routines vary from company to company, primarily depending on their size, industry, operating style, and tolerance for false positives.
This blog shares the differences you can expect in SPF configurations for small, medium, and large businesses.
What Does SPF Look Like for a Small Business?
Smaller companies with only a few employees have a simpler email infrastructure, usually involving a single email provider. The number of servers and services that send email is also limited, so a basic SPF setup works fine for them. Their SPF records usually have just one or two IP addresses or domain names.
Here’s an example of what a small business’s typical SPF record would look like:
v=spf1 include:_spf.google.com ~all
The email infrastructures of small businesses’ domains are stable. They don’t involve too much movement as there are fewer integrations with third-party vendors, making it much simpler to maintain their SPF records. Also, they have a narrower scope of operations and communication needs; hence, a simple SPF setup suffices.
What Does SPF Look Like for a Mid-Scale Business?
A company with a few hundred employees may use multiple email services and possibly some internal servers. It’s likely to have more email-sending sources, including marketing platforms, CRM systems, and other third-party services. Considering all these factors, its SPF record will have multiple ‘include’ mechanisms for different services and would look something like this:
v=spf1 include:_spf.google.com include:spf.mailchimp.com include:_spf.salesforce.com ~all
The person in charge of SPF will have to update it regularly, as services, IP addresses, devices, people, and positions will be frequently added and removed. They may also need to manage SPF records for the various subdomains the company uses for different departments or services.
What Does SPF Look Like for a Large Business?
Since the email infrastructures of large companies are intricate and extensive, their SPF records tend to exceed the limit of 10 DNS lookups. To manage this, they use either nested ‘include’ mechanisms and subdomain delegation or automatic SPF flattening tools. In such cases, regular audits and updates are essential to ensure that all email-sending sources are accurately covered.
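The 10-lookup limit (RFC 7208, section 4.6.4) counts every include, a, mx, ptr and exists mechanism and the redirect modifier, including those inside included records. The following is an added example, not part of the original post: it counts worst-case lookups for a record and for its flattened form. The TXT records, .example names, address ranges, and the names `ZONE` and `count_lookups` are all constructed for illustration.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4
# Terms that cost a DNS query when evaluated; ip4, ip6 and all cost none.
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for live DNS (all names are invented).
ZONE = {
    "corp.example": "v=spf1 mx include:_spf.mailhost.example "
                    "include:spf.marketing.example include:_spf.crm.example ~all",
    "_spf.mailhost.example": "v=spf1 include:_a.mailhost.example "
                             "include:_b.mailhost.example include:_c.mailhost.example ~all",
    "_a.mailhost.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_b.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_c.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.marketing.example": "v=spf1 include:servers.marketing.example "
                             "a:bounce.marketing.example ~all",
    "servers.marketing.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.crm.example": "v=spf1 include:_x.crm.example "
                        "include:_y.crm.example include:_z.crm.example ~all",
    "_x.crm.example": "v=spf1 ip4:192.0.2.128/26 ~all",
    "_y.crm.example": "v=spf1 ip4:192.0.2.192/27 ~all",
    "_z.crm.example": "v=spf1 ip4:192.0.2.224/27 ~all",
    # Flattened form of corp.example: includes replaced by the ranges they list.
    "flat.corp.example": "v=spf1 mx a:bounce.marketing.example ip4:192.0.2.0/24 "
                         "ip4:198.51.100.0/24 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
}

def count_lookups(domain, zone, path=()):
    """Worst-case DNS queries to evaluate domain's SPF record (no early match assumed)."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record published for {domain}")
    total = 0
    for term in record.split()[1:]:
        # Optional qualifier, term name, then ':' (mechanism) or '=' (modifier) and a target.
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
        if m and m.group(1) in QUERYING:
            total += 1
            if m.group(1) in ("include", "redirect") and m.group(2):
                total += count_lookups(m.group(2).rstrip("."), zone, path + (domain,))
    return total

if __name__ == "__main__":
    for name in ("corp.example", "flat.corp.example"):
        n = count_lookups(name, ZONE)
        print(f"{name}: {n} lookups, {'over' if n > LOOKUP_LIMIT else 'within'} the limit")
```

The top-level record shows only four querying terms, yet the nested records bring the total to 12; the flattened form needs 2, at the cost of having to be regenerated whenever a provider changes its ranges.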
Large organizations often face more stringent security requirements and compliance standards. This necessitates thorough and well-maintained SPF records, along with regular reviews, to address any potential issues and to ensure ongoing compliance with industry standards and best practices.
Key Considerations Across All Sizes
Regularly run your SPF records through credible SPF lookup tools to catch any existing errors. If you spot any, fix them immediately to avoid email delivery and authentication problems. We suggest that you maintain clear and detailed documentation of all email-sending sources, associated SPF records, and changes or updates you make to them. This helps you troubleshoot faster, reducing downtime and denying threat actors a window to exploit you.
No matter what size category your business falls into, you can reach out to us for anything related to SPF and email security. Book a demo today and see for yourself!