Emails are important yet one of the most vulnerable strings of corporate communication. Not to forget how AI-written sophisticated emails are making it more challenging for CISOs to deploy filters to detect and burn illegitimate emails. Gone are the days when detecting poor grammar, inconsistencies, unprofessional graphics, etc., was enough to tag an email as ‘potentially fraudulent.’
In one of the media interactions, Patric Harr, the CEO of SlashNext, raised his concerns by saying that it isn’t a coincidence that since the launch of ChatGPT, the incidents of phishing emails have grown exponentially.
The situation has also driven Google and Yahoo to necessitate the deployment of DMARC for all domains that send over 5,000 emails per day. Since DMARC relies on SPF and DKIM, it’s important that domain administrators and CISOs follow some best practices.
1. Avoid DIY-ing SPF
Setting up SPF on your own can be challenging and may not yield optimal results for the following reasons-
Complexity
An SPF record consists of SPF syntax and requires an understanding of DNS records. So, avoid in-house SPF management unless you have an expert onboard. Companies often assign the responsibility to an IT team member, assuming they have sufficient expertise, but that isn’t always the case. IT and cybersecurity are extensive topics, and people are proficient in certain segments only.
Lack of Expertise
Managing SPF requires a deep understanding of email authentication protocols, DNS management, and email delivery mechanisms. If you or your team lack experience in these areas, DIY-ing SPF setup and monitoring may result in ineffective or unreliable email authentication.
Misconfigurations
If an unskilled team member is assigned to your SPF record, it is highly likely to encounter misconfigurations. There are several rules, and overlooking them makes a record invalid, causing false positives and deliverability issues or allowing fraudulent emails to bypass email authentication filters.
Incomplete Knowledge of Compliance Requirements
Many industries and regions have compliance requirements regarding email security and anti-spam measures. A DIY SPF setup may not ensure compliance with these regulations, potentially exposing your organization to legal risks or penalties.
2. Use Lookup Tools
SPF lookup tools or analyzers highlight all the existing errors in your SPF record so that you can fix them before a malicious entity takes their advantage. A standard lookup tool highlights the following errors-
- Syntax errors, including missing or misplaced characters, invalid SPF record mechanisms or modifiers, and improper formatting.
- DNS lookup failures occur when the SPF checker tool fails to retrieve information from the DNS records associated with the domain.
- Exceeding the maximum limit of 255 characters as it parses errors or truncates the record, causing email delivery issues.
- Invalid SPF version.
- Deprecated mechanisms and also suggests alternatives for better compatibility and security.
- Discrepancies between the SPF record and the DMARC policy and recommends adjustments for alignment.
3. Penetration Testing and Ethical Hacking Really Work
Regular penetration testing helps uncover vulnerabilities in SPF configurations, while ethical hacking involves simulating real-world attacks to come across potential vulnerabilities and gaps in email authentication mechanisms. This practice also helps ensure that modifications and updates don’t inadvertently weaken SPF’s effectiveness or introduce vulnerabilities.
Image sourced from techtarget.com
4. Softfail vs Hardfail- Make the Right Choice
You use either a Softfail mechanism (~all) or a Hardfail mechanism (-all) to instruct recipients’ mailboxes how to treat unauthenticated emails sent from your domain. If you set Softfail in your SPF record, receiving mailboxes will place suspicious emails in spam folders, and if you set Hardfail, they will reject such emails.
Now, it sounds like Hardfail offers maximum security from phishing attacks. However, there are instances of false positives for genuine emails. So, sometimes, it’s better to set a more lenient mechanism, as you can’t afford to lose out on genuine emails.
Organizations should carefully evaluate their email security requirements and tolerance for false positives when deciding between SPF softfail and hardfail mechanisms. Additionally, implementing complementary email authentication mechanisms such as DKIM and DMARC can enhance overall email security regardless of the choice between Softfail and Hardfail.
5. You Can’t Always Control SPF Temperrors
SPF temperrors are temporary issues that mostly get resolved on their own. Your SPF record can encounter the following temperrors-
DNS Lookup Timeout
SPF records often include mechanisms that require DNS lookups to retrieve information about authorized sending hosts or IP addresses. If there are issues with DNS servers, network connectivity, or DNS lookup timeouts, SPF processing may result in a temperror.
DNS Server Errors
This includes issues with DNS servers, such as misconfigurations, outages, or temporary network disruptions.
Transient Network Issues
Temporary network issues or congestion can disrupt communication between the SPF checker tool and DNS servers, leading to SPF temperrors. These issues may include packet loss, high latency, or network congestion affecting DNS resolution.
Rate Limiting
Some DNS servers enforce a limit on the maximum number of DNS queries within a short period. Exceeding this limit triggers an error.
SPF Record Parsing Errors
SPF records should not have any syntax errors, invalid mechanisms, or unsupported modifiers, as they cause a failure in SPF processing.
Temporary DNS Server Unavailability
DNS servers can be temporarily unavailable due to maintenance, updates, or other technical issues. If an SPF lookup tool fails to reach the DNS server during processing, an issue is reported.
Load Balancing or Failover Issues
Domain owners deploy load-balancing or failing mechanisms for their DNS infrastructure to improve reliability and scalability. However, improper configurations cause problems as DNS queries are not routed properly.
6. Use SPF Macros Wisely
SPF macros introduce some level of complexity in an SPF record, triggering potential risks, and hence should be used carefully. They rely on external sources, like the sender’s domain or the client’s IP address. So, modifications and inconsistencies in these external sources can impact SPF validation and may trigger false positives.
What’s worse to know is that threat actors always try abusing SPF macros to create malicious emails or bypass SPF authentication checks.
Also, remember that not all email servers and SPF validators fully support SPF macros, which can trigger compatibility issues and inconsistent SPF validation results across different email systems.
Given these considerations and risks, we recommend you to be cautionary with SPF macros’ usage.
7. Communicate With Third-Party Senders
Domain owners or SPF administrators should inform third-party vendors who have to send emails on behalf of your brand about the requirement to include their sending servers’ IP addresses or hostnames in the domain’s SPF record. Provide guidance on different mechanisms and modifiers and encourage them to test their SPF configurations regularly to avoid inconsistencies and errors.
Establish open communication channels with third-party senders to address any questions, concerns, or issues related to SPF authentication.
8. Resort to SPF Flattening
SPF flattening is a technique for simplifying and compressing records with more than 10 DNS lookups. It consolidates multiple ‘include’ mechanisms from nested records into a single SPF record at the top-level domain. Companies with complex email infrastructure should surely resort to this technique.
Some receiving mail servers impose limits on the number of DNS lookups allowed during SPF validation. Flattening the SPF record helps ensure compatibility with these limitations by minimizing the number of DNS queries required to validate the SPF record.
Moreover, a flattened SPF record identifies and eliminates unnecessary or redundant include mechanisms, reducing the risk of issues erupting from misconfigurations.
What Else to Consider?
In addition to ensuring the correctness and consistency of SPF records, CISOs should also leverage DKIM and DMARC to maximize the effectiveness of email authentication filters. Don’t overlook penetration testing in your cybersecurity strategy to proactively identify and mitigate SPF-related problems.
Email defenses are budget-friendly, so seek professional assistance to ensure proper configuration, ongoing monitoring, and compliance with email security best practices. This will ultimately enhance your organization’s email deliverability and security posture.