SPF prevents emails sent by unauthorized parties from landing in the inboxes of targeted recipients. However, if your SPF record is misconfigured, it can do more harm than good, especially if it is overly permissive. By overly permissive, we mean using the +all mechanism, as this setting can turn your domain into an open relay for cybercriminals.
We say this because the +all mechanism allows any server on the internet to send emails using your domain. SPF's purpose is to allow only authorized servers to send emails on behalf of your domain, but the +all mechanism defies that. It negates SPF protection, making SPF completely ineffective at preventing spoofing and phishing.
In this blog, we’ll explore why +all is a security risk, how attackers exploit it, and what you should do instead to ensure a secure SPF configuration.

How do threat actors exploit the +all mechanism vulnerability?
The +all mechanism is one of the most dangerous misconfigurations because, with it, you officially authorize every email server in the world to send emails on behalf of your company using your domain. This is a goldmine for cybercriminals because:
1. It makes it easier to send spoofing and phishing emails
It enables attackers to forge emails from your domain and send phishing emails to your customers, partners, employees, and others. Since these emails land in inboxes without any warning, recipients treat them as normal. They trust the emails as genuinely coming from you and end up sharing sensitive details (such as bank information, medical reports, or contact details), transferring money, or downloading malware-infected files.

Remember that all this happens while the recipients believe the email came from your company. So, if they become victims of fraud, they will press charges against your company for failing to protect them.
2. Your domain becomes a spam gateway
Spammers treat your domain as a free channel for distributing bulk spam. With so many emails sent from your domain, its reputation suffers drastically. Email services like Gmail and Outlook then stop trusting your domain and start marking all emails from it as spam or malicious.

3. Bypassing DMARC protections becomes easy
An overly permissive SPF record weakens DMARC protection. Even if you have DMARC set up, a forged email can pass both SPF and DMARC if SPF is misconfigured, because DMARC accepts a message when either aligned SPF or aligned DKIM passes (ignoring DKIM for now).
If an email fails DMARC checks, one of the following actions is taken, depending on your policy:
- If your DMARC record uses the p=none policy, no action is taken against it. It lands in the recipient's inbox as usual.
- If your DMARC record uses p=quarantine, it is sent to the recipient's spam folder.
- If your DMARC record uses p=reject, it bounces back to the sender.

4. It puts your business at risk
If cybercriminals use your domain for phishing, customers may lose trust in your brand. In industries like finance or healthcare, allowing your domain to be exploited for email fraud can result in legal consequences.
Fixing it the right way
Firstly, you need to know whether the +all misconfiguration exists in your SPF record. We recommend running your SPF record through a credible online lookup tool regularly; it scans the record quickly and shows all problems and misconfigurations.
If you detect this misconfiguration, correct it immediately by replacing +all with either -all or ~all.

- -all (Hard Fail) is the safest option, as it tells receivers to reject unauthorized emails outright.
- ~all (Soft Fail) marks unauthorized emails as suspicious, but they still get delivered. In simple words, they are placed in the spam folder.
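As an added example (not code from the original post), here is a small Python check that parses an SPF TXT record string, reports the qualifier on its all mechanism, and rewrites a permissive record to -all. The records below are constructed samples for a hypothetical domain, not live DNS data; a real check would first fetch the domain's TXT record.

```python
import re

# Constructed sample SPF records (hypothetical domain, not real DNS data)
SAMPLE_RECORDS = {
    "permissive":    "v=spf1 include:_spf.example-mail.net ip4:203.0.113.0/24 +all",
    "implicit_plus": "v=spf1 include:_spf.example-mail.net all",  # bare "all" means +all
    "soft_fail":     "v=spf1 include:_spf.example-mail.net ip4:203.0.113.0/24 ~all",
    "hard_fail":     "v=spf1 include:_spf.example-mail.net ip4:203.0.113.0/24 -all",
}

ALL_TERM = re.compile(r"([+\-~?]?)all", re.IGNORECASE)


def all_qualifier(record):
    """Return the qualifier on the 'all' mechanism ('+', '-', '~', '?'), or None if absent."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF version 1 record")
    for term in record.split()[1:]:
        m = ALL_TERM.fullmatch(term)
        if m:
            return m.group(1) or "+"  # RFC 7208: a missing qualifier defaults to "+"
    return None


def assess(record):
    """Classify a record as ('critical' | 'warn' | 'ok', explanation)."""
    q = all_qualifier(record)
    if q is None:
        return ("warn", "no 'all' mechanism: unmatched senders get an implicit neutral result")
    if q == "+":
        return ("critical", "+all authorizes every host on the internet to send as this domain")
    if q == "?":
        return ("warn", "?all is neutral: unauthorized senders are neither passed nor failed")
    if q == "~":
        return ("ok", "~all: unauthorized senders soft fail (usually spam-foldered)")
    return ("ok", "-all: unauthorized senders hard fail")


def fix_record(record, qualifier="-"):
    """Drop any existing 'all' term and append a strict one (default -all)."""
    kept = [t for t in record.split() if not ALL_TERM.fullmatch(t)]
    return " ".join(kept + [qualifier + "all"])


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        verdict, msg = assess(rec)
        print(f"{name:14} {verdict:9} {msg}")
        if verdict != "ok":
            print(f"{'':14} suggested: {fix_record(rec)}")
```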
Also, as a crucial step in maintaining email security, ensure that you list only the email servers you trust to send emails on your behalf using your domain.