27 Nov 2018

Sender Policy Framework (SPF)

Sender Policy Framework

Sender Policy Framework (SPF) is a method of fighting spam emails. SPF is designed to prevent forged or spoofed emails being sent by checking and validating that the sender is authorised to send email from the domain they're claiming to be from.
This is done by verifying the sender's email server before delivering legitimate email to a recipient's inbox. That way, if a spammer attempts to send email from a faked email address, the message will be rejected.

Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses in emails, (email spoofing), a technique often used in phishing and email spam.
SPF allows the receiver to check that an email claiming to come from a specific domain comes from an IP address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain.

The sender's address and other parts of the email header are altered to appear as though the email originated from a different source. It is a common method used by attackers to gain the trust of the target and increase the likelihood of a successful attack. These emails often contain malicious links or attachments which, when opened, can compromise networks.

Why Implement SPF

·         SPF can lower the chance of malicious content reaching a network by providing protection against spoofed emails. SMTP without SPF allows any computer to send email claiming to be from anyone so it is easy for spammers to send email from forged addresses. This makes it very difficult to trace back from which system Spam comes from. On the other hand it is very easy for Spammers to fake their sender address so that the receiver trusts these e-mails.
·         SPF allows an Administrator of an Internet Domain to specify which machines are authorized to transmit e-mail from that domain.
·         You can decide whether to block, quarantine or mark incoming emails as suspicious/spam after failing SPF verification.

How to implement SPF

·         There are two sides to SPF; checking incoming mail, and (publishing) allowing others to check the mail you send. You do the former by using an SPF-enabled message transfer agent (MTA), and the latter by registering an SPF record in DNS. SPF allows you to specify which servers are allowed to send emails for your domain and makes this information available for recipients to check. The SPF entry will contain a list of domains or valid IP addresses authorised to send emails for their domain.
·         Identify SPF software compatible for your email server. A list of software can be found at www.openspf.org/Implementations. Microsoft Exchange server uses a type of SPF called "Sender ID".
·         Determine your organisation's SPF handling procedure, preferably hard fail (blocking the messages at the gateway) instead of soft fail (tagging the messages as spam but accepting them).

·         Define your outgoing mail servers and have an SPF entry for this hostname. SPF records are usually laid out in typical DNS syntax as follows: 

“ v=spf1 mx a:mailserver.domain.com -all

o   v=spf1 defines the version of SPF being used
o   mx specify your organisation’s authorised email servers
o   a: mailserver.domain.com machine that can send emails on behalf of your domain
o   -all specifies a hard fail, directing receivers to drop email sent from your domain if the sending server is not authorised.
Note: If the policy chosen is to tag suspect emails but deliver them to the intended recipient, this is done via ~all instead of -all. 

SPF Unsupported messaging systems

If a messaging system does not support SPF, it is possible to place an SPF enabled MTA in front of your unsupported systems. The only thing you have to do is to change the mail flow that all incoming mails will be sent to the SPF aware MTA. This MTA checks the e-mail and will forward it to the internal mail-system.

Note: SPF cannot detect cross-user forgery, that is, where users within a given domain forge the email addresses of others.

image source