Sender Policy Framework in Brief
In the last thread of the DMARC series, we gave you an overview of the same and the authentication methods it uses. We also gave you an introduction to SPF and DKIM. In this blog, we will cover SPF in brief.
What is SPF?
Sender Policy Framework is an authentication technique that we use for mitigating email attack risks as it helps us to detect email forging and spoofing. But it has its own limitations/ boundaries and can only discover the email ID that is used by the sender and the IP records associated with it. If the DNS record matches on the receiving end, then, it authenticates the email else it is rejected. This record is one of the most vital keysets of its policy framework.
What does an SPF record do?
SPF does not see through the senders’ email address but the IP address. A Sender Policy Framework record registers the pool of IP addresses against the senders’ email server. When your email reaches the receiver’s end, the receiver starts checking the SPF record based on the DNS record and authenticates your email. When the email authentication is finished, your email is sent and is visible in the inbox of the receiver.
How does Sender Policy Framework Work?
Now, as you have got a brief overview of the SPF record, let us go deep into the technicalities of it. How does it work? Where do we configure its records and how? You will get the answers to all these questions here.
Each email has its header attached to it. When you send the email, its header includes the RETURN-PATH value of the domain. The Sender Policy Framework works by looking for the same RETURN-PATH value of the domain.
As the email reaches the receiving end, the receiving server checks this value and extracts the sender domain’s SPF record. The receiving server tries to verify the domain IP address with that of the SPF record. If both matches, the receiver server authenticates the email domain.
The receiver server checks the senders’ email address along with its IP address in the SPF record. This is done by checking the TXT record of the DNS.
Some solutions of DMARC provide you with a feature of SPF Flattening that helps you to overcome the DMARC’s 10 SPF lookup challenge.
How to implement an SPF record?
The implementation and registration of the domains in the SPF record is an easy task. If a company or an organization wants you to register their domain in your SPF record, they will send a description of their entry.
You will have to find the include: keyword and will have to copy and paste all the data written after that. By doing this, you will be creating an entry of the domain in your records.
Sender Policy Framework Record Mechanism
Domains define zero or more mechanisms. We use mechanisms to describe the set of hosts that are designated for the outbound emailers for the domain.
Mechanisms can be prefixed with one of four qualifiers:
“+” Pass: allows the host to send | accept
“-” Fail: does not allow the host to send | reject
“~” SoftFail: doesn’t allow the host it is in transit | accept but mark
“?” Neutral: nothing can be said about the validity | accept
If a mechanism results in a hit, its qualifier value is used. The default qualifier is “+“, i.e. “Pass”. For example:
“v=spf1 -all”
“v=spf1 a -all”
“v=spf1 a mx -all”
“v=spf1 +a +mx -all”
These mechanisms are evaluated in order. If the record stands unmatched, then it is evaluated as “NeutralL”. If a domain has no SPF record at all, the result is “None”. If it has a temporary error during DNS processing, you get the result “TempError” (called “error” in earlier drafts).
If syntax or evaluation error occurs (eg. the domain specifies an unrecognized mechanism) the result is “PermError” (formerly “unknown”).
This is the brief of the SPF record that DMARC uses. However, on its own, it does not provide foolproof mitigation from the email spoofing and phishing attacks. This is the reason why we use DKIM (Domain Key Identified Mail).
Both SPF and DKIM enable you to handle and mitigate the email spamming on an advanced level. We will be discussing DKIM in the next thread of the DMARC series, and you will get a brief understanding of the same.
