Cyber Security Blog

Sender Policy Framework and its Place in the DMARC Universe

Written by Chris Payne | 30 January 2018

The guest list of the email security world, SPF (Sender Policy Framework) is an absolute must for any organisation. It is easy to implement and maintain, provides protection in its own right, and is also a building block of more advanced email authentication such as DMARC (Domain-based Message Authentication, Reporting & Conformance).

What is SPF?

You can think of an SPF record as a whitelist of all the hosts that are permitted to send email on behalf of your domain. This list would contain things such as:

  • Your email servers.
  • External services sending emails on your behalf.
    • CRM systems.
    • Marketing automation platforms.
    • Cloud based email systems.
    • Third-party hosted websites.

This list is published in your public (external) DNS as a TXT record holding the SPF policy; see the example below:

Example SPF: "v=spf1 a:mail.example.com ip4:200.12.45.120 a:external.com -all"

When a message arrives, the receiving server takes the domain from the envelope sender (the MAIL FROM or Return-Path address, not the From: header the user sees), looks up that domain's SPF record and checks whether the IP address the message was received from is authorised by it. If it is, the message passes SPF and is treated as coming from a legitimate source. If it is not, the record's final qualifier decides how hard the verdict is: -all asks for a fail, ~all for a softfail, and the receiving server handles the message accordingly, for example by rejecting it or filing it as spam.

The benefit is simple: by publishing where your email may come from, you let receivers tell spoofed sources apart from legitimate ones and stop their messages before they reach the recipient mailbox.

Challenges with SPF

There are two main challenges to be aware of when using SPF.

  1. RFC 7208 allows at most 10 DNS-querying mechanisms per check: include, a, mx, ptr and exists (and the redirect modifier) each count as one lookup, while ip4, ip6 and all cost nothing. In the example above, a:mail.example.com and a:external.com are two lookups. Note the difference between a: and include:. a:external.com only resolves the A record of external.com, whereas include:external.com pulls in the whole SPF record published by external.com, and every lookup mechanism inside that record counts towards your 10 as well. Going past the limit produces a permerror, which is not a pass, so a record that quietly grows as third-party services are added can stop protecting you without anyone noticing.
  2. Each character string in a DNS TXT record is limited to 255 characters, which can restrict the number of entries a record can hold. One fix is to split the record into several strings within the same TXT record; receivers concatenate them before parsing (RFC 7208 also recommends keeping the whole record small enough to fit a 512-byte UDP DNS response). Another common fix is to move entries behind an include: that expands to the extra entries, but every include: costs one of the 10 lookups, so the two limits pull against each other.
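To make the evaluation and both limits concrete, here is a minimal SPF checker as an added example; it is not code from the original post. It runs against a constructed in-memory zone that stands in for DNS: example.com, external.com, loop.example and the IP addresses in it are placeholders, and the mx, ptr, exists and redirect terms are counted but not resolved. It shows the left-to-right evaluation, the difference between a: and include:, the permerror when more than 10 lookups are needed, and how a long record is split into 255-character strings.

```python
"""Minimal SPF (RFC 7208) checker against a constructed in-memory DNS.

Added example, not the blog post's code. The zone data below is constructed:
example.com, external.com and loop.example are placeholder names and the
addresses come from documentation ranges. A real receiver queries DNS; the
dict stands in so the logic runs offline.
"""
import ipaddress

# Constructed stand-in for DNS. TXT values are lists of character strings,
# each at most 255 octets, exactly as a resolver returns them; RFC 7208 says
# to concatenate them (with nothing in between) before parsing. The trailing
# space in the first example.com string is deliberate: it keeps two terms apart.
FAKE_DNS = {
    ("example.com", "TXT"): [
        ["v=spf1 a:mail.example.com ip4:200.12.45.120 ", "include:external.com -all"],
    ],
    ("mail.example.com", "A"): ["198.51.100.10"],
    ("external.com", "TXT"): [["v=spf1 ip4:203.0.113.0/24 a ~all"]],
    ("external.com", "A"): ["203.0.113.200"],
    # Constructed failure case: a record that includes itself never stops looking up.
    ("loop.example", "TXT"): [["v=spf1 include:loop.example -all"]],
}

MAX_DNS_MECHANISMS = 10                                       # RFC 7208 section 4.6.4
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}      # ip4/ip6/all are free
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfPermError(Exception):
    """Malformed record or more than MAX_DNS_MECHANISMS lookups."""


def fetch_spf(domain):
    """Return the concatenated v=spf1 record for domain, or None if there is none."""
    for strings in FAKE_DNS.get((domain, "TXT"), []):
        record = "".join(strings)
        if record.lower().startswith("v=spf1"):
            return record
    return None


def _evaluate(addr, domain, counter):
    """Walk the record left to right; the first matching mechanism decides."""
    record = fetch_spf(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:                           # skip "v=spf1"
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in DNS_MECHANISMS:
            counter[0] += 1
            if counter[0] > MAX_DNS_MECHANISMS:
                raise SpfPermError(f"more than {MAX_DNS_MECHANISMS} DNS lookups")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # a: matches an A record of the target (default: the domain itself).
            # It does NOT pull in the target's own SPF record; include: does that.
            matched = str(addr) in FAKE_DNS.get((arg or domain, "A"), [])
        elif name == "include":
            matched = _evaluate(addr, arg, counter) == "pass"
        else:
            raise SpfPermError(f"mechanism {name!r} is counted but not modelled here")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                                          # nothing matched and no "all"


def check_spf(ip, mail_from_domain):
    """Return (result, dns_lookups_used) for a connection from ip claiming mail_from_domain."""
    counter = [0]
    try:
        return _evaluate(ipaddress.ip_address(ip), mail_from_domain, counter), counter[0]
    except SpfPermError:
        return "permerror", counter[0]


def count_dns_mechanisms(domain, seen=None):
    """Total lookup-causing terms in the whole SPF tree (what a 10-lookup audit needs)."""
    seen = seen if seen is not None else set()
    if domain in seen:                                        # guard against include loops
        return 0
    seen.add(domain)
    total = 0
    for term in (fetch_spf(domain) or "").split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name.lower() in DNS_MECHANISMS:
            total += 1
        if name.lower() == "include":
            total += count_dns_mechanisms(arg, seen)
    return total


def split_txt(record, limit=255):
    """Split a long record into <=limit-octet strings for one TXT RR.

    Resolvers concatenate the strings, so this sidesteps the per-string cap
    without spending a DNS lookup on an extra include:.
    """
    return [record[i:i + limit] for i in range(0, len(record), limit)]


if __name__ == "__main__":
    for ip in ("198.51.100.10", "200.12.45.120", "203.0.113.7", "192.0.2.1"):
        print(ip, check_spf(ip, "example.com"))
    print("lookups in example.com tree:", count_dns_mechanisms("example.com"))
    print("loop.example:", check_spf("192.0.2.1", "loop.example"))
```

Run as a script it prints the verdict and lookup count for each constructed sender. 192.0.2.1 ends in "fail" after three lookups because external.com's ~all softfail does not count as a pass for the include:, and loop.example shows the permerror the 10-lookup limit exists to produce.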

SPF and DMARC

SPF is a great tool for stopping mail from illegitimate sources, but it has two gaps. It authenticates the envelope sender, not the From: address the recipient actually sees, so a forger can pass SPF on a domain they control while displaying your domain in the From: header. And it provides no reporting: you cannot see how often, when or from where your domain is being misused.

This is where DMARC should be applied. DMARC is another DNS TXT record, published at _dmarc.<your domain>, that tells receiving servers what to do with mail claiming to be from your domain that fails authentication (none, quarantine or reject) and where to send reports about it (the rua address in the record). It also ties SPF to the visible From: header: the SPF pass only counts if the envelope sender domain aligns with the From: domain, which closes the gap above. The reports give you visibility of misuse and of shadow services that other departments have started using to send email as you. Critically, because an SPF record that misses a legitimate source will hurt your deliverability, DMARC reporting is how SPF should be rolled out: publish a p=none policy first, read the reports, fix the senders you missed, then tighten the policy.
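As an added example that is not code from the original post, here is the DMARC side of that decision: look up the policy, check whether the SPF-authenticated envelope domain aligns with the From: domain, and return the disposition and the rua report addresses. It goes slightly beyond the text by also showing the sp= subdomain policy and strict versus relaxed alignment. Everything in it is constructed: the _dmarc record, the domains and the report address are placeholders, organisational-domain detection is simplified to the last two labels (real receivers use the Public Suffix List), and DKIM is left out because this post covers the SPF half.

```python
"""Constructed DMARC (RFC 7489) policy lookup with SPF alignment.

Added example, not the blog post's code. The _dmarc record, domains and
report address are constructed. Organisational-domain detection is simplified
to "the last two labels"; real receivers use the Public Suffix List. DKIM is
omitted because the post is about the SPF half of DMARC.
"""

# Constructed stand-in for the TXT record published at _dmarc.<domain>.
FAKE_DMARC = {
    "example.com": ("v=DMARC1; p=reject; sp=quarantine; aspf=r; "
                    "rua=mailto:dmarc-rua@example.com"),
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict and apply RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("aspf", "r")          # relaxed SPF alignment unless aspf=s is published
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (assumption: no PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def spf_aligned(from_domain, mail_from_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == mail_from_domain.lower()
    return org_domain(from_domain) == org_domain(mail_from_domain)


def report_addresses(tags):
    """Aggregate-report recipients from rua=; only mailto: URIs are handled here."""
    uris = (u.strip() for u in tags.get("rua", "").split(","))
    return [u[len("mailto:"):] for u in uris if u.startswith("mailto:")]


def dmarc_disposition(from_domain, mail_from_domain, spf_result):
    """Return (disposition, report_addresses) for one message.

    from_domain is the domain in the visible From: header, mail_from_domain is
    the envelope sender SPF was checked against, spf_result is SPF's verdict.
    """
    from_domain = from_domain.lower()
    record, use_sp = FAKE_DMARC.get(from_domain), False
    if record is None:                    # RFC 7489 discovery: fall back to the org domain
        record, use_sp = FAKE_DMARC.get(org_domain(from_domain)), True
    if record is None:
        return "none", []                 # no policy published; receiver is on its own
    tags = parse_dmarc(record)
    policy = tags.get("sp", tags["p"]) if use_sp else tags["p"]
    if spf_result == "pass" and spf_aligned(from_domain, mail_from_domain, tags["aspf"]):
        return "pass", report_addresses(tags)
    return policy, report_addresses(tags)


if __name__ == "__main__":
    cases = [
        ("example.com", "example.com", "pass"),        # own mail server
        ("example.com", "bulk.example.com", "pass"),   # subdomain bounce address, relaxed alignment
        ("example.com", "esp-bounces.net", "pass"),    # ESP passes SPF on its own domain: no alignment
        ("news.example.com", "news.example.com", "fail"),  # subdomain with no record: sp= applies
    ]
    for case in cases:
        print(case, "->", dmarc_disposition(*case))
```

The third case is the one shadow services produce: the marketing platform passes SPF for its own bounce domain, so SPF alone looks fine, yet the From: header is yours and does not align, so DMARC applies p=reject. The aggregate reports sent to the rua address are how you find such a sender before you move from p=none to a blocking policy.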

If you would like to learn more about DMARC and SPF, you can download our complimentary DMARC mind map by pressing the button below.