SPF Record - Explained


SPF, DKIM and DMARC are the email authentication protocols that companies use to reduce phishing. Phishing and email spam are among the biggest opportunities for attackers to enter a network: if a user opens a malicious email attachment, it can compromise an entire enterprise with ransomware, crypto-jacking scripts, data leakage or privilege-escalation exploits.


SPF is an acronym for “Sender Policy Framework”. Like the other two checks, SPF is published as a DNS TXT record; it specifies which IP addresses and/or servers are allowed to send email “from” that particular domain. It’s essentially like the return address on a letter or postcard that lets the recipient know who sent it. The idea is that a recipient who can verify who sent the letter is more likely to trust and open it.


Sender Policy Framework (SPF) publishes a policy in your domain’s DNS that restricts which hosts may send email from your domain, which helps prevent domain spoofing. It lets a receiving mail server determine whether a message that claims to come from your domain was actually sent by an authorized host. SPF has three major elements: the policy framework its name implies, an authentication method (the receiver compares the connecting IP against the published record), and headers added to the delivered email that convey the result of that check. SPF was first published as IETF RFC 4408 in 2006 and was most recently updated by RFC 7208 in 2014.


CHECKING FOR SPF RECORDS

SPF Checker website by MX Toolbox
  • Enter the domain name and search for its records. For example, github.com.
  • If you get results like the ones below, the domain publishes an SPF record.
SPF Records of GitHub
If the domain does not have a record, see the section below.

Create SPF Records

An SPF record is a simple string that a domain administrator can create and add to DNS as a TXT entry. A few things to keep in mind:
  • The SPF version being used.
  • The IPs that are authorized to send email for the domain.
  • Any third-party domains that are authorized to send email on its behalf.
  • An ending "all" tag that tells a receiving server what to do when the sending IP/domain is not part of the SPF record.

v=spf1 ip4:22.23.24.25 include:another-domain-that-can-send-email-for-us.com -all

  • v=spf1 - This simply states that version 1 of SPF is being implemented. There is no other version at this point, so this should always be “v=spf1”, at least until another version is released. (If you’re curious, there was another variant at one time, SenderID, but it has been discontinued.)
  • ip4:22.23.24.25 - This is the IP address of the mail server and/or domain that’s authorized to send email. Multiple IPs can be used, so if your mail provider rotates IPs, all of them can be listed either individually (ip4:22.23.24.25 ip4:12.13.14.15) or as a CIDR range (ip4:22.23.24.0/20). Note that both IPv4 and IPv6 addresses should be listed if the mail server uses both; IPv6 addresses go in an ip6: term.
  • include:another-domain-that-can-send-email-for-us.com - This is a secondary domain that is authorized to send email on behalf of the primary mail domain; the receiver evaluates that domain’s own SPF record. If multiple domains are authorized, they should all be listed as separate “includes.” However, SPF allows at most 10 DNS-lookup terms per evaluation, and every include counts as one of them.
  • all - The “all” tag tells the receiving server how to handle a message when the sending server is not matched by any earlier term in the SPF record. There are a few options, dictated by the character that precedes the “all” tag. These are:
    • -all (dash all) - This is a hard fail. Servers that aren’t listed in the SPF record aren’t recognized or authorized to send email for the domain, so the email should be rejected by the receiving server.
    • ~all (tilde all) - This is a soft fail. The server isn’t listed in the SPF record, but the message should not be flat-out rejected by the receiving server. Instead, it will be marked as possible spam.
    • +all (plus all) - THIS IS NOT RECOMMENDED. This tag means every sender is treated as authorized, even if it isn’t listed in the SPF record, which makes the record useless.
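To make the record syntax and the qualifier semantics above concrete, here is an added example that is not part of the original post: a minimal SPF evaluator plus a pre-publication linter for record authors. It implements only the ip4, ip6, include and all terms discussed in this article, enforces the 10-lookup limit, and reads records from a constructed in-memory table (FAKE_DNS_TXT) in place of real DNS; the domains and addresses in that table are made up for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS TXT lookups (assumption: a real checker would
# query DNS instead). Domains and addresses here are made up for the example.
FAKE_DNS_TXT: Dict[str, str] = {
    "example.test": "v=spf1 ip4:22.23.24.25 ip6:2001:db8::/32 "
                    "include:mailer.example.test -all",
    "mailer.example.test": "v=spf1 ip4:198.51.100.0/24 ~all",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record: str) -> List[Tuple[str, str, str]]:
    """Split an SPF record into (qualifier, mechanism, argument) triples.
    Raises ValueError when the record does not start with v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 prefix")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        sep = ":" if ":" in term else "="  # mechanisms use ':', modifiers '='
        mechanism, _, argument = term.partition(sep)
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_spf(domain: str, sender_ip: str, dns: Dict[str, str] = FAKE_DNS_TXT,
              _lookups: Optional[List[int]] = None) -> str:
    """Evaluate sender_ip against the SPF record of `domain`, in record order.
    Returns pass, fail, softfail, neutral, none or permerror. Only the ip4,
    ip6, include and all terms are implemented; a, mx, ptr, exists and
    redirect are reported as permerror so no record is silently misjudged."""
    if _lookups is None:
        _lookups = [0]  # shared counter across nested include evaluations
    record = dns.get(domain)
    if record is None:
        return "none"  # nothing published: the receiver applies its default
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_record(record):
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif mechanism == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # too many DNS lookups: record is unusable
            inner = check_spf(argument, sender_ip, dns, _lookups)
            if inner in ("none", "permerror"):
                return "permerror"  # an included domain must publish a record
            if inner == "pass":  # include matches only on an inner "pass"
                return QUALIFIER_RESULT[qualifier]
        elif mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"
    return "neutral"  # ran off the end without a terminal all term


def lint_record(record: str) -> List[str]:
    """Warnings a domain administrator should see before publishing a record."""
    try:
        terms = parse_record(record)
    except ValueError as exc:
        return [str(exc)]
    warnings = []
    # Only top-level terms are counted; nested includes also spend lookups.
    lookups = sum(1 for _, mech, _ in terms if mech in LOOKUP_TERMS)
    if lookups > MAX_DNS_LOOKUPS:
        warnings.append(f"{lookups} DNS-lookup terms exceed the limit of "
                        f"{MAX_DNS_LOOKUPS}")
    terminal = [qual for qual, mech, _ in terms if mech == "all"]
    if not terminal:
        warnings.append("no terminal all term: unlisted senders get neutral")
    elif terminal[0] == "+":
        warnings.append("+all authorizes every sender; use -all or ~all")
    return warnings


if __name__ == "__main__":
    for sender in ("22.23.24.25", "198.51.100.7", "203.0.113.9", "2001:db8::1"):
        print(sender, "->", check_spf("example.test", sender))
    print(lint_record("v=spf1 ip4:22.23.24.25 +all"))
```

Run as-is, it classifies the four constructed senders (two pass directly, one passes through the include, one fails on -all) and flags the +all record. Note that the include term only matches when the included domain returns pass: a softfail inside the included record does not stop evaluation, which is why the primary domain's own -all still decides the result for unlisted senders.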


We hope this helps. If you have any suggestions or doubts, you can add a comment and we will reply as soon as possible.
