---
title: "How do threat actors use SPF policies in BEC attacks? | DuoCircle"
description: "How do threat actors use SPF policies in BEC attacks?"
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/email-security/how-do-threat-actors-use-spf-policies-in-bec-attacks/"
---

Quick Answer

Attackers exploit SPF in BEC in three main ways. First, they register lookalike domains (b00king.com to imitate booking.com) and publish valid SPF records so their phishing mail passes authentication and gains inbox placement. Second, they exploit SoftFail (~all) configurations: many receivers still deliver SoftFail mail, so spoofed messages from misconfigured relays slip through. Third, they intentionally push SPF records past the 10 DNS-lookup limit by adding nested includes, forcing PermError and breaking validation. Defenses are: enforce HardFail (-all), keep the SPF record under 10 lookups, authorize only services you actually use, layer DKIM and DMARC alignment so a manipulated From header still fails, and train staff to verify wire transfer and gift card requests through a second channel.

How do threat actors use SPF policies in BEC attacks?


![SPF policies in BEC attacks](https://media.mailhop.org/duocircle/images/2025/03/365-to-365-migration-3656.jpg) 

[Business email compromise](https://thehackernews.com/2024/10/microsoft-detects-growing-use-of-file.html), or BEC, is a sophisticated phishing attack conducted primarily through a combination of social engineering and deception to get access to sensitive data, files, systems, networks, etc. It’s attempted mainly by impersonating a company’s C-suite, **instructing executives** to share data or to authorize [fraudulent wire transfers](https://www.cbsnews.com/news/wire-transfer-fraud-scams-banks/#:~:text=Americans%20are%20losing%20millions%20of,doing%20to%20stop%20the%20scammers.). _For example, an executive receives an email from a scammer pretending to be their boss, urgently asking them to buy gift cards and share the codes_. They think it’s real, but it’s actually a trick to steal money!

In the last ten years, more than [$55 billion](https://www.tripwire.com/state-of-security/bec-cost-citizens-worldwide-over-55bn-last-10-years) has been lost to BEC scams worldwide, making them one of the most financially damaging cyberattack vectors. Moreover, with the advent of **generative artificial intelligence**, [threat actors are equipped and competent](https://www.forbes.com/councils/forbestechcouncil/2024/06/14/the-weaponization-of-ai-the-new-breeding-ground-for-bec-attacks/) to draft flawless, convincing emails that are devoid of spelling errors, grammatical mistakes, unprofessional language, poor graphics, etc., which are usually considered red flags of malicious emails.

This era of sophisticated BEC attacks demands stronger defenses, and SPF SoftFail may fail to fulfill that. In fact, [cybercriminals](https://www.voanews.com/a/alleged-leader-of-cybercriminals-extradited-to-us/7741605.html) have devised tactics to exploit this **relatively weaker SPF policy** to create false legitimacy. 

Let’s dive deep into understanding how attackers manipulate [SPF](https://autospf.com/blog/spf-guide-understanding-sender-policy-framework/) policies to **bypass security measures**. 

## Understanding SPF in email authentication

SPF is an [email authentication](/resources/email-authentication) protocol that enables domain owners to specify which mail servers are authorized to send emails on their behalf. This is done via a DNS TXT record, which contains a list of approved **IP addresses and mechanisms**.

When an email reaches the recipient’s server, it first queries the [DNS TXT record](https://www.cloudflare.com/learning/dns/dns-records/dns-txt-record/) of the sending domain to retrieve its SPF policy. This record lists the **authorized IP addresses** allowed to send emails on behalf of the domain. For example, an SPF record like `v=spf1 ip4:192.168.1.1 ip4:192.168.2.1 include:_spf.paypal.com -all` permits only the specified IPs and those listed in the record of `_spf.paypal.com`. The server then checks the actual sending IP against this list. If the IP matches, the email passes; if it doesn’t, it may be flagged or rejected based on the SPF policy.

A strict ‘-all’ enforces rejection (HardFail), a ‘~all’ allows delivery with warnings (SoftFail), and a ‘?all’ yields a Neutral result, which receivers treat as if no policy had been stated.

If an adversary tries to send a potential phishing email using a forged ‘**MAIL FROM**’ domain from an unauthorized IP address, the email will fail SPF authentication checks and be marked as spam or rejected.

Now, all major email service providers, like [Google, Microsoft, and Yahoo](https://autospf.com/blog/new-update-microsoft-joins-forces-for-stronger-email-authentication/), use SPF in tandem with [DKIM](/resources/what-is-dkim) and DMARC to fight BEC and other email-based cyber threats.

[![email-based cyber threats](https://media.mailhop.org/duocircle/images/2025/03/dkim-selector-6578.jpg)](https://media.mailhop.org/duocircle/images/2025/03/dkim-selector-6578.jpg)

## How do cybercriminals exploit SPF policies in BEC attacks?

SPF is effective in **preventing phishing and spoofing**. However, it’s not entirely foolproof, and threat actors have devised ways to exploit its loopholes. Here are some common ways they manipulate [SPF records](/resources/spf-records) to bypass [email security](/) and execute BEC attacks.

### Using SPF pass to create false legitimacy

_Bad actors register domains and deploy a correctly configured, legitimate SPF record for them so that phishing emails sent by them pass authentication filters_. This increases the **domain’s credibility, gaining trust** with [email service providers](https://www.activecampaign.com/glossary/email-service-provider) and ensuring most emails land in the inboxes of the targeted recipients. 

_In most cases, these domain names mimic some credible business names_. Threat actors buy domain names with lookalike characters or slight spelling variations that go unnoticed by users, **for example, buying b00king.com** to [impersonate booking.com](https://www.bleepingcomputer.com/news/security/clickfix-attack-delivers-infostealers-rats-in-fake-bookingcom-emails/).

Such BEC attack tactics are now encouraging businesses to buy as many lookalike or cousin domains as possible to preemptively prevent cybercriminals from exploiting their **brand name online**. 
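The lookalike-domain tactic described above (b00king.com standing in for booking.com) can be caught on the receiving side with a small heuristic: map common digit-for-letter substitutions back to letters, then compare the sender’s registrable label against a list of protected brands by edit distance. The following is an added example written for this article, not code from DuoCircle or from any product it describes; the homoglyph table, the `protected_domains` list and the sample From addresses are constructed for illustration, and taking the second-to-last label as the registrable part is a simplification (real deployments consult the Public Suffix List).

```python
# Added example: flag sender domains that imitate a protected brand.
# Homoglyph tables below are illustrative and deliberately small.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"}
MULTI = {"rn": "m", "vv": "w"}  # two-character look-alikes


def normalize_label(label: str) -> str:
    """Undo common visual substitutions (b00king -> booking, rnail -> mail)."""
    s = label.lower()
    for src, dst in MULTI.items():
        s = s.replace(src, dst)
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in s)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert / delete / substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Simplification: second-level label only (booking.com -> 'booking')."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_match(sender_domain: str, protected_domains, max_distance: int = 1):
    """Return the protected domain that sender_domain imitates, or None.

    The genuine domain itself is never flagged; everything else is compared
    after homoglyph normalisation, first by equality and then by edit distance.
    """
    if sender_domain.lower() in {d.lower() for d in protected_domains}:
        return None
    candidate = normalize_label(registrable_label(sender_domain))
    for brand in protected_domains:
        brand_label = registrable_label(brand)
        if candidate == brand_label or levenshtein(candidate, brand_label) <= max_distance:
            return brand
    return None


def scan_senders(from_addresses, protected_domains):
    """Map each suspicious From address to the brand it resembles."""
    flagged = {}
    for addr in from_addresses:
        domain = addr.rsplit("@", 1)[-1]
        hit = lookalike_match(domain, protected_domains)
        if hit:
            flagged[addr] = hit
    return flagged


if __name__ == "__main__":
    # Constructed sample senders, not real mail.
    protected = ["booking.com", "paypal.com"]
    sample = ["ceo@b00king.com", "hr@booking.com", "billing@paypa1.com", "x@example.org"]
    print(scan_senders(sample, protected))
```

The threshold of one edit is intentionally tight; widening it catches more cousin domains but also flags legitimate short names, so in practice the output feeds a review queue or a DMARC-report triage step rather than an automatic block.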

[Read here how a Chinese venture capital firm lost 1 million dollars when a cybercriminal used fake domains.](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/bec-scam-successfully-steals-us-1-million-using-look-alike-domains?utm%5Fsource=chatgpt.com) 

### SPF SoftFail and HardFail bypass

Organizations often misconfigure SPF with SoftFail (~all) instead of **enforcing HardFail (-all)**, allowing unauthorized emails to be delivered even if they fail SPF checks. Some [mail servers](https://www.techtarget.com/whatis/definition/mail-server-mail-transfer-transport-agent-MTA-mail-router-Internet-mailer) accept SoftFail emails, assuming they are from legitimate but unverified sources, which attackers exploit.

This way, threat actors take advantage of **third-party email accounts** or misconfigured relay servers to send phishing emails that easily bypass authentication filters.

### Exceeding SPF lookup limits

The SPF specification (RFC) imposes a limit of a maximum of 10 [DNS lookups](https://www.digicert.com/faq/dns/how-does-dns-lookup-work) per SPF record evaluation. If an SPF record exceeds this limit, the validation process fails with a PermError. Attackers intentionally exploit this limit by **adding multiple ‘include:’** statements to the targeted domain’s SPF record, triggering an SPF validation failure.
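To make the mechanisms, the three ‘all’ qualifiers and the 10-lookup limit concrete, here is a small SPF evaluator written as an added example for this article (it is not DuoCircle code or any production library). It covers the record syntax from the “Understanding SPF” section, the SoftFail versus HardFail outcome from the previous section, and the PermError that this section describes. DNS is replaced by a constructed in-memory `ZONE` dictionary so that it runs offline; the domains in it are documentation names, not real zones. Only `ip4`, `ip6`, `include` and `all` are matched; `a`, `mx`, `ptr` and `exists` are counted as lookups but never match, and `redirect=` is not handled, which is enough to show the behaviour under discussion.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record (offline demo).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "softfail.example": "v=spf1 ip4:192.0.2.10 ~all",
    "neutral.example": "v=spf1 ip4:192.0.2.10 ?all",
}
# A deliberately over-nested chain: bloated.example -> inc0 -> inc1 -> ... -> inc12,
# which needs more than 10 lookups to resolve.
for i in range(12):
    ZONE[f"inc{i}.example"] = f"v=spf1 include:inc{i + 1}.example -all"
ZONE["inc12.example"] = "v=spf1 ip4:203.0.113.5 -all"
ZONE["bloated.example"] = "v=spf1 include:inc0.example -all"

MAX_LOOKUPS = 10
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")


def evaluate_spf(domain: str, sender_ip: str, counter=None) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip.

    `counter` is a one-element list shared across nested includes so the
    DNS-lookup budget is global for the whole evaluation, as the RFC requires.
    """
    counter = counter if counter is not None else [0]
    record = ZONE.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in LOOKUP_MECHANISMS:
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            # ip_network.__contains__ returns False on an IPv4/IPv6 mismatch.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            sub = evaluate_spf(arg, sender_ip, counter)
            if sub == "permerror":
                return "permerror"
            if sub == "pass":
                return QUALIFIER_RESULT[qualifier]
            # any other include result is simply "no match": keep scanning
    return "neutral"  # record ended without an 'all' term


def count_lookups(domain: str, seen=None) -> int:
    """Defender-side audit: total lookup mechanisms reachable from a record."""
    seen = seen if seen is not None else set()
    if domain in seen:
        return 0
    seen.add(domain)
    total = 0
    for term in ZONE.get(domain, "").split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include":
            total += count_lookups(arg, seen)
    return total


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.10"), ("example.com", "203.0.113.5"),
                    ("softfail.example", "203.0.113.5"), ("bloated.example", "203.0.113.5")]:
        print(f"{dom:20} {ip:15} -> {evaluate_spf(dom, ip)}")
    print("lookups for bloated.example:", count_lookups("bloated.example"))
```

Note the asymmetry the article relies on: an unauthorized IP gets `fail` from `example.com` but only `softfail` from `softfail.example`, and whether `softfail` is delivered is entirely the receiver’s choice. `count_lookups` is the check to run against your own record before publishing a change; anything above 10 turns every message into a PermError.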

## How to prevent SPF-based BEC attacks?

Business owners need a **multi-layered defense strategy** to protect their brands from BEC attacks. Here are the key defenses that can help mitigate the risks.

### Implement strict SPF policies

**SPF’s effectiveness depends** on which policy you have set. Organizations often misconfigure [SPF with SoftFail](/what-is-spf-softfail) (~all), allowing unauthorized emails to be delivered instead of rejected. This creates an entry point for cybercriminals, as many mail servers still accept SoftFail emails.

Setting your SPF record to HardFail instead of SoftFail **provides optimum protection** against targeted BEC attacks. This ensures that unsolicited and [illegitimate emails](https://www.linkedin.com/pulse/illegitimate-emails-protect-yourself-indigo-it-limited) are rejected outright.

Moreover, only authorize services that are necessary for business operations (e.g., **Microsoft 365, Google Workspace**). Overly permissive SPF policies increase the attack surface.

### Using SPF in tandem with DKIM and DMARC

_SPF is not enough when it comes to fending off BEC attacks targeted at your company_. This is because it’s possible to manipulate an email’s ‘From’ field to impersonate a **trusted sender and bypass** SPF verification checks. This is why DKIM and [DMARC](https://dmarcreport.com/) should also be a part of your defensive toolkit.

DKIM adds a [cryptographic signature](https://www.ibm.com/docs/en/food-trust?topic=automation-cryptographic-signatures) to verify email integrity, ensuring the email was not altered in transit. Attackers cannot easily forge **DKIM-protected emails**. DMARC, on the other hand, allows you to define how an email server should handle SPF or DKIM failures. You can instruct receivers to either mark such emails as spam or reject them outright.
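The gap the previous two paragraphs describe is alignment: SPF checks the envelope (MAIL FROM) domain, but the recipient only ever sees the header From, and nothing in SPF ties the two together. DMARC closes it by requiring that the SPF-authenticated or DKIM-signing domain align with the header From domain. The following is an added example for this article, not DuoCircle code; it implements the DMARC pass/fail decision for constructed messages, parsing the `p=`, `aspf=` and `adkim=` tags from a record string. `org_domain` takes the last two labels as the organizational domain, a simplification of the Public Suffix List lookup real validators use.

```python
# Added example: DMARC identifier alignment over SPF and DKIM results.
# Message fields and DMARC records below are constructed for illustration.


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; aspf=r' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain: str) -> str:
    """Simplification: last two labels (bounce.victim.example -> victim.example)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain: str, dmarc_record: str, spf_result: str,
                   mailfrom_domain, dkim_result: str, dkim_domain):
    """Return ('pass', 'deliver') or ('fail', <requested policy>).

    DMARC passes when EITHER an aligned SPF pass OR an aligned DKIM pass exists.
    An SPF pass on an unrelated MAIL FROM domain counts for nothing.
    """
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", tags.get("p", "none")


if __name__ == "__main__":
    policy = "v=DMARC1; p=reject; aspf=r; adkim=r"
    # Constructed BEC attempt: SPF passes for the attacker's own lookalike domain,
    # but the header From claims the protected domain, so nothing aligns.
    print(dmarc_evaluate("victim.example", policy, "pass", "b00king.example", "none", None))
    # Constructed legitimate message: bounce subdomain aligns in relaxed mode.
    print(dmarc_evaluate("victim.example", policy, "pass", "bounce.victim.example", "none", None))
```

The first call is the scenario from the “SPF pass to create false legitimacy” section: a perfectly valid SPF record on the attacker’s domain yields `('fail', 'reject')` once the header From is checked, which is exactly why the article recommends layering DMARC on top of SPF. Switching `aspf=r` to `aspf=s` makes the second, legitimate message fail too, so strict alignment should only be enabled once bounce and third-party sending domains have been reviewed.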

[![Marked as Spam or Rejected ](https://media.mailhop.org/duocircle/images/2025/03/phishing-protection-9086.jpg)](https://media.mailhop.org/duocircle/images/2025/03/phishing-protection-9086.jpg)

### Employee awareness and email security training

Even with the best email authentication policies, BEC attacks often succeed due to human error. Attackers use [social engineering](https://thehackernews.com/2025/02/ai-powered-social-engineering.html) tactics to manipulate employees into approving fraudulent transactions, sharing sensitive data, or [clicking on malicious links](https://www.mcafee.com/blogs/internet-security/what-are-the-risks-of-clicking-on-malicious-links/). Training employees to recognize suspicious emails is just as **critical as securing** [email infrastructure](https://www.voilanorbert.com/blog/email-infrastructure/).

Educate them on common BEC tactics, such as [CEO fraud](https://www.trendmicro.com/vinfo/mx/security/news/cyber-attacks/unusual-ceo-fraud-via-deepfake-audio-steals-us-243-000-from-u-k-company), [invoice scams](https://www.infosecurity-magazine.com/news/cybercriminals-exploit-docusign/), and urgent wire transfer requests. Also, encourage them to **double-check sender details** and use alternate communication channels, like phone calls, to confirm requests.

Brad Slavin, General Manager at DuoCircle. Published March 21, 2025; updated April 8, 2025.

