Prevent Spoofing And Phishing By Studying An SPF Record Example

Sender Policy Framework (SPF) is an email authentication method that helps organizations prevent phishing and spoofing attacks. When an SPF record has been set up for a domain, the receiving server compares the sender's IP address with the IP addresses registered as authorized for that domain. If the IP addresses do not match, the receiving server takes action against the email according to predetermined rules.


How the Sender Policy Framework Prevents Email Spoofing

Adversaries spoof emails by forging the sender addresses of legitimate organizations and users. The core protocols behind email do not possess any authentication mechanisms for preventing this. Attackers can, thus, easily spoof emails.

When an email is sent over SMTP, two pieces of address information are provided by the initial connection:

MAIL FROM

MAIL FROM specifies the sender address. No checks are done to see whether a sender is authorized to send an email from that address. It is generally passed to the recipient as the "Return-Path:" header; however, it is usually not visible.

RCPT TO

RCPT TO specifies the recipient email address and may be present in the Received header.

By default, the sending system does not carry out checks on whether a sender is authorized to send emails on behalf of that address. Spoofers can thus forge an email address. However, SPF can prevent this. With SPF, domain owners create an SPF record and publish it in the DNS. The SPF record contains the IP addresses that are allowed to send email from that server or domain.

Whenever an email is sent, the recipient email server checks whether an SPF record is available for the sender's domain. If one is available, the sender's IP address is verified against the addresses published by the owner of the email domain. If the sending IP address matches an IP address in the SPF record, the email message is delivered to the inbox. Otherwise, action is taken against it.

Understanding SPF Record Syntax by Considering Examples

Consider a case with the following SPF record example, where an email failed authentication:

"v=spf1 ip4:152.163.0.1 ip4:191.162.0.1 include:spf.protection.outlook.com -all"

Here is how the SPF record syntax breaks down:

  • v=spf1 defines the TXT record as an SPF record.
  • ip4 shows that IP version 4 addresses are being used.
  • The IP addresses are added to the SPF TXT records and are often the addresses of outbound mail servers.
  • The domain name is the domain of the legitimate sender.
  • Enforcement rules are hard fails (-all), soft fails (~all), or neutral (?all). A hard fail prevents emails from getting delivered, but the other rules deliver them.

If an email comes from any address other than 152.163.0.1 or 191.162.0.1, say 177.153.0.5, and that address is not authorized by the included spf.protection.outlook.com record either, it would undergo a hard fail.
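The evaluation described above, as an added example that is not from the original page: a minimal Python evaluator for the ip4, include and all mechanisms, run against the page's record. The domain example.org, the function check_spf and the CONSTRUCTED_DNS table (including the placeholder contents of the included record) are assumptions made so that it runs offline.

```python
import ipaddress

# Constructed TXT data standing in for DNS so the example runs offline.
# example.org is a hypothetical domain holding the page's record; the
# spf.protection.outlook.com entry is a placeholder, not the real record.
CONSTRUCTED_DNS = {
    "example.org": "v=spf1 ip4:152.163.0.1 ip4:191.162.0.1 "
                   "include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=CONSTRUCTED_DNS, depth=0):
    """Evaluate ip4, include and all terms left to right; first match wins."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"           # no SPF policy published for this domain
    if depth > 10:
        return "permerror"      # simplified guard against include loops
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"         # a term without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            # A bare address is treated as a /32 network.
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only when the included policy returns "pass";
            # the included record's own -all does not end the outer check.
            matched = check_spf(sender_ip, value, dns, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this example's scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"            # nothing matched and no "all" term present


if __name__ == "__main__":
    for addr in ("152.163.0.1", "198.51.100.7", "177.153.0.5"):
        print(addr, check_spf(addr, "example.org"))
```

Swapping -all for ~all in the outer record turns the last result from fail into softfail, which is the difference between the enforcement rules listed above.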


How To Prevent Errors With an SPF Record

Checking an SPF record before implementation helps prevent issues when it is updated. To test and validate an SPF record, users can make use of several online tools. These tools not only validate a record but also highlight any issues with it. For example, they can help remedy common errors such as "550 rejecting for sender policy framework."

SPF lets receiving servers act against illegitimate email messages sent from unauthorized sources. It is a practical yet simple-to-implement technology, and anyone who runs into issues can quickly look up how to create SPF records online. Popular domain managers such as GoDaddy are also compatible with widely used office suites such as Office 365, making it easier to set up the Sender Policy Framework for Office 365.
