SPOOFING CAN BE A SERIOUS THREAT TO YOUR BUSINESS, ARE YOU WILLING TO PROTECT YOURSELF?
If you have been in any way became a victim of spoofing, or been asked “why my email address being spoofed?” First, for those of you who have a minimum or no idea about the term email spoofing is – here’s the definition.
A tactic used to create email messages with a forged sender address. The sender purposely alters a few parts of the email to masquerade as though it looks like it comes from someone or somewhere it does not.
The danger behind email spoofing
- A poor reputation of your business’s mail domain
- Can invite legal challenges for your business
- Your mail domain can be a source of email addresses for spammers
- Your mail server can be blacklisted
Protect from email spoofing
The best practice to stop email spoofing is to add an SPF (Sender Policy Framework) record, a type of Domain Name Service (DNS) that identifies the mail servers that are permitted to send an email from your domain. Consider ways to reduce your business email fraud and improve security using latest Cloud Technologies.
Prevent spammers creating an SPF record
The purpose of an SPF record is to prevent spammers sending messages with a forged ‘From’ addresses at your domain. Recipients can refer SPF record to determine whether or not a message purporting to be from your domain is from an authorized mail server. For instance, let your domain, example.com uses Officee65 mail service. You create an SPF record to identify the O365 mail servers as the authorized mail servers for your domain. When a recipient’s mail server receives a message from email@example.com, it can check the SPF record, example.com to determine whether it is a valid message or not. If the message comes from a server other than the O365 mail servers listed in the SPF record, the recipient’s mail server can reject it considering as spam. If your domain does not have an SPF record, some recipient domains may reject messages from you, because they cannot validate if a message comes from an authorized or unauthorized mail server. If you’ve already set the SPF record for your domain, it means, you have set O365’s servers in the SPF records.
- If you have an existing SPF record, you can update it to authorize an additional mail server
- Do not create multiple SPF records until it is necessary because the creation of multiple SPF records may cause authorization problems
How to find SPF record of your domain from command line?
The SPF record is stored within a DNS database and is bundled with the DNS lookup information. You can manually check the Sender Policy Framework (SPF) record for a domain by using nslookup as follows:
- Open Command prompt (Start > Run > cmd)
- Type “nslookup -type=txt” a space, and then the domain/host name. e.g. “nslookup -type=txt google.com”
- If an SPF record exists, the result would be similar to: “v=spf1 ip4:18.104.22.168/19 -all”
- If there are no results or if there is no “v=spf1” property, there is a problem retrieving the record for the domain, or one does not exist
How to read the SPF record?
- “v=spf1” – shows that the record is of type SPF (version 1)
- “ip4:22.214.171.124/19” – lists the IP network range of servers allowed to send emails for the domain. This may look similar to “mx:126.96.36.199” which indicates the ip address for the MX record (email server). Usually, there will be either “ip:” or “ip4:” listed
- “-all ” is the part of the record that indicates what is recommended to do if the sending IP address does not match with the record. This is determined by publisher of the SPF portion to the DNS record, such as the owner of the domain. For example: if you want to ensure that people do not forge your domain, you will have to put a “-all” to indicate that if any portion of the sending email does not match the record, you recommend the recipient server to reject the email. This is referred as a hard fail
- Types of rejection levels:
- -all (reject or fail them – don’t deliver the email if anything does not match)
- ~all (soft-fail them – accept them, but mark it as ‘suspicious’)
- all (pass regardless of match – accept anything from the domain)
- ?all (neutral – accept it, nothing can be said about the validity if there isn’t an IP match)
Most records will have a “~all” listed in the SPF record, because the domain owner leaves a room for the possibility of a new server getting created and might forget to update the SPF record with the new IP address of that server. This also allows regular machines to send email without causing too much of an interruption. Very large domains such as gmail.com have “?all” in their records to leave it up to the recipient, determine what to do with an email when received. For authoritative information on SPF record syntax, visit this page –http://www.openspf.org/SPF_Record_Syntax
Understanding SPF Compliance
To get your compliance rate, you will need to check feedback from your recipients. Once you understand the issues, you can consider how to improve compliance:
- Take a note of IP addresses and domains that are low in compliance
- For each IP address and domain, investigate its origin • Check if the domain or email partner hasn’t been included in your SPF record. Often, CRMs, Email Marketing, Marketing Automation, Order Management and Customer Support/Ticketing Systems send emails on your behalf • Identify whether the IP address belongs to a new email partner or an existing partner. Partners may add a new IP range from time to time • Find out whether the IP address belongs to a forwarder that one your partners use? Forwarders are difficult to track, however, you may need to investigate or change your contract terms
- For valid IP addresses and domains, add them to your SPF (or negotiate with the department that hired them to stop using that service)
- For invalid IP addresses, there are options you can take through Domain Message Authentication Reporting & Conformance (DMARC), instruct your recipients to reject SPF-non-compliant email.
SPF Compliance requires regular review of your DMARC digests and statistics. Doing so will eventually improve your email delivery and your online reputation.
Stay tuned for more info about DMARC & DomainKeys Identified Mail (DKIM) in the next post.