There is a plethora of online resources discussing what SPF is and how to configure it for your domains; an explanation of why you need to configure Sender Policy Framework is much harder to find. This article explains not only why you should set up SPF, but why you need to.
Prior to understanding the ‘why’, it’s important to consider what SPF actually does. What is it good for?
What Does Sender Policy Framework (SPF) Actually Do?
In essence, SPF provides a mechanism for domain owners to tell email receivers where their email originates. Without getting too technical, one of the primary reasons for using SPF is that by letting others know which sources are expected and authorized to send email for your domain, you make it easier for receivers to neutralize forgeries before they are placed in front of the recipients. Considered like this, deploying SPF would seem to be a simple matter: you publish a DNS record (the SPF record) that lists your company’s email sources, so that email receivers can be confident that email claiming to come from you actually is coming from you, and not from somebody spoofing your domain, and it should just work. Pretty straightforward, right?
Unfortunately, the real world is seldom so simple.
Some things break SPF. Email forwarding and mailing lists are two common examples, because in both cases the last sending source isn’t the originator of the email. (Of course, there are smart people working on solutions for these as we speak, and SPF remains not only useful, but imperative to the accurate delivery of your email.)
Of course, spammers and forgers have become increasingly adept at what they do. They have evolved to send ever more convincing fake messages as part of their schemes to deceive unsuspecting users, and the number of cases where users are fooled by spoofed email seems to be on the rise. (For an example of where this happened very recently — and easily — causing a company to lose over $4,000,000, see this article at The Internet Patrol.)
SPF is part of the response to these threats, allowing you to state emphatically that if email seems to be coming from you, but doesn’t jibe with what is in your SPF record, it’s probably fake.
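To make the mechanism described above concrete, here is a small Python evaluator that does what a receiving mail server does with your SPF record: it walks the mechanisms left to right and returns pass, fail, softfail or neutral for the connecting IP address. This is an added illustration, not code from the original article. The record, the hypothetical domain "example.com" and every IP address are constructed examples, and only the ip4, ip6 and all mechanisms are handled; include, a, mx, ptr, exists and redirect need DNS lookups and are left out on purpose.

```python
"""Minimal SPF evaluation against a published record (ip4, ip6 and all only).

Added illustration, not code from the article. The record, the domain name
and every IP address below are constructed examples. Mechanisms that need
DNS lookups (include, a, mx, ptr, exists, redirect) are deliberately not
resolved here; a production evaluator follows RFC 7208 for those.
"""
import ipaddress

# Constructed record for a hypothetical "example.com": two authorised
# outbound ranges, then a hard fail ("-all") for every other source.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# Same sources with a soft fail, which many receivers treat as
# "accept, but mark as suspicious" rather than reject outright.
SOFTFAIL_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), value))
    return parsed


def check_spf(record, sending_ip):
    """Return the SPF result for the connecting IP: pass, fail, softfail or neutral.

    Mechanisms are evaluated left to right; the first one that matches the
    sending IP decides the result, exactly as a receiving MTA does it.
    """
    ip = ipaddress.ip_address(sending_ip)
    for qualifier, mechanism, value in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"{mechanism!r} needs DNS; not handled here")
    # RFC 7208: nothing matched and there is no 'all' term
    return "neutral"


if __name__ == "__main__":
    # Legitimate MTA inside the published range.
    print(check_spf(EXAMPLE_RECORD, "192.0.2.10"))      # pass
    # Spoofer sending from an unlisted address: the forgery is exposed.
    print(check_spf(EXAMPLE_RECORD, "198.51.100.7"))    # fail
    # Plain forwarding: a genuine message relayed by a forwarder at an
    # unlisted address fails too, which is the breakage described above.
    print(check_spf(EXAMPLE_RECORD, "203.0.113.9"))     # fail
    print(check_spf(SOFTFAIL_RECORD, "203.0.113.9"))    # softfail
```

The forwarding case is the one to note: the same record that exposes the spoofer also rejects a legitimate message once a forwarder at an unlisted address becomes the "last sending source", which is why SPF is deployed alongside DKIM and DMARC rather than on its own.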
Why Implement SPF?
There are many reasons that you should — we would say that you must — have SPF set up, and have it set up correctly.
SPF Provides Brand Protection
When your customers receive email from your domain, they automatically associate it with your brand. After all, your domain name is an important part of your brand on the Internet. Along with your website and your social network presence, email is a very important channel for engaging with your customers. Just as you should implement TLS (Transport Layer Security, the successor to SSL) to protect your website, you should implement all available email authentication mechanisms, not just to keep your email stream safe, but to provide assurance to all of the receivers of your email.
Just as importantly, providing this assurance helps make sure that your email gets delivered to their inbox; more about this in a moment.
SPF helps protect the email channel, reducing the threat of someone else impersonating your domain — your brand — and duping your customers. Not implementing SPF can be thought of as the Internet domain equivalent of not protecting your trademarks, a situation that jeopardizes your brand. And worse, not publishing email authentication such as SPF opens the door to a number of threats to both you and your customers, including:
- Fake email claiming to be from your billing department, “updating” the way in which payments are to be sent.
- Forged “special offers” claiming to be from your organization, inviting customers to try a new product or to sign up at a “new & improved” page.
- Account access warnings, asking customers to “identify in order to stop unauthorized activity” through a “special security portal”.
These are not hypothetical cases. Members of our own staff have assisted law enforcement in investigations involving all of these scenarios. We’ve also helped many of our customers protect against this risk by assisting them in implementing sensible email policies, including SPF. (See our information here for assistance setting up email authentication mechanisms including SPF, DKIM, DMARC, and rDNS.)
SPF Helps Thwart Company Fraud
We’ve discussed how SPF can help your customers identify and reject fake email seeming to come from your company, but what about your vendors and service providers, or even your own employees? In the article at The Internet Patrol that we mentioned above, scammers recently managed to have $4,770,226.00 transferred to their own accounts simply by spoofing email from the company’s CEO to a clerk in the company’s accounts payable department.
While it’s nice to think that your company is immune to this, the truth is that even the most diligent staff — eager to help — are vulnerable to spoofed emails presenting a credible emergency.
What would your DNS provider do when presented with an email from “your CEO” requesting an “emergency DNS change” after hours? What about an email to your ISP requesting “application of an emergency Access Control List (ACL) to stop a malware outbreak on our network from spreading”? What if your hosting provider received an email requesting a change of hosting plan or additional capacity?
These too are real-life examples whose investigation and mitigation members of our staff have assisted with (the point is, we know what we’re talking about). In none of these cases was any SPF protection in place. Had it been — which would have taken less than an hour of the companies’ time — email authentication technologies such as SPF would have reduced or eliminated the avenue of attack and prevented the risks and losses to the company.
SPF Helps Get Your Email Delivered to the Inbox
Even if you are not worried about any of the above (although you should be) — in fact, even if you are the most selfish, self-serving company on the planet — you will still want to have SPF set up, and set up correctly, because it helps make sure that your email is delivered to the inbox. Actually, let’s put that in even simpler terms: SPF helps make sure that your email is not sent to the spam folder or rejected outright.
Don’t believe us?
Here is a rejection message from Gmail, about why an email ended up in the spam folder:
Just last year, tech outfit ZDNet published a report indicating that, according to various online security organizations, more than half of the domains on the Internet have either incorrectly set up domain authentication, or no domain authentication at all!
In fact, security company Detectify analyzed the top 500 domains, as determined by Alexa, and found that over half of the top 500 domains in the world do not have proper authentication set up.
That means that billions of pieces of email every single day are going out without adequate authentication, such as SPF, which in turn means that those companies, and their customers, are vulnerable to spoofing attacks. And it also means that their email is as likely as not to be going to the spam folder, or entirely rejected, either because it looks like it is spoofed or, at very least, it is coming from a domain that is vulnerable to being spoofed.
Don’t be one of them.
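Checking whether your own domain is one of the “incorrectly set up” ones is quick. The following Python lint is an added illustration, not code from the original article or from any of the organizations it cites: you hand it the TXT strings published at your domain (it does no DNS queries itself) and it reports the mistakes that most often leave a domain unprotected. The rules come from RFC 7208: exactly one v=spf1 record, at most 10 terms that trigger DNS lookups, and a policy that actually ends in a fail rather than “+all” or no “all” at all. The sample record sets in the main block are constructed.

```python
"""Lint a domain's published TXT records for the SPF mistakes that leave a
domain "incorrectly set up" or unprotected.

Added illustration, not code from the article. No DNS is queried: pass the
TXT strings in directly. The sample record sets in main() are constructed.
Rules follow RFC 7208: exactly one v=spf1 record; at most 10 terms that
cause DNS lookups (include, a, mx, ptr, exists, redirect); and a policy that
actually ends, i.e. neither '+all' nor a record with no 'all' term.
"""

DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10


def term_name(term):
    """Strip qualifier, ':' argument, '=' argument and '/' CIDR from an SPF term."""
    if term[0] in "+-~?":
        term = term[1:]
    for separator in (":", "=", "/"):
        term = term.split(separator, 1)[0]
    return term.lower()


def lint_spf(txt_records):
    """Return a list of findings; an empty list means the SPF setup looks sane."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record: any host on the Internet can claim to send for this domain"]

    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published; receivers return permerror")

    terms = spf[0].split()[1:]
    names = [term_name(t) for t in terms]
    lookups = sum(1 for n in names if n in DNS_TERMS)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {LOOKUP_LIMIT}; permerror")

    all_terms = [t for t in terms if term_name(t) == "all"]
    if all_terms:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host: equivalent to no SPF protection")
        elif qualifier == "?":
            findings.append("'?all' gives unlisted hosts neutral, which receivers treat as no policy")
    elif "redirect" not in names:
        findings.append("no 'all' term: unlisted hosts get neutral instead of fail")
    return findings


if __name__ == "__main__":
    # Constructed TXT record sets for hypothetical domains.
    samples = {
        "well configured": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
                            "constructed-site-verification=abc123"],
        "no SPF at all": ["constructed-site-verification=abc123"],
        "two SPF records": ["v=spf1 a -all", "v=spf1 mx -all"],
        "open policy": ["v=spf1 ip4:192.0.2.0/24 +all"],
        "never ends": ["v=spf1 ip4:192.0.2.0/24"],
        "too many lookups": ["v=spf1 " + " ".join(f"include:spf{i}.example" for i in range(11)) + " -all"],
    }
    for label, records in samples.items():
        print(f"{label}: {lint_spf(records) or ['OK']}")
```

Of the six constructed cases only the first passes; the other five are the everyday shapes of “no authentication or incorrect authentication” behind the figures quoted above, and each of them is fixed by editing a single DNS TXT record.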