What is… SPF?

What isEmailSpamSPFSpoofing

SPF is short for Sender Policy Framework, and it can help you get rid of spam and phishing emails without even looking at the email content.

Welcome to our What is… series,
where we turn technical jargon into plain English.

SPF is short for Sender Policy Framework.

SPF allows an organisation to make a public declaration about which servers are authorised to send email on its behalf, thus – in theory – making phishing emails from imposters easier to spot.

Creating bogus emails is, unfortunately, very easy: when I send you an email, I can identify myself however I wish, using special email headers known as Originator Fields, for example:

From: Paul Ducklin <paul@acme.example>
Sender: Paul Ducklin <paul@acme.example>
Reply-to: Paul Ducklin <paul@acme.example>

These headers are entirely up to me – they’re sent just in front of the actual content of the message – so I can claim to have any name I want, and an email address at any company I like, to give myself an air of legitimacy I don’t deserve.

For example, if I know you’ve recently bought products from a company called Big Corp, and I know by looking on Big Corp’s website that the sales manager in your region is Steve Meone, I could adjust my email headers to look like this:

From: "S. O. Meone" <someone@bigcorp.example>
To: Your Name Here <you@example.com>

Dear Your Name,

As an existing customer, you'll be delighted to know that one of our
partners is currently offering 25% off next year's subscription:

[. . . bogus web link here . . .]

Best regards,

Steve Meone

If this message reaches your inbox, it will look much more believable than a spam sent via a free webmail service, or from a company or country you’ve never heard of.

This trick is known as spoofing.

So, SPF allows your email server to ask the internet, “Where is email claiming to be from bigcorp.example supposed to originate?”

By checking that emails came from authorised sending servers before accepting them in the first place, your own email gateway can throw away spoofed messages that are pretending to be from companies that didn’t send them .

If you know up front that an email came from an imposter, you don’t need to waste time examining the email and its attachments for spam, phishing, malware or other cybercriminality – you can discard it immediately.

Pros of SPF

  • SPF checks are quick and easy, and can speed up the process of blocking spam.
  • Publishing proper SPF data for your own organisation shows that you care about security.

Cons of SPF

  • Many companies have missing, incomplete or inaccurate SPF data, which reduces the effectiveness of the system.
  • Being strict about SPF checking may stop you receiving emails from some customers and prospects.

3 Comments

Generally SPF can be a bit of a hassle to get right, but once done it’s a great benefit. One analogy I like to use when explaining it is that it’s like writing the sender address on the back of a letter sent via snail-mail. Anyone can write anything they want. SPF is the equivalent of checking the postmark to ensure it originated from an authorised mail centre.

One gotcha to watch out for though is the 10 DNS lookups limit. Many companies will have mail originating from more than one source, and this can cause a few problems with nested SPF records. For example, let’s assume some company uses a service called acme.example – this requires “include:acme.example” to be added to the SPF record which counts as one DNS lookup, but the SPF query on this then includes “include:spf-a.acme.example include:spf-b.acme.example” which is another two DNS lookups, totalling three just for this service. When you then add other mail systems with their nested DNS lookups, it’s quite easy to approach the limit of ten.

[Comment edited to use generic example names]

Reply

We should probably do a more technical piece on SPF over on our sister site Naked Security – the What is… articles are meant to be make up a sort-of “expanded glossary” without getting stuck into the detail.

For non-technical readers, what the OP is saying is that when a company lists its official mail servers via SPF, it may include a list of third-party servers, e.g. mailing lists, marketing services, that it has authorised to speak on its behalf; those servers will authorise additional lists of servers, and so on.

Following the SPF specifications to the letter requires that you limit the number of nested lookups to 10 )strictly speaking, it’s not the number of actual lookups that is limited, but the “nesting complexity” of the SPF data) to prevent runaway SPF queries that end up being more complicated that just scanning the whole email for spam and malware anyway.

(Of course, if a company has such an extensive “tree” of authorised mail servers from a wide variety of third-party sources that it fails the SPF lookpu complexity limit…

…tben it can’t really vouch for the servers that send its mail anyway.)

Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.