I will start the introduction of this third article on SPF with a few figures:
- Almost 1 in 2 CAC 40 companies publishes an SPF record with a "-all" qualifier (the strictest SPF policy)!
- Only 23% of the top 100 e-commerce companies use a "-all" qualifier!
In other words, few companies take the step of tightening the SPF policy on their domain. Given what spam and phishing cost companies, it is time to change the game and protect each domain more effectively, with a strict policy on every authentication mechanism available. That is why I decided to write this new article.
Protect your domain and fight against spam and phishing
According to the latest "State of the Phish 2020" study by Proofpoint (a leading vendor in securing email flows for large companies), 55% of companies experienced at least one phishing attack in 2019. This figure shows that no company is safe from having its domain name used by a third party to send spam (we went through that ourselves at one time) or to harvest its customers' personal data...
Beyond protecting your brand identity, securing your domain name also protects your employees, customers and prospects from spam and phishing attacks (without forgetting that training your teams to recognise spam and phishing, so that they do not fall for it, is just as important).
Keep in mind that an SPF record only covers the exact domain it is published on: subdomains are not covered by the parent's record, so if you send from subdomains you must publish a record on each of them. A domain or subdomain that never sends mail should still publish a record that rejects everything (a bare "-all"), so that it cannot be used for spoofing. Any domain or subdomain left without a record remains vulnerable to spam and phishing attacks.
Advantages and disadvantages of the "-all" qualifier
As I mentioned in my first article on SPF, there are four qualifiers that define the result the receiving ISP/webmail applies when a mechanism matches:
- ~ : SoftFail
- - : Fail
- + : Pass (the default when no qualifier is given)
- ? : Neutral
The one we are interested in here is "-all": it makes an email fail SPF when none of the listed sources matches, which lets the receiving ISP/webmail (if it evaluates SPF) reject it and so prevents illegitimate mail from reaching your employees, customers and prospects. In practice many large receivers do not reject on an SPF fail alone but feed the result into DMARC, which is one more reason to deploy the two together.
This qualifier gives you a clear advantage... but also a big disadvantage:
(+) If a malicious person tries to send emails from your domain using an IP address that is not declared in your SPF record, the attempt fails SPF.
(-) If you forgot to declare an IP address in your SPF record, legitimate email sent from that IP fails too and may not be delivered. The same applies to mail forwarded by a third party (a mailing list or a user's forwarding rule), since the forwarder's IP is not in your record either.
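To make the qualifier table concrete, here is a small SPF evaluator added for this article (it is not code from the original post or from any SPF library). It resolves the `ip4`, `ip6`, `include` and `all` mechanisms against a constructed, offline table of TXT records; the domains and addresses are documentation examples, not real ones. Run a sender IP through it and the qualifier on `all` decides whether an unlisted IP ends in fail, softfail or neutral:

```python
"""Minimal SPF evaluator: ip4, ip6, include and all (RFC 7208 subset).

Added example for this article, not the post's code. DNS is replaced by a
constructed dictionary so it runs offline; domains and IPs are documentation
examples (RFC 5737 / RFC 3849 ranges).
"""
import ipaddress

# Constructed TXT records standing in for live DNS (hypothetical domains).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softfail.example.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "neutral.example.com": "v=spf1 ip4:203.0.113.0/24 ?all",
}

# Qualifier prefix -> SPF result when the mechanism it precedes matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """Return the SPF result ("pass", "fail", "softfail", "neutral", "none",
    "permerror") for sender `ip` under the record published at `domain`."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying terms; guards include loops
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # no prefix means Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = sender.version == net.version and sender in net
        elif mech == "include":
            # include matches only if the referenced record itself yields Pass
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        elif mech == "all":
            matched = True  # catch-all: its qualifier decides unlisted senders
        else:
            return "permerror"  # a, mx, exists, redirect... not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term: RFC default


def all_qualifier(domain, dns=FAKE_DNS):
    """Return the qualifier applied to "all" in a record ("-", "~", "?", "+"),
    or None when the record has no "all" term."""
    record = dns.get(domain, "")
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in QUALIFIERS else "+"
    return None


if __name__ == "__main__":
    for ip, domain in [
        ("203.0.113.7", "example.com"),         # listed directly -> pass
        ("198.51.100.10", "example.com"),       # listed via include -> pass
        ("192.0.2.1", "example.com"),           # unlisted, -all -> fail
        ("192.0.2.1", "softfail.example.com"),  # unlisted, ~all -> softfail
        ("192.0.2.1", "neutral.example.com"),   # unlisted, ?all -> neutral
        ("192.0.2.1", "nospf.example.com"),     # no record -> none
    ]:
        print(f"{ip:14} {domain:24} {check_spf(ip, domain)}")
```

Note that the nested record behind `include` ends in `~all`, yet an unlisted IP still gets a hard fail from `example.com`: an include only counts when the referenced record returns Pass, so the qualifier on your own top-level `all` is what decides the final result.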
Define a deployment plan to switch SPF to "-all"
While the risk of forgetting an IP is real, it can be limited by following a deployment plan that raises the security level of your SPF record gradually, without being scolded by the marketing manager.
- Step 1: List all IPs (or sending sources) used by the domain.
- Step 2: Publish SPF with the "~all" qualifier (SoftFail) and deploy DMARC in monitoring mode so that you receive reports.
- Step 3: Monitor all DMARC reports received from ISPs/webmails to check whether one or more IPs were missed. This monitoring may last several weeks or months, depending on how often you send.
- Step 4: Correct the SPF record if an IP was forgotten.
- Step 5: Upgrade the SPF record to the "-all" qualifier (Fail).
- Step 6: Keep monitoring the DMARC reports to verify that everything is fine and to detect illegitimate traffic.
Let's not kid ourselves: DMARC will be your best ally here to make sure you don't forget anything. If you haven't set it up yet on your root domain, feel free to consult the article I wrote on the subject.
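The monitoring in steps 3, 4 and 6 is much easier with a little tooling. The script below is an added example, not code from the original article or from any DMARC product: it parses a DMARC aggregate (RUA) report in the RFC 7489 XML format, keeps every source whose SPF evaluation was not a pass, sums the message counts per IP, and compares each IP with the step-1 inventory of networks you know legitimately send for the domain. The report and the inventory are constructed for the demo (documentation IP ranges, hypothetical domains). A known IP that fails is a gap in your SPF record to fix in step 4; an unknown IP that fails is traffic to investigate in step 6.

```python
"""Triage of a DMARC aggregate (RUA) report against the step-1 source inventory.

Added example, not the article's code. The report below is constructed to
follow the RFC 7489 aggregate XML format; IPs are documentation ranges and
the domains are hypothetical.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed aggregate report (not a real feed). Three sources:
#  - 203.0.113.7   : declared in the SPF record, passes
#  - 198.51.100.25 : a legitimate relay that was forgotten in the SPF record
#  - 192.0.2.200   : an unknown host spoofing the domain
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
  </record>
</feedback>
"""

# Step-1 inventory (constructed): networks known to legitimately send for the domain.
KNOWN_SOURCES = ["203.0.113.0/24", "198.51.100.0/26"]


def is_known(ip, networks=KNOWN_SOURCES):
    """True when `ip` falls inside one of the inventoried networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def spf_failures(report_xml, networks=KNOWN_SOURCES):
    """Return {source_ip: {"count", "spf", "known"}} for every record whose
    DMARC-aligned SPF evaluation was not "pass", summing counts per IP."""
    root = ET.fromstring(report_xml)
    failures = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        if rec.findtext("row/policy_evaluated/spf") == "pass":
            continue
        raw_spf = rec.findtext("auth_results/spf/result") or "none"
        entry = failures.setdefault(
            ip, {"count": 0, "spf": raw_spf, "known": is_known(ip, networks)}
        )
        entry["count"] += count
    return failures


def triage(report_xml, networks=KNOWN_SOURCES):
    """Split SPF failures into IPs to add to the record (step 4) and IPs to
    investigate as possible abuse (step 6)."""
    failures = spf_failures(report_xml, networks)
    to_add = sorted(ip for ip, e in failures.items() if e["known"])
    suspicious = sorted(ip for ip, e in failures.items() if not e["known"])
    return to_add, suspicious


if __name__ == "__main__":
    for ip, e in spf_failures(SAMPLE_REPORT).items():
        print(f"{ip:16} count={e['count']:5} spf={e['spf']:8} known={e['known']}")
    add, investigate = triage(SAMPLE_REPORT)
    print("add to SPF record:", add)
    print("investigate:", investigate)
```

Real aggregate reports arrive as zipped or gzipped attachments, often several per day from each receiver, so extract the XML and aggregate across reports before deciding that a source is missing from the record. The softfail reported by the receiver is exactly what the "~all" stage of the plan produces: the mail still gets through, and the report tells you which IPs would have been rejected under "-all".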
On paper there is nothing complicated about it, and yet few do it... Is it a question of priority (the task is seen as minor compared with other projects in the company), of technical knowledge (the IT department doesn't know the subject and so ignores it), or of time (the IT department is swamped)? Feel free to give your opinion in the comments.
I hope this series of three articles on SPF helps you understand it better and gives you the desire to dive into it if you haven't yet.
Article #1: What is SPF? Configuration, verification and monitoring.
Article #2: 10 tips to implement in your SPF configuration...