SPF: Avoid Overly Permissive All Terms

Overly permissive ‘all’ terms

SPF

+all your domain are belong to them

When you allow email to be sent on behalf of your domain by anyone anywhere,
your domain does, in a sense, belong to anyone who wants it.
A common error organizations make when setting up their SPF records is an overly permissive
all term. This effectively allows every IP address on the planet to send email as anyone in your organization.
Your employees, customers, vendors, and, well, everyone else then become vulnerable to phishing attacks, and nothing good for your brand reputation can come of it.

The all term, like the other SPF mechanism terms, carries a qualifier,
which is exactly one of these four characters: +, ?, ~, -.
A concise summary of the qualifier meanings is given in the following table.

qualifier | match result | explanation
----------|--------------|------------------------------------------------------------------
+         | pass         | The client sender is authorized to send mail on behalf of the domain.
?         | neutral      | No assertion is to be made about the client sender. This is effectively a ‘none’ result.
~         | softfail     | Somewhere between a rigorous ‘fail’ and an apathetic ‘neutral’: the client sender is not authorized to send email on behalf of the domain; however, the message should probably not be rejected based on the lack of SPF authorization alone.
-         | fail         | The client sender is not authorized to send email on behalf of the domain.

An all term without a qualifier defaults to +all, while a record with
neither an all term nor a redirect term defaults to ?all.
For example, the record

“v=spf1 all”

is identical to

“v=spf1 +all”

This essentially declares that everybody is free to abuse the reputation of the domain by sending
email on its behalf. Similarly,

“v=spf1”

without an all term is the same as

“v=spf1 ?all”

thus declaring ‘meh, send emails from our domain or whatever, we don’t care’.

Obviously, either of these defaults weakens the email security of your organization.
The minimum standard for an all term should be the soft-failing ~all.
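To make the defaults above concrete, here is an added example (not code from the original post or from Fraudmarc) that works out the effective all qualifier of an SPF record, applying the two defaults described here, and flags records that are overly permissive. The sample records and their hostnames and addresses are constructed placeholders.

```python
# Qualifier -> SPF result, as in the table above.
QUALIFIER_RESULT = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}

def effective_all(record):
    """Return (qualifier, result) that the record applies to a sender matching
    none of its explicit mechanisms, using the defaults described above:
    a bare 'all' means '+all'; no 'all' and no 'redirect=' means '?all'."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    redirect_target = None
    for term in terms[1:]:
        # redirect= delegates to another domain's record, but is ignored
        # when this record itself contains an 'all' mechanism (RFC 7208, 6.1).
        if term.lower().startswith("redirect="):
            redirect_target = term.split("=", 1)[1]
            continue
        qualifier, mechanism = "+", term          # missing qualifier means '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, mechanism = term[0], term[1:]
        if mechanism.lower() == "all":
            return (qualifier, QUALIFIER_RESULT[qualifier])
    if redirect_target:
        return ("redirect", redirect_target)
    return ("?", "neutral")                       # implicit '?all'

def audit(record):
    """Classify a record the way the post recommends: an explicit '+all' or the
    implicit '?all' is overly permissive, '~all' is the minimum, '-all' is strict."""
    qualifier, result = effective_all(record)
    if qualifier == "redirect":
        return f"delegated to {result}; audit that domain's record instead"
    if result in ("pass", "neutral"):
        return f"OVERLY PERMISSIVE: effective {qualifier}all ({result}); use at least ~all"
    if result == "softfail":
        return "acceptable minimum: ~all (softfail); tighten to -all once DMARC reports confirm senders"
    return "strict: -all (fail)"

# Constructed sample records (hostnames and addresses are placeholders).
SAMPLES = [
    "v=spf1 all",
    "v=spf1 +all",
    "v=spf1",
    "v=spf1 ip4:192.0.2.0/24 ~all",
    "v=spf1 include:_spf.example.net -all",
    "v=spf1 redirect=_spf.example.org",
]
if __name__ == "__main__":
    for rec in SAMPLES:
        print(f"{rec!r:45} -> {audit(rec)}")
```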

Combined with DMARC intelligence, the organization can then move toward the stricter -all.

Fraudmarc can help you with all of your email security protocol needs.

Fraudmarc’s intuitive tools help with managing and monitoring as many authorized senders as required for your business. Fraudmarc continuously monitors and updates SPF records using SPF Compression, so the number of DNS lookups needed to authenticate all of your authorized senders is minimized. Fraudmarc simplifies management of SPF, as well as DKIM and DMARC, with user-friendly tools and recommendations. In addition, Fraudmarc offers free DMARC reports, so you will have the tools and information you need to configure your policies accurately.

Don’t leave your domain and your brand reputation unprotected; take control of your email reputation!