
What is SPF record good for? | Part 7#17

http://o365info.com/what-is-spf-record-good-for-part-7-17

Written by Eyal Doron | o365info.com

This article explains the purpose of the SPF record and how the SPF record enables us to prevent a scenario in which hostile elements could send E-mail on our behalf.

The next article – Implementing SPF record | Part 8#17 – focuses on the “technical side” of the SPF record, such as: the structure of the SPF record, the way we create an SPF record, the required syntax for the SPF record in an Office 365 environment and a mixed mail environment, how to verify the existence of the SPF record, and so on.


The purpose of the SPF record

There are two main objectives for using an SPF record:

1. Trying to prevent a scenario in which a spammer sends E-mail using our domain name (a specific organization E-mail address) from his own mail server. In other words: a scenario in which the spammer’s mail server introduces itself as “our legitimate mail server”.

2. Preventing a scenario in which a destination mail server blocks E-mail that is sent from our organization, or “stamps” our organization’s mail with a high spam score, because a spammer is “distributing E-mail” using the identity of our organization’s users (using an E-mail address of one of our organization’s recipients).

Issues that relate to the SPF record

We can classify the “problems that relate to the SPF record” into two main areas:

1. Lack of an SPF record – a common scenario in which the organization doesn’t use an SPF record. The main reason is a lack of awareness of the great importance of using SPF records.

2. Misconfigured SPF record – an existing SPF record that was configured with incorrect syntax, or that doesn’t include the “full information” about all the mail servers that represent the specific organization.

Why do I need to use SPF record?

Ensure our E-mail message reliability

Using an SPF record is very important in a modern mail environment because the SPF record enables us to set the level of “reliability” of an E-mail message that is sent “from our organization”, meaning that the E-mail message was sent from our legitimate mail server.

The purpose of the SPF record is to enable organizations to publicly “declare” which mail servers are authorized to send mail on behalf of the organization (for a specific domain name).


The destination mail server, which accepts an E-mail message that includes our domain name (an E-mail address with our domain name), can verify whether the mail server that “delivers” the E-mail message is entitled, or authorized, to represent the specific domain name.

The destination mail server verifies this information by looking at the organization’s SPF record, which should include a list of all the authorized mail servers that represent the specific domain name.

If the “source mail server” isn’t listed in the SPF record, the “destination mail server” (the mail server that is supposed to accept the E-mail message and forward it to the destination recipient) can decide whether it agrees to accept the E-mail or “blocks” the sending mail server.

A scenario in which we don’t use an SPF record, or a scenario in which we send mail by using a mail server that doesn’t appear in the SPF record that represents our domain name, could lead to a significant reduction in the “reliability grade” of E-mail that is sent by our organization’s users.

In other words: an outcome in which our organization’s mail is identified as spam\junk mail.

Prevent spoofing scenario

In a modern mail environment, the “spoofing” scenario is very common and very popular.

The reason for this “popularity” of the spam phenomenon is that the SMTP mail protocol was created based on the assumption that the parties that want to communicate using E-mail messages are “legitimate players”.

The reality is a little different and, many times, hostile elements such as spammers use the basic SMTP option for “presenting themselves” as someone else (impersonation).


For example: in a standard SMTP session between two mail servers (the source and the destination mail server), when server A connects to server B and asks it to forward an E-mail message to a recipient who is hosted on mail server B, mail server A presents itself as the representative of the source recipient.

By default, server B (the destination server) is supposed to believe server A (believe that it is the true representative of the source recipient).

The SPF record was created to prevent a scenario in which a spammer fakes his identity and pretends to be the “legitimate mail server” of a specific organization.

In our example, the spammer’s mail server presents itself as the legitimate mail server that sends E-mail “on behalf” of the domain: o365info.com

In the following diagram, we can see such a scenario, in which hostile elements try to send an E-mail message to the destination recipient, and the mail server of the hostile elements “declares” that the message was sent by a recipient named: [email protected]


Q1: What does SPF stand for?

A1: SPF stands for Sender Policy Framework.

Q2: How is the SPF record implemented?

A2: By publishing a TXT record in our public DNS that includes a pre-defined structure and information about the mail servers that are authorized and “approved” to send E-mail on behalf of our organization.

Q3: What information is included in the SPF record?

A3: The SPF record includes information about the mail server names or IP addresses that represent a specific organization (domain name) and can send E-mail on behalf of the organization.

Note – the SPF record syntax includes additional options for “pointing out” the legitimate mail server, such as using the MX or the A record option.

For example, when using the MX option in the SPF record, the meaning is that all the mail servers that appear “under” the MX record of a specific domain name are considered “authorized” mail servers that can send E-mail on behalf of the specific domain.

How does the SPF record prevent a spoofing scenario?

To demonstrate the way in which the use of the SPF record prevents spoofing, let’s use the following scenario:

A hostile element (spammer) wants to distribute spam mail, hide his identity, and impersonate a legitimate organization that uses the public domain name: o365info.com

The spammer is going to “present himself” using the recipient name (E-mail address): [email protected]


Step 1: Sending an E-mail message on behalf of the legitimate recipient

In the following diagram, we can see that the spammer’s mail server connects to the destination mail server and asks it to forward E-mail messages to the destination recipient.

The destination mail server “sees” that the IP address that is used by the “source mail server” (the spammer’s mail server) is: 100.100.100.100

Note that the “real mail server” that represents the organization o365info.com uses a different IP address: 212.25.80.239


Step 2: The destination mail server checks the SPF record

In our scenario, we assume that the E-mail policy that is used by the “destination mail server” is configured to check the SPF record of the “source mail server”.

The “destination mail server” queries the DNS server and asks for the SPF record of the domain: o365info.com

In our scenario, the SPF record “says” that the “formal mail server” that represents the domain o365info.com is: 212.25.80.239

Step 3: The destination mail server rejects the E-mail message

The IP address of the spammer’s mail server is: 100.100.100.100

Because the SPF record for the domain o365info.com doesn’t include this IP address, the mail server will reject the E-mail message from the spammer’s mail server.


Important note – the “real world” is a little more complex. In reality, there could be many other scenarios.

For example: if the “destination mail server” is not configured to check for the existence of an SPF record, it will accept the E-mail message that was sent by the spammer.

Another possible scenario is that the “destination mail server” agrees to accept the E-mail message although the IP address of the “source mail server” (the spammer’s mail server) doesn’t appear in the SPF record, but “stamps” the E-mail message as a “problematic” or dangerous E-mail message.

“Problems” that relate to the SPF record

Q: What are the possible scenarios of “problems” that relate to the SPF record?

A: Examples of “problems” that relate to the SPF record could be:

1. Lack of an SPF record – a scenario in which the organization doesn’t use an SPF record.

2. More than one SPF record – a common mistake, in which the DNS includes two or more SPF records. The outcome is: “unknown results”. Some mail servers will relate to only one of the SPF records, and some mail servers will refuse to accept mail because the SPF record is not configured correctly.

3. An SPF record that is configured improperly – the SPF record is based on very strict “syntax rules” that dictate how to “construct” the SPF record. In some cases, the SPF record includes a syntax error. In this case, we are again dealing with the realm of “unknown results”.

4. An SPF record that doesn’t include information about all the organization’s mail servers.

Any of these “issues” could lead to a scenario in which an external mail server blocks mail that is sent by users from our organization (users whose E-mail address includes our public domain name).
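The three-step check and the four problem cases above, as an added example that is not part of the original article: a simplified, offline SPF evaluation in Python. The TXT strings and the address 203.0.113.25 are constructed for illustration; only the ip4, ip6 and all mechanisms are evaluated, and mechanisms that need DNS lookups (such as mx) are accepted but skipped.

```python
import ipaddress

# Result names follow RFC 7208. Only ip4, ip6 and all are evaluated here.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr"}  # valid, skipped offline


def parse_terms(record):
    """Return [(qualifier, mechanism, value)], or None on any syntax error."""
    terms = []
    for term in record.split()[1:]:
        if "=" in term:  # modifier such as redirect=, not handled here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower().split("/")[0]
        if name in ("ip4", "ip6"):
            try:
                value = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return None
            if value.version != int(name[2]):
                return None
        elif name != "all" and name not in NEEDS_DNS:
            return None
        terms.append((qualifier, name, value))
    return terms


def check_spf(txt_records, client_ip):
    """Evaluate client_ip against a domain's TXT records (simplified)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "none"       # problem 1: no SPF record published
    if len(spf) > 1:
        return "permerror"  # problem 2: more than one SPF record
    terms = parse_terms(spf[0])
    if terms is None:
        return "permerror"  # problem 3: syntax error in the record
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, value in terms:
        if name == "all" or (name in ("ip4", "ip6") and ip in value):
            return QUALIFIERS[qualifier]
    return "neutral"        # nothing matched and no "all" term


# Constructed TXT data for the article's scenario, not real DNS answers.
PUBLISHED = ["some-site-verification=abc123", "v=spf1 ip4:212.25.80.239 -all"]

if __name__ == "__main__":
    print(check_spf(PUBLISHED, "212.25.80.239"))    # legitimate server
    print(check_spf(PUBLISHED, "100.100.100.100"))  # spammer's server
    # Problem 4: a second, unlisted sender (constructed address).
    print(check_spf(PUBLISHED, "203.0.113.25"))
    print(check_spf(PUBLISHED + ["v=spf1 mx -all"], "212.25.80.239"))
    print(check_spf(["v=spf1 ip4:212.25.80.239 -al"], "212.25.80.239"))
```

What the receiving server does with a result such as fail or permerror is a matter of its own policy, which is why the article calls the outcome “unknown results”.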

Mixed mail environment example

An example of the scenario “SPF record that doesn’t include information about all the organization’s mail servers” could be a hybrid environment that is based on two separate mail infrastructures: the Office 365 mail infrastructure (Exchange Online) and the Exchange on-Premises mail infrastructure.

In this scenario, an E-mail message could be sent from both of these mail infrastructures (depending on the physical location of the user’s mailbox).

In a scenario of “two separate mail infrastructures”, the SPF record should contain “pointers” to each of the separate mail infrastructures.

In simple words: the SPF record should “declare” that mail that is sent by the Exchange Online mail servers and mail that is sent from the Exchange on-Premises mail server\s are considered legitimate mail.

If the SPF record value that we have configured doesn’t include information about the Exchange on-Premises server, each E-mail that is sent by the Exchange on-Premises server has the potential to be identified as spam\junk mail.

Note – you can read more detailed information on the SPF record syntax in the article – Implementing SPF record | Part 8#17


Q: In a scenario of a problem with the SPF record, what are the possible “responses” of the target mail server?

A: It’s important to emphasize that in a scenario of “problems that relate to the SPF record”, the “response” from the destination mail server cannot be predicted.

The reason is that each mail server uses or implements a different mail security policy.

Some mail servers are more “forgiving” of a lack of, or a problem with, the SPF record, and some mail servers are stricter.

Internal \ outbound spam in Office 365 environment | Article series index

A quick reference for the article series

My E-mail appears as a spam | Article series index | Part 0#17
The article index of the complete article series

Introduction to the concept of internal \ outbound spam in general and in Office 365 and Exchange Online environment

My E-mail appears as a spam – Introduction | Office 365 | Part 1#17
The psychological profile of the phenomenon: “My E-mail appears as a spam!”, possible factors for causing our E-mail to appear as “spam mail”, the definition of internal \ outbound spam.

Internal spam in Office 365 – Introduction | Part 2#17
Review in general the term “internal \ outbound spam”, misconceptions that relate to this term, the risks that are involved in this scenario, outbound spam E-mail policy and more.

Internal spam in Office 365 – Introduction | Part 3#17
What are the possible reasons that could cause our mail to appear as spam\junk mail? Who or what are the “elements” that can decide that our mail is spam mail? What are the possible “reactions” of the destination mail infrastructure that identifies our E-mail as spam\junk mail?

Commercial E-mail – Using the right tools | Office 365 | Part 4#17
What is commercial E-mail? Commercial E-mail as part of the business process. Why do I think that Office 365 \ Exchange Online is unsuitable for the purpose of commercial E-mail?

Introduction to the major causes for a scenario in which your organization’s E-mail appears as spam

My E-mail appears as spam | The 7 major reasons | Part 5#17
Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 1. E-mail content, 2. Violation of the SMTP standards, 3. Bulk\Mass mail

My E-mail appears as spam | The 7 major reasons | Part 6#17
Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 4. False positive, 5. User Desktop malware, 6. “Problematic” Website

Introduction to the subject of the SPF record in general and in an Office 365 environment

What is SPF record good for? | Part 7#17
The purpose of the SPF record and its relation to our mail infrastructure. How does the SPF record enable us to prevent a scenario in which hostile elements could send E-mail on our behalf.

Implementing SPF record | Part 8#17
The “technical side” of the SPF record: the structure of the SPF record, the way that we create an SPF record, the required syntax for the SPF record in an Office 365 environment and a mixed mail environment, how to verify the existence of the SPF record, and so on.

Introduction to the subject of Exchange Online - High Risk Delivery Pool

High Risk Delivery Pool and Exchange Online | Part 9#17
How Office 365 (Exchange Online) handles a scenario of internal \ outbound spam with the help of the Exchange Online High Risk Delivery Pool.

High Risk Delivery Pool and Exchange Online | Part 10#17
The second article about the subject of the Exchange Online High Risk Delivery Pool.

The troubleshooting path of an internal \ outbound spam scenario

My E-mail appears as spam – Troubleshooting path | Part 11#17
Troubleshooting a scenario of internal \ outbound spam in an Office 365 and Exchange Online environment. Verifying if our domain name is blacklisted, verifying if the problem is related to E-mail content, verifying if the problem is related to a specific organization user’s E-mail address, moving the troubleshooting process to the “other side”.

My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17
Verify if our domain name appears as blacklisted, verify if the problem relates to a specific E-mail message content, registering blacklist monitoring services, activating the option of Exchange Online outbound spam.

My E-mail appears as spam | Troubleshooting – Mail server | Part 13#17
What is the meaning of “our mail server”? Mail server IP, host name and Exchange Online. One of our users got an NDR which informs him that his mail server is blacklisted! How do we know that my mail server is blacklisted?

My E-mail appears as spam | Troubleshooting – Mail server | Part 14#17
The troubleshooting path logic. Get the information from the E-mail message that was identified as spam\NDR. Forwarding a copy of the NDR message or the message that saved to the junk mail

My E-mail appears as spam | Troubleshooting – Mail server | Part 15#17
Step B – Get information about your Exchange Online infrastructure, Step C – fetch the information about the Exchange Online IP address, Step D – verify if the “formal” Exchange Online IP address a

De-list your organization from a blacklist | My E-mail appears as spam | Part 16#17
Review the characteristics of a scenario in which your organization appears as blacklisted. The steps and the operations that need to be implemented to de-list your organization from a blacklist.

Summary and recap of the troubleshooting and best practices in a scenario of internal \ outbound spam

Dealing and avoiding internal spam | Best practices | Part 17#17
Provides a short checklist of all the steps and operations that relate to a scenario of internal \ outbound spam.