Email Security - Breaking Down SPF

In this post I want to break down and cover SPF in more detail, especially as I continue on the email security journey/track. Before beginning, here is another brief overview of what SPF entails:


SPF is a simple validation system that gives receiving mail exchangers a mechanism to verify that incoming mail from a domain is being sent by hosts the domain has authorized. SPF is generally considered an email anti-spam technique.


Remember that SPF authenticates the message path and authorizes senders via DNS TXT records. SPF's main goal is to verify the envelope part of the email (the envelope sender), not the visible From header. The receiving server is responsible for checking the sending server's IP address against the hosts the domain owner has published in its SPF record.


Taking a deeper dive into SPF, it is important to know the SPF mechanism syntax. A mechanism describes a set of hosts that are designated outbound mailers for the domain. Note that additional domains can be pulled in via "include" entries. However, you can only include up to 10 domains. Here is a breakdown of each mechanism:

  • all : always matches; typically placed at the end of a record

  • ip4 : denotes an IPv4 host or range

  • ip6 : denotes an IPv6 host or range

  • a : the A records for the domain are tested; an A record must match the client IP exactly

  • mx : the A records of the domain's MX hosts are tested in order of MX priority; if the client IP is found among them, the mechanism matches

  • ptr : the hostname(s) for the client IP are looked up via PTR queries; at least one A record of a PTR hostname must match

  • exists : performs an A query on the provided domain; matches if any A record is returned

  • include : the specified domain's SPF record is searched for a match

Mechanisms are typically prefixed with one of four qualifiers:


+ (Pass), - (Hard Fail), ~ (SoftFail), ? (Neutral)


It is best practice to use either ~all or -all at the end of an SPF record to explicitly indicate what the result should be when no match is found.


SPF also has modifiers, redirect & exp.

  • redirect modifier : takes a domain value; that domain's SPF record is evaluated in place of the current one. If there is no SPF record for the domain, the result is unknown.

  • exp modifier : also takes a domain value. If the evaluation of an SPF record fails with something like "-all", and the exp modifier is present, an explanation string is returned.

Next I will cover the possible results of evaluating an SPF record:

  • None: either no valid DNS domain name was found, or no SPF record was found on the domain;

  • Neutral: it's not stated whether the client IP address is allowed;

  • Pass: the client IP address is allowed;

  • Fail: the client IP address is not allowed;

  • Softfail: the client IP address is probably not allowed;

  • Temperror: the SPF module encountered a transient (network) error while performing the check;

  • Permerror: the domain’s published records could not be correctly interpreted. This signals an error condition that definitely requires DNS operator intervention to be resolved.

Note that when no qualifier is prepended to an SPF mechanism, it defaults to "+" (Pass).


Now I will break down a very simple SPF record so we can understand the components used:


"v=spf1 ip4:1.1.1.1 include:example.com -all"


This SPF record states the following: version 1 (v=spf1); 1.1.1.1 is a host allowed to send email on behalf of the domain; example.com's SPF record is searched for a match; and any client IP that matches nothing else hard-fails (-all).
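As an added example (not from the original post), here is a small Python parser for SPF records that applies the rules above: the mandatory v=spf1 tag, the default "+" qualifier, the 10 DNS-lookup limit, and an offline evaluation of the ip4/ip6/all terms against a client IP. It does no DNS, so include/a/mx/ptr/exists terms are only counted, not resolved.

```python
import ipaddress

# Terms that cost a DNS lookup under SPF's limit of 10; ip4/ip6/all are free.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (result, name, value) terms.

    Mechanisms get the result their qualifier implies ("pass" when no
    qualifier is written); modifiers such as redirect= and exp= get the
    marker "modifier". Raises ValueError on a bad version tag or on more
    than 10 DNS-querying terms, which evaluators treat as permerror.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must begin with exactly 'v=spf1'")
    parsed = []
    for term in terms[1:]:
        if "=" in term:                        # modifier: redirect=, exp=
            name, value = term.split("=", 1)
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"                        # no qualifier defaults to pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.split("/", 1)[0]           # strip a CIDR suffix, e.g. a/24
        parsed.append((QUALIFIERS[qualifier], name.lower(), value))
    lookups = sum(1 for _, name, _ in parsed if name in DNS_LOOKUP_TERMS)
    if lookups > 10:
        raise ValueError(f"{lookups} DNS-querying terms exceed the limit of 10")
    return parsed


def check_ip_offline(record, client_ip):
    """Evaluate only ip4/ip6/all terms, left to right, without DNS.

    Returns the result of the first matching term, or "neutral" when
    nothing matches and the record has no trailing all term.
    """
    ip = ipaddress.ip_address(client_ip)
    for result, name, value in parse_spf(record):
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return result
        if name == "all":
            return result
    return "neutral"
```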


Here is an in-depth example of SPF verification output. The Received-SPF headers show that two identities were checked by SPF, the envelope sender (identity=mailfrom) and the HELO name (identity=helo):

Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of
  united.5765@envfrm.rsys2.com designates 12.130.136.195 as
  permitted sender) identity=mailfrom;
  client-ip=12.130.136.195; receiver=mx1.hc4-93.c3s2.smtpi.com;
  envelope-from="united.5765@envfrm.rsys2.com";
  x-sender="united.5765@envfrm.rsys2.com";
  x-conformance=sidf_compatible; x-record-type="v=spf1"

Received-SPF: None (mx1.hc4-93.c3s2.smtpi.com: no sender
  authenticity information available from domain of
  postmaster@omp.news.united.com) identity=helo;
  client-ip=12.130.136.195; receiver=mx1.hc4-93.c3s2.smtpi.com;
  envelope-from="united.5765@envfrm.rsys2.com";
  x-sender="postmaster@omp.news.united.com";
  x-conformance=sidf_compatible
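As an added example (not from the original post), this Python helper parses Received-SPF headers like the two above into their result, comment and key=value fields, so the mailfrom and helo outcomes can be pulled out programmatically. The sample headers are the post's two headers, unfolded onto one line each.

```python
import re

# The two Received-SPF headers quoted above, unfolded onto one line each
# (a receiving MTA folds them across several lines, as shown in the post).
SAMPLE_HEADERS = [
    "Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of "
    "united.5765@envfrm.rsys2.com designates 12.130.136.195 as "
    "permitted sender) identity=mailfrom; client-ip=12.130.136.195; "
    "receiver=mx1.hc4-93.c3s2.smtpi.com; "
    'envelope-from="united.5765@envfrm.rsys2.com"; '
    'x-sender="united.5765@envfrm.rsys2.com"; '
    'x-conformance=sidf_compatible; x-record-type="v=spf1"',
    "Received-SPF: None (mx1.hc4-93.c3s2.smtpi.com: no sender "
    "authenticity information available from domain of "
    "postmaster@omp.news.united.com) identity=helo; "
    "client-ip=12.130.136.195; receiver=mx1.hc4-93.c3s2.smtpi.com; "
    'envelope-from="united.5765@envfrm.rsys2.com"; '
    'x-sender="postmaster@omp.news.united.com"; '
    "x-conformance=sidf_compatible",
]

# result word, optional parenthesised comment, then the key=value pairs
HEADER_RE = re.compile(r"^Received-SPF:\s*(\w+)\s*(?:\(([^)]*)\))?\s*(.*)$")


def parse_received_spf(header):
    """Return a dict with 'result', 'comment' and every key=value field."""
    match = HEADER_RE.match(" ".join(header.split()))   # unfold line breaks
    if not match:
        raise ValueError("not a Received-SPF header")
    result, comment, rest = match.groups()
    fields = {"result": result.lower(), "comment": comment or ""}
    for part in rest.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:                                         # skip empty tails
            fields[key.lower()] = value.strip().strip('"')
    return fields


def identity_results(headers):
    """Map each checked identity (mailfrom, helo) to its SPF result."""
    return {f["identity"]: f["result"] for f in map(parse_received_spf, headers)}
```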


There are tons of tools that aid in verifying SPF records. However, a quick and easy way is via the command prompt: open a command prompt --> run nslookup --> set type=txt --> enter the domain name

Example:


The next little piece I want to share is how SPF verification relates to the ESA, from a very high level. SPF verification is configured in mail flow policies. Per Cisco, the easiest way is to turn it on globally in the respective listener. Remember that SPF verification only verifies the message and then inserts a set of headers for each SPF check performed. Once the configured mail flow policies have verified a message, a separately configured action is taken on the result.


Lastly, here are a few good-to-knows:

  • SPF records cannot have more than 255 characters

  • SPF publishers must add a record to each hostname or subdomain containing an A or MX record

  • There are tons of SPF record generators out there that can help with setting up a record properly

Thanks for checking this post out. See the <esa> tag for more. Cheers!
