It isn’t uncommon to hear that someone was expecting an email but never received it, and that when they checked with the sender, the sender told them the email bounced, was rejected, was blocked, or simply didn’t go through.
In 2003, the United States of America passed the “CONTROLLING THE ASSAULT OF NONSOLICITED PORNOGRAPHY AND MARKETING” or “CAN-SPAM” Act. The CAN-SPAM Act is recorded in 15 U.S.C. Chapter 103. One of the things the CAN-SPAM Act was meant to address was companies sending unsolicited commercial email and attempting to hide where the email was from by using fake information in the “from:” line of the email or actually sending an unsolicited commercial email through “electronic mail address, domain name, or Internet Protocol address the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations shall be considered materially misleading.” (15 U.S.C. § 7704 (a)(1)(A))
Sender Policy Framework (SPF) is a method a receiving mail server can use to ask DNS which servers are authorized to send email for a domain. Let’s consider a fictitious company named Example Company. Example Company employs two people named Alice and Bob. Example Company’s domain name is example.org. Alice’s email address is alice@example.org. Bob’s email address is bob@example.org. Example Company’s email server is named mail.example.org.
Now suppose you want to send Alice an email at alice@example.org. When you send that email, your system must ask for the Mail Exchanger (MX) record for example.org. The Domain Name System (DNS) server responds with the name of Example Company’s mail server. That tells your system that the email needs to be sent to mail.example.org, and mail.example.org will deliver the email to Alice’s mailbox, alice@example.org.
Unfortunately, malicious users have been sending Alice a lot of unsolicited commercial emails. The emails Alice receives, though, say they are from bob@example.org. Alice is worried that someone might have hacked Bob’s email account. Alice notifies Example Company’s IT department, which reviews the log files showing when Bob’s email account was logged into and the public IP address used for each login. Example Company’s IT department is not able to find any evidence that Bob’s email account was hacked.
How is that possible?
The malicious users sent the emails to Alice from an email server they had hacked, but they configured that server to send emails claiming to be from Example Company. This is an example of spoofing. Think of it like sending a letter through the postal mail: the malicious users change the return address so the letter appears to have been sent by Bob.
This is why SPF is important. If Example Company published an SPF record and configured its spam filter to perform SPF verification on the emails sent to it, the spam filter would block the unsolicited emails that claim to be from bob@example.org. SPF looks at the domain in the address the email claims to be from and asks DNS whether example.org has an SPF record. DNS responds: “Yes, example.org has an SPF record. Example Company permits 127.0.0.1 and 127.0.0.2 to send email for example.org.”
SPF checks each email sent to alice@example.org and bob@example.org. When SPF looks at the emails from the malicious users, it sees that they claim to be from bob@example.org, and it checks the IP address that sent them: 127.8.8.140. Because 127.8.8.140 is neither 127.0.0.1 nor 127.0.0.2, the emails fail SPF verification and are blocked. This may seem very technical, and it is. The good news is that a knowledgeable IT department should be able to configure SPF properly for their company in as little as five minutes.
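The MX lookup and the SPF check described above, worked through in code. This is an added example written for this article, not code from the article or from any SPF library. The DNS answers are a constructed in-memory table (a real check would query DNS): the example.org records use the article’s own values (mail.example.org, sender IPs 127.0.0.1 and 127.0.0.2, spoofer IP 127.8.8.140), and the example.net record is an extra assumption added to show a CIDR range and a softfail (`~all`) policy. The evaluator handles only the `ip4`, `ip6` and `all` mechanisms; `a`, `mx`, `include` and the rest are left out.

```python
import ipaddress

# Constructed stand-in for DNS. The example.org entries mirror the article;
# example.net is an added assumption showing a CIDR range and "~all".
FAKE_DNS = {
    ("example.org", "MX"): ["10 mail.example.org."],
    ("example.org", "TXT"): ["v=spf1 ip4:127.0.0.1 ip4:127.0.0.2 -all"],
    ("example.net", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records for name/rtype from the constructed DNS table."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def mail_server_for(domain):
    """Pick the lowest-preference MX host, as a sending server would."""
    records = lookup(domain, "MX")
    if not records:
        return None
    _, host = min((int(r.split()[0]), r.split()[1]) for r in records)
    return host.rstrip(".")


def spf_record_for(domain):
    """Return the domain's single 'v=spf1' TXT record, or None if absent/ambiguous."""
    spf = [r for r in lookup(domain, "TXT")
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return spf[0] if len(spf) == 1 else None


def check_spf(sender_ip, mail_from):
    """Evaluate the sender domain's SPF policy against the connecting IP.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Only ip4/ip6 (with optional CIDR) and 'all' are evaluated here; other
    mechanisms are skipped as non-matching, which is a simplification.
    """
    domain = mail_from.rsplit("@", 1)[-1]
    record = spf_record_for(domain)
    if record is None:
        return "none"          # no policy published: nothing to verify against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"        # an unqualified mechanism means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # catch-all decides everything else
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, exists, ptr: not implemented in this example
    return "neutral"           # no mechanism matched and no 'all' present


if __name__ == "__main__":
    print("Deliver mail for example.org to:", mail_server_for("example.org"))
    for ip in ("127.0.0.1", "127.0.0.2", "127.8.8.140"):
        print(f"{ip:>12} claiming bob@example.org ->", check_spf(ip, "bob@example.org"))
```

Running the block shows the two permitted servers passing and the spoofer’s 127.8.8.140 failing against the `-all` policy, which is the decision the spam filter acts on. The `none` result for a domain without a record is worth noticing: SPF only protects a domain that has actually published a policy.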
SPF has existed since 2006, when it was published by The Internet Society. There are different solutions for spoofed emails, and the efforts to automate the identification and blocking of spoofed emails are still ongoing. Properly configuring SPF is one best practice; newer approaches include artificial intelligence.
Malicious actors often send fraudulent emails that contain malware, or a link to malware, in an effort to convince the recipient to install it. While no single security mechanism should be relied on to provide robust security, properly configuring SPF, together with a spam filter that performs SPF verification on inbound email, is an extremely important measure that usually takes a relatively short amount of time to set up.
Michael Zinn