v=spf1 include:spf.falconide.com include:sendgrid.net include:_spf.google.com ip4:xx.xxx.xxx.x ~all
Above is my SPF record for my domain, I am using an external tool to get open-source threat intelligence, in the tool it says my SPF config is not secure. Support is unavailable at the moment.
Does anything look insecure about the config?
No, this looks ok. The only thing I would change is to put the ip4 mechanism first.
You don’t provide any specifics of the actual error report, but it would not surprise me if it is misreporting thé ~all as a problem, even though it’s very unlikely to be. We would need to see your DMARC config to tell.
Maybe it just doesn't want you to use the soft fail?
If possible, try changing ~all to -all
Check the fail policy and qualifiers items of SPF records in Wikipedia:
https://en.wikipedia.org/wiki/Sender_Policy_Framework#FAIL_and_forwarding
https://en.wikipedia.org/wiki/Sender_Policy_Framework#Qualifiers
Use softfail (~all) as hardfail is NOT at all reliably enforced and can act in unexpected and seemingly random ways (suddenly a hosting company or mailbox provider stops or starts honoring hardfails).
Only a few mailbox providers reject based on just an SPF hard fail, and that's a moving target. For this reason, ~ALL is a best practice.
It’s DMARC that more reliably rejects if you want to tell mailbox providers to reject mail that fails DMARC. To to pass DMARC, either SPF or DKIM must fail and the domains in alignment. In. relaxed mode (by far the most common), alignment means the same organizational domain so example.com aligns with foo.example.com.
Always start with a p=none, a reporting only policy in DMARC and only VERY cautiously ramp up to a more aggressive DMARC policy such as p=reject or p=quarantine, as they can break legit mail if there’s legit mail that fails DMARC.
Delay deploying a more aggressive DMARC policy until you're sure all your legit mail's accounted for and authenticated. That way, only mail that's not authorized by you or flat out domain spoofing email (spammers and phishers) will fail DMARC.
Also, note that many ESPs by default have you use your own donain as the header from and use a domain of their own as the Envelope From.
If you request and setup a custom mail from domain, you can often get a subdomain of your domain set up the Envelope FROM (example.example.com) and the header from example.com (that recipients actually see).
If your envelope from isn’t example.com itself but instead foo.example.com then having the SPF set in your organizational domain uses as the header from won’t be useful. SFP is useful in the envelope from not the header FROM.
DKIM is signed by the header from domain (usually your organizational domain, example.com) and SPF is relevant in the envelope FROM domain only (e.g.,foo.example.com).
Also, keep in mind that an SPF record only allows 10 DNS lookups to be valid so check with a couple validation tools to makes sure it’s 10 or under. The above SPF you set uses 6/10 DNS lookups and is valid.
The SPF you have in your organizational domain isn't going to help, unless your Envelope From Domain is example.com.
And again ~ALL isn’t a problem. You can confirm this by doing some web searches on the risks and benefits of setting a softfail vs. a hardfail in SPF.
Some ESPs use their own domain as the envelope from meaning you need to explicitly work with your ESP to configure foo.example.com as the envelope from to get domain alignment with example.com, your organizational domain, and DKIM signing domain.
A complication is that many ESPs use a domain of there own for your Envelope From Domain and offer services/features such as a "custom sending domain," enabling you to use a subdomain of your own domain as the Envelope From Domain. Given that alignment policies have recently become more strict, it's a good idea to use a subdomain of your own domain as the Envelope From Domain rather than an ESP domain. For example, Microsoft recently enacted a policy whereby domain mis-alignment by itself causing either SPF or DKIM to fail is in itself enough to route email to spam. Other mailbox providers have been moving toward this sort of measure to try to get a handle on domain spoofing and the phishing and spamming that comes along with it.
Envelope FROM domain: Recipients do not see this domain.
Header FROM domain: Recipients can see this in the visible FROM line.
Related
I have an email address forwarding to a gmail account. I then use SMTP to send a response from gmail via the domains SMTP server. This is all set up fine. However some recipients are not receiving the emails? Is there further configuration I need to do on the domain side?
I am told I need to configure the SPF, DKIM and DMARC records but I have no idea what the configuration/values should be?
Having SPF, DKIM and DMARC set up is seldom a prerequisite for having your email delivered. If your email domain and servers have a decent reputation, you won't, generally, run into to much trouble.
However, it is best practice to set up all three, to start authenticating your emails and making it harder for others to impersonate your email domain without authorization. I'll outline the basics for you:
Why Authenticate
Phishing: Email Authentication will make it harder to impersonate your email
domain, without authorization. It (somewhat) protects your colleagues, partners and customers against phishing.
Brand Reputation Protection: Phishing from your domain can harm the reputation of your brand.
Deliverability: Authentication improves deliverability because it's weighed heavily in determining whether or not the email is legit.
DMARC
DMARC will try to find successful authentication for servers sending on your behalf. Specifically, it will look for a Pass on SPF or DKIM, in alignment with the email address (domain) that is being showed to the recipient in his email client. This is known as the Header.From field. (Not to be mistaken with the Sender field, the Reply-To field or Return-Path).
SPF
SPF is basically a list of IP addresses, published as a TXT DNS resource record, listing all servers that are authorized to send email for the domain the record lives in. This does not include subdomains, those require additional SPF records. One of the (many) problems with SPF: Receiving servers need to check the Return-Path email address to lookup the SPF record, instead of the Header.From domain. There is no need for the Header.From email address and the Return-Path address to share any of the domain part, according to the SMTP RFC. Thus where DMARC comes in.
DKIM
Signing an email message with a DKIM private key, requires you to publish a matching public key in the subdomain _domainkey for the domain your signing for. The receiving server will look for d= value and the s= value in the DKIM signature to construct the correct DNS TXT resource record to query, holding the public key. Example d=stackexchange.email s=s1 will result in a DNS query for the TXT record s1._domainkey.stackexchange.email. The same applies here as with SPF: The d= value does not have to match with the domain portion of the Header.From email address.
Unfortunately the configuration and values are very specific, depending on which parties are allowed to send on behalf of your domains, the subdomains you use and how you use them, etc. Especially SPF has a few limits that will make the setup harder.
Having a little trouble with dkim, smtp and forwarded domains.
I basically want to use the gmail smtp servers from my google apps account to send mail from one of my domains, but I can't have that domain as either a domain alias or subdomain of google apps (for complicated reasons I won't go into...)
So. I've set up the SPF records for my original domain: domain1
I've also set up SPF records on my new domain: domain2
However, I'm still getting the 'via domain1.com' on my emails.
I think the issue is that I have SPF but no DKIM, but I can't work out a way of getting a DKIM signature that I can pass without making the domain a domain alias which I really don't want to do. (It's not what it's for).
Any ideas?
two things - doublecheck that your domain2 SPF record designates your sending domain domain1.com as eligible to send email for domain2. So domain2 spf record should look something like this: v=spf1 a:domain1.com ~all.
The second thing is - yes, you need DKIM signature but actually it should work in both cases - one when you sign sending domain - here it is domain1.com or when otherwise you sign sender domain - and it is domain2 then.
So you can feel free to try continue with domain1.com and create DKIM for that both in DNS and in GoogleApps with help of GoogleApps control panel. It should work and be enough when you signing domain1.com with dkim as your sending domain.
The thought occurred to me that if SPF records are not recursive, domain names may be vulnerable to email spoofing from subdomains. My research reveals this:
The Demon Question: What about subdomains?
If I get mail from pielovers.demon.co.uk, and there's no SPF data for
pielovers, should I go back one level and test SPF for demon.co.uk?
No. Each subdomain at Demon is a different customer, and each customer
might have their own policy. It wouldn't make sense for Demon's policy
to apply to all its customers by default; if Demon wants to do that,
it can set up SPF records for each subdomain.
So the advice to SPF publishers is this: you should add an SPF record
for each subdomain or hostname that has an A or MX record.
Sites with wildcard A or MX records should also have a wildcard SPF
record, of the form: * IN TXT "v=spf1 -all"
(Thanks to Stuart Cheshire.)
(emphasis mine)
Q1: Why don't you need to add a SPF record if the subdomain doesn't have a A/MX record?
As an example, I investigated support.google.com:
dig google.com txt:
google.com. 3599 IN TXT "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
dig support.google.com txt:
support.google.com. 21599 IN CNAME www3.l.google.com.
dig www3.l.google.com txt:
www3.l.google.com. IN TXT
So..., no SPF record for support.google.com.
Q2: Wy don't Google (and many other sites) follow this advice?
Q3 (bonus): If this is a problem, and I'm not just being stupid, why is this not more documented?
The only related SE question I can find is this, but it doesn't say much more than the openspf.org FAQ above.
This is actually not terribly relevant advice in 2015, as the email landscape has evolved substantially since that post was made.
In practice SPF is an authentication protocol, not a policy enforcement mechanism. What I mean by that is that a particular message can pass, fail, or not check SPF based on the EHLO name or Return Path domain. But how a receiver should handle any SPF result is up to the receiver.
The email policy enforcement mechanism is DMARC, which specifies how a message that does not pass SPF or DKIM authentication should be handled by a receiver. Should it be rejected entirely? Quarantined (typically meaning directed to a spam folder)? Or treated as 'normal'?
DMARC, unlike SPF, does have subdomain inheritance. So, provided an explicit DMARC policy isn't defined on the subdomain, the policy defined on the organizational domain is used. So in the specific case you mention, the policy will be read from _dmarc.google.com. Which is:
v=DMARC1; p=quarantine; rua=mailto:mailauth-reports#google.com
So your hypothetical email sent on support.google.com will be treated as spam, even without an explicit SPF policy defined on support.google.com
So if you want to ensure against subdomain spoofing for a domain you manage, add a DMARC policy.
I am trying to help out a little non-profit organization, who has decided to let One.com host their domain, including website and e-mail. Now, my issue is that One.com does not add SPF-records or DKIM-keys to your domain and I believe that is the reason why a large number of mails sent from the domain, end up in spam.
I've been in touch with their support, who kindly answered:
You are already using our mail servers, there is no need to use SPF for that.
Our mail servers already have SPF installed, and if you are using our mail servers, SPF will not be question since domain is hosted here and it is using One.com's mail server. SPF will only be required if your domain is hosted here but is using a different MX record or mail server
I've tried to figure out if you can leave out SPF, but all I've been able to conclude is that proper SPF on each domain is definitely the proper way, instead of just the hosting companys main domain. I mean, if it was that simple, how come even Google Apps, Zoho, Rackspace etc. recommends adding SPF, if it worked just as well leaving it out - you'd be using their MX as well, so isn't that the same? And wouldn't leaving SPF out leave us with the same issues as before SPF, namedly that you'd have no way to validate if mail was truly being sent from the owners of the domain or just somebody imposing.
So what it comes down to: Can One.com really leave out SPF records on their clients domains, send mail on the clients behalfs and still expect mail to come through without ending up in spam more often?
Thank you very much for your time!
The short answer is "No, they can't". The longer answer is a little more complicated.
SPF uses either the EHLO domain of the sending server or the domain in the Return-Path to look up SPF records in DNS. Most systems that handle multiple domains do not use SPF records on the EHLO domains of the sending servers, so the SPF domain is taken from the email's Return-Path. You should take a look at the Return-Path for one of the emails that this non-profit has sent through One.com to determine whether the Return-Path is on a subdomain of one.com, or is using the non-profit's domain. The latter is definitely preferred.
If the Return-Path is on a subdomain of one.com, then that's the domain that will be used to look up SPF records. So adding SPF records to your non-profit's DNS won't do anything. While this may seem the easier path, it causes problems with DMARC and may cause the email to be flagged as spam even if it passes SPF, as the address in the 'From' header will have a domain that doesn't match the Return-Path
If the Return-Path is on a subdomain of your non-profit's domain, then you should definitely add an SPF record to your non-profit's DNS. Looking at one.com's current records, something like:
v=spf1 include:_spf.one.com ~all
should do it.
By the way, you should be able to see whether an email has been SPF or DKIM authorized by looking at the headers of the received email. That's the best way to understand the actual behavior.
From the definition of SPF, SPF only authorizes IP address. For one of our domain name, we have created an SPF record to allow only A and MX IPs as genuine sender. This domain is hosted in a shared-hosting environment along with many other customers.
In such setup, owners of other domains on same host can spoof my emails easily. Is there any way SPF still work?
(correct me if my understanding abt SPF is wrong)
Yes they can spoof them but it would be very very unlikly.
If you are concerned about your personal mails that you send out or automatic mails from any system you provide on said host, you might consider signing them cryptographicaly to enable recipients to check if they are genuine.
I think there techniquies implemented in some mailservers to sign mails automaticly AND there is of course DNS signatures but what the status there is is bejond my knowledge.