Step 1: Collect all IP addresses that are used to send email

The Sender Policy Framework (SPF) gives the ability to authenticate your email and to specify which IP addresses are allowed to send email on behalf of the specific domain.

In order to successfully implement SPF you first need to identify which mail servers are used to send email for your domain. These mail servers can be any sending organization, you should think of your Email Service Provider, Office mail server and any other third-party mail servers that may be used to send email for you.

Gathered all sending email servers?

Now you’ve got a clear overview of all sending domains, you have to create an SPF record for every domain, even if the domain doesn’t actively send email.

Step 2: Create your SPF record

  1. Start with the SPF version, this part defines the record as SPF. An SPF record should always start with the version number v=spf1 (version 1) this tag defines the record as SPF. There used to be a second version of SPF (called: SenderID), but this was discontinued.
  2. After including the v=spf1 SPF version tag you should follow with all IP addresses that are authorized to send email on your behalf. For example: v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e
  3. Next, you can include an include tag for every third-party organization that is used to send email on your behalf e.g. include:thirdpartydomain.com. This tag indicates that this particular third party is authorized to send email on behalf of your domain. You need to consult with the third party to learn which domain to use as a value for the ‘include’ statement.
  4. Once you have implemented all IP addresses and include tags you should end your record with an ~all or -all tag. The all tag is an important part of the SPF record as it indicates what policy should be applied when ISPs detect a server which is not listed in your SPF record. If an unauthorized server does send email on behalf of your domain, action is taken according to the policy that has been published (e.g. reject the email or mark it as spam).What is the difference between these tags? You need to instruct how strict servers need to treat the emails. The ~all tag indicates a soft fail and the -all indicates a hardfail. The all tag has the following basic markers: -all Fail – servers that aren’t listed in the SPF record are not authorized to send email (not compliant emails will be rejected). ~all Softfail – If the email is received from a server that isn’t listed, the email will be marked as a soft fail (emails will be accepted but marked).
    +all We strongly recommend not to use this option, this tag allows any server to send email from your domain.
  • After defining your SPF record your record might look something like this: "v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e include: thirdpartydomain.com -all"
  • For domains that aren’t sending email, we recommend you to publish the following record v=spf1 -all Please keep in mind that your SPF record cannot be over 255 characters and has a maximum of 10 include tags, also known as “lookups”. Please note that the ‘nested lookups’ will also count. If a record has an A and MX lookup, these will both count as lookups for your domain.

Now you have created your SPF TXT record you can publish it into your DNS.

Step 3: Publish your SPF record into your DNS

Finally, after defining your SPF record it’s time to publish the record into your DNS. Doing so, mail receivers like (Gmail, Hotmail and others) can request it. An SPF record needs to be published into your DNS by your DNS manager. This can be an internal role in your organization, you can have access to a dashboard provided by your DNS provider yourself or you can ask your DNS provider to publish the record.

Access your DNS manager

Your SPF record needs to be published into your DNS;

  1. Log in to your domain account at your domain host provider;
  2. Locate the page for updating your domain’s DNS records (something like DNS management or name server management);
  3. Select the domain of which you want to modify the records;
  4. Open the DNS manager;
  5. Log in to your domain account at your domain host provider;
  6. Create a new TXT record in the TXT (text) section;
  7. Set the Host field to the name of your domain;
  8. Fill the TXT Value field with your SPF record (i.e. “v=spf1 a mx include: exampledomain.com ~all””);
  9. Specify the Time To Live (TTL), enter 3600 or leave the default;
  10. Click “Save” or “Add Record” to publish the SPF TXT record into your DNS.

Your new SPF record can take up to 48 hours to go into effect. For help adding TXT records, contact your domain host.

The SPF record is correctly configured when:

  • The SPF record Checker has found an SPF record;
  • Your SPF record doesn’t exceed the maximum number of 10 lookups;
  • The configured IP addresses are real addresses that are used to send email from.

Views: 59

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform

FireCompass

Forum

CISO as an enabler

Started by Maheshkumar Vagadiya Jul 30. 0 Replies

Share the instances where you were able to convince the Executive management /board that CISO function is enabler rather then a hindrance.Thanks youMaheshContinue

Has Anyone Evaluated Digital Signature (like Docusign)?

Started by CISO Platform. Last reply by SACHIN BP SHETTY Apr 24. 1 Reply

(question posted on behalf of a CISO member)Has anyone evaluated digital signature (like Docusign), any specific risk/ security areas to be looked into while finalising a vendor? Any and all inputs will be very much appreciated.Continue

What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?

Started by CISO Platform. Last reply by ANAND SHRIMALI May 20. 4 Replies

(question posted on behalf of a CISO member)What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?Related Question: …Continue

[Please Suggest] Corona Virus: Security advisory for work from home

Started by CISO Platform. Last reply by Bhushan Deo Mar 20. 12 Replies

(question posted on behalf of a CISO member)Due to CORONA virus most of the organizations are allowing their employees to work form home.Has any one issued security advisory for work from home ?Continue

Tags: #COVID19

Follow us

Contact Us

Email: contact@cisoplatform.com

Mobile: +91 99002 62585

InfoSec Media Private Limited,First Floor,# 48,Dr DV Gundappa Road, Basavanagudi,Bangalore,Karnataka - 560004

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service