
Email Security Best Practices: How To Avoid SPF Misconfiguration

Oren Falkowitz | February 19, 2014

The threat from malicious email represents one of the greatest risks to IT security. The Messaging Anti-Abuse Working Group (MAAWG) identifies 85% of incoming mail as abusive or malicious. One of the best practices to curb this risk is the Sender Policy Framework (SPF), an email validation mechanism that lets a receiving mail server check whether the host delivering a message is authorized to send for the domain in the message's envelope sender. When properly configured, and checked by receivers, SPF reduces both the likelihood that a domain name is fraudulently used to send malicious email and the likelihood that organizations accept such messages.

The Benefits of a Sender Policy Framework

Two well known situations highlight the benefits of SPF. A targeted attack against senior U.S. government officials succeeded because the attackers were able to pose as legitimate senders from trusted domains such as state.gov, osd.mil and dia.mil. Had those domains published SPF records with a fail policy, and had the receiving systems checked them, messages from unauthorized hosts claiming those sender domains would have been rejected.

More recently, after a breach that exposed payment card and personal data for tens of millions of consumers, Target Corporation began to offer free credit monitoring services. The emails it sent to consumers, delivered through a third-party mailing domain rather than target.com, looked suspicious to many recipients. Questions about the validity of the Target emails were resolved in part by validating the sending host against the sender domain's SPF record.

How the Sender Policy Framework Works

When an organization publishes an SPF record in the Domain Name System (DNS), it is identifying which hosts are permitted to send email for its domain. The record is a TXT record at the domain name that begins with the version tag v=spf1, continues with mechanisms such as ip4:, ip6:, a, mx and include: that name the authorized senders, and ends with a default such as -all (fail everything else) or ~all (soft fail). A receiving mail server looks up the record for the domain in the message's envelope sender (the SMTP MAIL FROM address, or the HELO name when MAIL FROM is empty) and checks whether the connecting IP address matches any listed mechanism. Note that SPF authenticates the envelope sender, not the From: header the user sees in the mail client, so a receiver that only checks SPF does not by itself stop a forged display address. This diagram shows how SPF is verified by the recipient's mail system.

[Diagram: SPF verification flow at the recipient's mail system]
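The evaluation described above, as an added example that is not part of the original post and not BitSight's code: a minimal SPF evaluator for one connecting IP and envelope-sender domain, plus a checker for the misconfigurations the adoption analysis later on refers to (no record, two records, an open +all, and records that exceed the ten-lookup limit). DNS answers come from a constructed in-memory table, an assumption that keeps the script offline; a real checker would issue TXT, MX and A queries instead. The domain names, addresses and record contents in the table are constructed sample data.

```python
"""Minimal SPF evaluator and misconfiguration checker (added example)."""
import ipaddress

# Constructed stand-in for DNS (assumption: replaces real TXT/MX/A queries).
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.example -all",
                             "google-site-verification=abc123"],   # non-SPF TXT, ignored
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.10"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("nospf.example", "TXT"): ["some unrelated text"],              # no SPF at all
    ("tworecs.example", "TXT"): ["v=spf1 -all", "v=spf1 mx -all"],  # two SPF records
    ("open.example", "TXT"): ["v=spf1 mx +all"],                    # authorizes everyone
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],  # endless includes
}
MAX_LOOKUPS = 10   # limit on DNS-querying mechanisms per evaluation (a, mx, include, ...)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_records(domain, dns):
    """TXT records at `domain` that carry the v=spf1 version tag."""
    return [t for t in dns.get((domain, "TXT"), []) if t == "v=spf1" or t.startswith("v=spf1 ")]


def check_host(ip, domain, dns=DNS, budget=None):
    """Evaluate SPF for connecting address `ip` claiming MAIL FROM `domain`.
    Returns pass, fail, softfail, neutral, none or permerror. `budget` is the
    remaining lookup allowance shared with nested includes. Simplifications:
    only IPv4 A records for a/mx; no redirect=, exists or ptr support."""
    ip = ipaddress.ip_address(ip)
    budget = [MAX_LOOKUPS] if budget is None else budget
    records = spf_records(domain, dns)
    if not records:
        return "none"
    if len(records) > 1:                  # two records is an error, not "both apply"
        return "permerror"
    for term in records[0].split()[1:]:
        if "=" in term:                   # modifier such as exp=; ignored here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name in ("a", "mx", "include", "exists", "ptr"):
            budget[0] -= 1
            if budget[0] < 0:             # exceeded MAX_LOOKUPS
                return "permerror"
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif name == "a":
                matched = str(ip) in dns.get((arg or domain, "A"), [])
            elif name == "mx":
                hosts = dns.get((arg or domain, "MX"), [])
                matched = any(str(ip) in dns.get((h, "A"), []) for h in hosts)
            elif name == "include":
                inner = check_host(ip, arg, dns, budget)
                if inner in ("none", "permerror"):   # a broken include breaks the caller
                    return "permerror"
                matched = inner == "pass"
            else:
                return "permerror"        # unknown or unsupported mechanism
        except ValueError:                # malformed ip4:/ip6: argument
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                      # nothing matched and no "all" term


def lint_record(domain, dns=DNS):
    """Flag misconfigurations that leave a domain spoofable or its record unusable."""
    records = spf_records(domain, dns)
    if not records:
        return ["no SPF record: any host may claim this domain"]
    findings = []
    if len(records) > 1:
        findings.append("multiple SPF records: receivers return permerror")
    for rec in records:
        terms = [t.lower() for t in rec.split()[1:]]
        if "+all" in terms or "all" in terms:
            findings.append("'+all' authorizes every host on the internet")
        if "?all" in terms:
            findings.append("'?all' leaves unauthorized hosts at neutral")
    budget = [MAX_LOOKUPS]   # walk the whole record with an IP that matches nothing
    if check_host("100.64.0.1", domain, dns, budget) == "permerror" and budget[0] < 0:
        findings.append("more than %d DNS lookups: receivers return permerror" % MAX_LOOKUPS)
    return findings


if __name__ == "__main__":
    for dom in ("example.com", "nospf.example", "tworecs.example", "open.example", "loop.example"):
        print(dom, check_host("192.0.2.7", dom), lint_record(dom) or "ok")
```

Two design points matter for a production checker. First, a second v=spf1 record is a permanent error, not a second chance: receivers treat the domain as having a broken record, so a forgotten duplicate silently disables the protection. Second, the lookup budget is shared across every include: and redirect=, so a record that looks short can still fail once a third-party mailer's include chain is counted; the loop.example entry shows the worst case of that.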

Analysis of SPF Adoption

Although SPF was first standardized in 2006 (RFC 4408) to let receivers verify the sending host of an email message and thereby block spoofed messages, adoption remains limited. We looked across the S&P 500 to measure adoption and implementation effectiveness of SPF.

[Chart: SPF rating across the S&P 500]

The data shows that over half of the S&P 500 organizations surveyed remain at high risk because they either have no SPF record or have an improperly formatted one. In fact, only about 25% had a properly implemented SPF record.

SPF is one of a variety of simple and straightforward tools organizations can use to validate the integrity of their messages and reduce the risk of malicious forgeries. Failing to publish an SPF record, or publishing one that is malformed or too permissive, increases risk across multiple vectors. SPF adoption is a best practice and a signal of an organization's overall IT security effectiveness.

* A variety of open-source tools exist to verify the SPF record for your organization:

Read more about the security health of the S&P 500 in the latest BitSight Insights report, Assessing the Cyber Health of the U.S. Economy.
