Email Security, part 2: The Sender Policy Framework


Following up on our initial post about Email Security, today we look at the Sender Policy Framework (SPF), one of the easiest ways to detect non-authentic emails and thus provide protection against phishing or other email fraud.

To help prevent emails pretending to originate from your domain, an SPF policy can be published simply as a DNS TXT record. The policy starts with a version section, followed by an ordered list of mechanisms and modifiers. A mechanism describes a set of sender IP addresses or host names and is evaluated against a given IP: it matches if the IP belongs to one of those identities. The result returned for a matching mechanism is determined by the qualifier prefixed to it. Examples of qualifiers are “+” for pass, “-” for fail, “~” for soft fail and “?” for neutral. Since modifiers only provide additional information and predominantly do not affect the evaluation of the record, we omit them from the discussion here.

When an email is received that claims to come from a certain domain, as indicated by the identities presented during the SMTP “HELO/EHLO” or “MAIL FROM” exchange, the SPF policy for that domain is fetched and evaluated. The evaluation checks the mechanisms in order against the IP of the connecting server and returns the result given by the qualifier of the first matching mechanism, or neutral if no mechanism matches. Depending on the configuration of the receiving host, the email is then delivered to the intended recipient, quarantined, or deleted.
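To make the record structure and the evaluation order concrete, here is a small SPF evaluator written for this post as an added example; it is not code from the original article or from any SPF library. It parses the version section, the qualifiers and the `ip4`, `ip6`, `a`, `mx` and `all` mechanisms, and walks them in order against the connecting IP. All DNS data comes from a constructed in-memory table (`FAKE_DNS`, with documentation-range addresses), so nothing is looked up on the network; `include:` and modifiers such as `redirect=` are deliberately left out, as in the text above.

```python
import ipaddress

# Constructed DNS data for the example (documentation ranges only; no real lookups).
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 a mx -all"],
    ("example.com", "A"): ["198.51.100.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.5"],
    # Record without a trailing "all": non-matching senders end up "neutral".
    ("other.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24"],
    # Record ending in "~all": non-matching senders end up "softfail".
    ("soft.example", "TXT"): ["v=spf1 ip6:2001:db8::/32 ~all"],
}

# Qualifier prefix -> SPF result; "+" is the default when no prefix is given.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query, answered from the constructed table."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def parse_spf(record):
    """Split a record into an ordered list of (qualifier, mechanism, argument)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        if "=" in term:          # modifier (redirect=, exp=): ignored here, as in the post
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms


def mechanism_matches(name, arg, ip, domain):
    """Return True if the connecting IP is one of the identities the mechanism describes."""
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        net = ipaddress.ip_network(arg, strict=False)
        return ip.version == net.version and ip in net
    if name == "a":
        target = arg or domain
        return any(ip == ipaddress.ip_address(a) for a in lookup(target, "A"))
    if name == "mx":
        target = arg or domain
        for mx_host in lookup(target, "MX"):
            if any(ip == ipaddress.ip_address(a) for a in lookup(mx_host, "A")):
                return True
        return False
    # Anything else (include, exists, ptr, ...) is unsupported in this toy evaluator.
    raise ValueError(f"unsupported mechanism: {name}")


def check_host(ip_str, domain):
    """Evaluate the domain's SPF record for the connecting IP and return the result string."""
    ip = ipaddress.ip_address(ip_str)
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"                # no policy published for this domain
    try:
        for qualifier, name, arg in parse_spf(records[0]):
            if mechanism_matches(name, arg, ip, domain):
                return QUALIFIERS[qualifier]   # first match decides
    except ValueError:
        return "permerror"           # malformed or unsupported record
    return "neutral"                 # nothing matched and no "all" mechanism


if __name__ == "__main__":
    for sender, dom in [("192.0.2.77", "example.com"), ("203.0.113.5", "example.com"),
                        ("203.0.113.99", "example.com"), ("203.0.113.99", "other.example"),
                        ("203.0.113.99", "soft.example"), ("192.0.2.1", "nospf.example")]:
        print(f"{sender:>14} for {dom:<14} -> {check_host(sender, dom)}")
```

The three `example.com` cases show the three mechanism kinds matching in turn (`ip4`, then `a`, then `mx`), while the remaining domains show how the trailing `-all`, `~all` or its absence changes the outcome for a sender that matches nothing. A receiving host would map these result strings onto its own delivery, quarantine or reject decision.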

As SPF only checks the identities given during the SMTP exchange, spammers have shifted to spoofing only the “From” field in the email header. To still prevent the spread of email fraud, SPF must be combined with DMARC. Before we can introduce DMARC in detail, we first need to introduce DKIM, since understanding DKIM is a prerequisite for understanding DMARC.

So, in the next part of this series, we will take a closer look at DKIM, a more cryptography-based authentication method that also guarantees the integrity of certain parts of an email message.