What is SPF record good for? | Part 7#17
Written by Eyal Doron | o365info.com
The current article explains the purpose of the SPF record and how the SPF record enables us to prevent a scenario in which hostile elements could send E-mail on our behalf.
The next article, Implementing SPF record | Part 8#17, focuses on the “technical side” of the SPF record, such as: the structure of the SPF record, the way that we create an SPF record, the required syntax for the SPF record in an Office 365 environment + mixed mail environment, how to verify the existence of an SPF record, and so on.
The purpose of the SPF record
There are two main objectives for using an SPF record:
1. Trying to prevent a scenario in which a spammer sends E-mail using our domain name (a specific organization E-mail address) from his own mail server. In other words: a scenario in which the spammer’s mail server introduces itself as “our legitimate mail server”.
2. Preventing a scenario in which a destination mail server blocks E-mail that is sent from our organization, or “stamps” our organization’s mail with a high spam score level, because a spammer is “distributing E-mail” using the identity of our organization’s users (using the E-mail address of a recipient from our organization).
Issues that relate to the SPF record
We can classify the “problems that relate to the SPF record” into two main areas:
1. Lack of an SPF record – a common scenario, in which the organization doesn’t use an SPF record. The main reason is a lack of awareness of the great importance of using SPF records.
2. Misconfigured SPF record – an existing SPF record that was configured with incorrect syntax, or that doesn’t include the “full information” about all the mail servers that represent the specific organization.
Why do I need to use SPF record?
Ensure our E-mail message reliability
The use of an SPF record is very important in a modern mail environment because the SPF record enables us to set the level of “reliability” of an E-mail message that is sent “from our organization”, meaning: the E-mail message was sent from our legitimate mail server.
The purpose of the SPF record is to enable organizations to publicly “declare” which mail servers are authorized to send mail on behalf of the organization (for a specific domain name).
The destination mail server, which accepts an E-mail message that includes our domain name (an E-mail address with our domain name), can verify whether the mail server that “delivers” the E-mail message is entitled, or authorized, to represent the specific domain name.
The destination mail server verifies this information by looking at the organization’s SPF record, which should include a list of all of the authorized mail servers that represent the specific domain name.
In case the “source mail server” doesn’t appear in the SPF record, the “destination mail server” (the mail server that is supposed to accept the E-mail message and forward it to the destination recipient) can decide whether it agrees to accept the E-mail or “blocks” the sending mail server.
A scenario in which we don’t use an SPF record, or a scenario in which we send mail by using a mail server that doesn’t appear in the SPF record that represents our domain name, could lead to a significant reduction in the “reliability grade” of E-mail that is sent by our organization’s users.
In other words: an outcome in which our organization’s mail will be identified as spam\junk mail.
Prevent spoofing scenario
In a modern mail environment, the scenario of “spoofing” is very common and very popular.
The reason for this “popularity” of the spam phenomenon is that the SMTP mail protocol was created based on the assumption that the parties that want to communicate using E-mail messages are “legitimate players”.
The reality is a little different, and many times hostile elements such as spammers use the basic SMTP option for “presenting themselves” as someone else (impersonation).
For example: in a standard SMTP session between two mail servers (the source and the destination mail server), when server A connects to server B and asks it to forward an E-mail message to a recipient who is hosted on mail server B, mail server A presents itself as the representative of the source recipient.
By default, server B (the destination server) is supposed to believe server A (believe that it is the true representative of the source recipient).
The SPF record was created for preventing a scenario in which a spammer fakes his identity and pretends to be the “legitimate mail server” of a specific organization.
In our example, the spammer’s mail server presents itself as the legitimate mail server that sends E-mail “on behalf of” the domain: o365info.com
In the following diagram, we can see such a scenario, in which hostile elements try to send an E-mail message to the destination recipient, and the mail server of the hostile elements “declares” that the message was sent by a recipient named: [email protected]
Q1: What does SPF stand for?
A1: SPF stands for Sender Policy Framework.
Q2: How is the SPF record implemented?
A2: By publishing a TXT record in our public DNS that includes a pre-defined structure + information about the mail servers that are authorized and “approved” to send E-mail on behalf of our organization.
Q3: What is the information that is included in the SPF record?
A3: The SPF record includes information about the mail server names or IP addresses that represent a specific organization (domain name) and can send E-mail on behalf of the organization.
Note – the SPF record syntax includes additional options for “pointing out” the legitimate mail server, such as using the MX or the A record option.
For example, when using the MX option in the SPF record, the meaning is that all the mail servers that appear “under” the MX record of a specific domain name are considered “authorized” mail servers that can send E-mail on behalf of the specific domain.
How does the SPF record prevent a spoofing scenario?
To demonstrate the way in which the use of the SPF record prevents spoofing, let’s use the following scenario:
A hostile element (spammer) wants to distribute spam mail and hide his identity by impersonating a legitimate organization that uses the public domain name: o365info.com
The spammer is going to “present himself” using the recipient name (E-mail address): [email protected]
Step 1: Sending an E-mail message on behalf of the legitimate recipient
In the following diagram, we can see that the spammer’s mail server connects to the destination mail server and asks it to forward E-mail messages to the destination recipient.
The destination mail server “sees” that the IP address that is used by the “source mail server” (the spammer’s mail server) is: 100.100.100.100
Pay attention that the “real mail server” that represents the organization o365info.com uses a different IP address: 212.25.80.239
Step 2: The destination mail server checks the SPF record
In our scenario, we assume that the E-mail policy that is used by the “destination mail server” is configured to check the SPF record of the “source mail server”.
The “destination mail server” queries the DNS server and asks for the SPF record of the domain: o365info.com
In our scenario, the SPF record “says” that the “formal mail server” that represents the domain o365info.com is: 212.25.80.239
Step 3: The destination mail server rejects the E-mail message
The spammer’s mail server uses the IP address: 100.100.100.100
Because the SPF record for the domain o365info.com doesn’t include this IP address, the mail server will reject the E-mail message from the spammer’s mail server.
Important note – the “real world” is a little more complex. In reality, there could be many other scenarios.
For example: in case the “destination mail server” is not configured to check the existence of an SPF record, it will accept the E-mail message that was sent by the spammer.
Another possible scenario could be that the “destination mail server” will agree to accept the E-mail message, although the IP address of the “source mail server” (the spammer’s mail server) doesn’t appear in the SPF record, but will “stamp” the E-mail message as a “problematic” or dangerous E-mail message.
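The three steps above and the two alternative outcomes in the note, as an added example that is not part of the original article: a small evaluator for the ip4/ip6/all subset of SPF. The TXT record text, the ~all variant and the receiver policy mapping are assumptions; only the domain and the two IP addresses come from the article.

```python
import ipaddress

# Constructed TXT records: the article only says that the SPF record for
# o365info.com lists 212.25.80.239; the exact record text is an assumption.
SPF_STRICT = "v=spf1 ip4:212.25.80.239 -all"   # unlisted senders -> fail
SPF_SOFT = "v=spf1 ip4:212.25.80.239 ~all"     # unlisted senders -> softfail

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate the ip4/ip6/all terms of an SPF record, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":                  # matches every sender
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            # a, mx, include and similar terms need DNS lookups; not handled
            raise ValueError(f"unsupported term: {term}")
        if ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched, no "all" term


def receiver_action(record, client_ip, checks_spf=True):
    """Hypothetical receiver policy covering the outcomes the article lists."""
    if not checks_spf:
        return "accept"                    # receiver ignores SPF entirely
    result = check_spf(record, client_ip)
    policy = {"fail": "reject", "softfail": "accept-and-mark"}
    return policy.get(result, "accept")


if __name__ == "__main__":
    for ip in ("212.25.80.239", "100.100.100.100"):
        print(ip, check_spf(SPF_STRICT, ip), receiver_action(SPF_STRICT, ip))
```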
“Problems” that relate to the SPF record
Q: What are possible scenarios of “problems” that relate to the SPF record?
A: Examples of “problems” that relate to the SPF record could be:
1. Lack of an SPF record – a scenario in which the organization doesn’t use an SPF record.
2. More than one SPF record – a common mistake, in which the DNS includes two or more SPF records. The outcome is: “unknown results”. Some mail servers will relate to only one of the SPF records, and some mail servers will refuse to accept mail because the SPF record is not configured correctly.
3. An SPF record that is configured improperly – the SPF record is based on very strict “syntax rules” that dictate how to “construct” the SPF record. In some cases, the SPF record includes a syntax error. In this case, we are again dealing with the realm of “unknown results”.
4. An SPF record that doesn’t include information about all the organization’s mail servers.
Any of these “issues” could lead to a scenario in which an external mail server blocks mail that is sent by users from our organization (users whose E-mail address includes our public domain name).
Mixed mail environment example
An example of the scenario “SPF record that doesn’t include information about all the organization’s mail servers” could be a Hybrid environment that is based on two separate mail infrastructures: the Office 365 mail infrastructure (Exchange Online) and the Exchange on-Premises mail infrastructure.
In this scenario, an E-mail message could be sent from both of these mail infrastructures (depending on the physical location of the user mailbox).
In a scenario of “two separate mail infrastructures”, the SPF record should contain “pointers” to both of the separate mail infrastructures.
In simple words: the SPF record should “declare” that mail that is sent by the Exchange Online mail servers + mail that is sent from the Exchange on-Premises mail server\s is considered legitimate mail.
In case the SPF record value that we have configured doesn’t include information about the Exchange on-Premises server, each E-mail that is sent by the Exchange on-Premises server has the potential to be identified as spam\junk mail.
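An added example (not from the original article) that checks a domain’s published TXT records for the four problems listed above, including the hybrid case where the on-Premises server is missing. The record strings are constructed, 212.25.80.239 is assumed to be the Exchange on-Premises server, and include:spf.protection.outlook.com is the include that Microsoft documents for Exchange Online; coverage is checked only against literal ip4/ip6 terms, because include, a and mx need live DNS.

```python
import ipaddress
import re

# Mechanism and modifier names defined by RFC 7208.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}

# Constructed TXT record sets for the scenarios in the article.
NO_SPF = ["unrelated=constructed"]
DUPLICATE = ["v=spf1 ip4:212.25.80.239 -all",
             "v=spf1 include:spf.protection.outlook.com -all"]
TYPO = ["v=spf1 ipv4:212.25.80.239 -all"]
HYBRID_MISSING = ["v=spf1 include:spf.protection.outlook.com -all"]
HYBRID_OK = ["v=spf1 include:spf.protection.outlook.com ip4:212.25.80.239 -all"]


def lint_spf(txt_records, expected_senders=()):
    """Return a list of problems found in a domain's TXT record set."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # RFC 7208 defines this case as a permanent error (permerror).
        return [f"{len(spf)} SPF records published (RFC 7208: permerror)"]
    problems, networks = [], []
    for term in spf[0].split()[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name not in MECHANISMS | MODIFIERS:
            problems.append(f"unknown term {term!r}")
        elif name in ("ip4", "ip6"):
            try:
                value = term.split(":", 1)[1]
                networks.append(ipaddress.ip_network(value, strict=False))
            except (IndexError, ValueError):
                problems.append(f"bad address in {term!r}")
    # Senders we know by IP (here: the on-Premises server) must be listed.
    for sender in expected_senders:
        ip = ipaddress.ip_address(sender)
        if not any(ip in net for net in networks):
            problems.append(f"sender {sender} not covered by an ip4/ip6 term")
    return problems


if __name__ == "__main__":
    for records in (NO_SPF, DUPLICATE, TYPO, HYBRID_MISSING, HYBRID_OK):
        print(records, "->", lint_spf(records, ["212.25.80.239"]) or "ok")
```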
Note – you can read more detailed information on the SPF record
syntax in the article – Implementing SPF record | Part 8#17
Q: In a scenario of a problem in the SPF record, what are the possible “responses” of the target mail server?
A: It’s important to emphasize that in a scenario of “problems that relate to the SPF record”, the “response” from the destination mail server cannot be predicted.
The reason is that each mail server uses or implements a different mail security policy.
Some of the mail servers are more “forgiving” of a scenario of a lack of, or a problem with, the SPF record, and some of the mail servers are stricter.