Many organizations have invested in email fraud education for employees and consumers. But despite this investment, people continue to be deceived by business email compromise (BEC)—highly-targeted, low volume attacks that trick employees by spoofing trusted corporate identities—and credential phishing scams. And they work. According to Verizon, 30 percent of phishing messages get opened by targeted users and 12 percent of those users click on malicious attachments.
Email authentication, not people, should always be your first line of defense against impostor email attacks. It removes the guesswork for targeted recipients by identifying and blocking bad messages before they reach the inbox.
There are three key email authentication protocols that are critical for every organization to implement:
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Domain-based Message Authentication Reporting and Conformance (DMARC)
In this post, we’ll talk about SPF—what it is, how it works, and why it matters. But in order to understand SPF, it’s important to understand the anatomy of an email message, especially the parts you don’t normally see.
Two Email Headers
Each email message contains two “headers,” a visible header, which you can see at the top of any email message and a hidden, technical header. Each header contains a “from” email address: the one you see in the visible header (a.k.a. “header from” or “friendly from”) and the “envelope from” address that is contained in the hidden technical header of the email (a.k.a. Return Path or mfrom). Here are examples of what each header looks like:
Visible header:
Technical, hidden header:
Keep this in mind as you read on about what SPF is all about.
What is SPF?
SPF is an email authentication protocol that allows your company to specify who is allowed to send email on behalf of your domain. You can authorize senders for email providers within an SPF record published within the Domain Name System (DNS). This record includes your list of approved IP addresses and vendor IP addresses.
How does SPF work?
Before delivering a message, email providers will verify the SPF record by looking up the domain included in the “envelope from” address (a.k.a. Return Path or “mfrom”) within the hidden technical header of the email. As you can see in the example above, the domain name of the “envelope from” address is mint.com. If the IP address sending email on behalf of this domain is not listed in the domain’s SPF record, the message fails SPF authentication.
Why does SPF matter?
Because SPF discourages cybercriminals from spoofing your domain, spam filters will be less likely to blacklist it. This improved reputation improves the deliverability of your legitimate mail.
But SPF, on its own, is not sufficient to block phishing emails targeting your employees and customers. It has a few major challenges:
- Accuracy: the vendors sending email on your brand’s behalf often change and multiply. If you don’t have visibility into these changes in real time, your SPF records will become out of date.
- Tolerance: SPF is one of many signals that email providers use to inform their delivery decision. An SPF failure does not guarantee that the message will be blocked.
- Immunity: If an email is forwarded, the SPF record breaks.
- Protection: SPF does not protect the “header from” address, which users see in their email clients, from being spoofed. Cybercriminals can pass SPF by including a domain they own in the “envelope from” address and still spoof a legitimate brand’s domain in visible from address.
Luckily, other email authentication technology can fill these gaps. Stay tuned for our next email authentication post—we’ll break down what another protocol, DKIM (DomainKeys Identified Mail), is all about.
Is your SPF record up to date? Use this tool to find out which servers are authorized to send email on behalf of your domains.