Name in API: spf_record_missing
Severity: Medium
Factor: DNS Health
Why this matters
The Sender Policy Framework (SPF) is a simple but effective email-validation technique designed to detect forged emails (spoofing). An SPF record is a list of the hosts authorized to send mail for the domain listed in the return path of an email. It is published as a Domain Name System (DNS) record for that domain in the form of a specially formatted TXT record.
An SPF record is required for spoofed e-mail prevention and anti-spam control. Simple Mail Transfer Protocol (SMTP) itself does not allow for complete prevention of spoofed emails; however, the SPF result recorded in the message headers reveals whether or not the email is authentic, that is, whether it was sent from a host the domain authorizes.
How we discovered it
We look up SPF records for each domain that is part of a Scorecard's Digital Footprint. Records are refreshed approximately every 48 hours.
How you can remediate it
Create a valid Sender Policy Framework (SPF) record. Check the configuration of the SPF DNS record to verify its syntax and that it lists the correct mail transfer agent (MTA) servers.
Note: When publishing an SPF record, use the format type TXT (type 16). Do not use type SPF (type 99), which is deprecated.
Validate the configuration by checking the headers of an incoming email sent from your domain for spf=pass.
Allow for DNS caching during testing. It may take up to 48 hours to fully propagate across the internet.
Note: Even if a domain in your organization does not send emails, as with a parked domain, provide a defensive SPF record for it. The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) recommends this as well. Malicious parties can mimic any domain to send spoofed and malicious emails.
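The remediation steps above can be checked offline with a small syntax checker. The following Python script is an added example, not SecurityScorecard's tooling: it takes the TXT records of a domain (constructed sample values here, not a live DNS lookup), confirms that exactly one v=spf1 record is published, checks each term against the mechanisms and modifiers defined in RFC 7208 (including the limit of 10 DNS-lookup terms and a terminating all mechanism), validates ip4/ip6 values, and reads the spf= verdict out of an Authentication-Results or Received-SPF header so the spf=pass check from the steps above can be scripted. PARKED_DOMAIN_RECORD is the defensive record for a domain that never sends mail. Domain names, addresses and header lines are constructed sample data.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Mechanisms from RFC 7208; the value says whether the term costs a DNS lookup.
# The RFC caps lookup-costing terms at 10; beyond that receivers return permerror.
MECHANISMS = {"all": False, "include": True, "a": True, "mx": True,
              "ptr": True, "ip4": False, "ip6": False, "exists": True}
MODIFIERS = {"redirect": True, "exp": False}   # exp does not count toward the limit
MAX_LOOKUPS = 10

# Defensive record for a domain that never sends mail (for example a parked domain):
# no host is authorized, so any message claiming the domain hard-fails SPF.
PARKED_DOMAIN_RECORD = "v=spf1 -all"

# qualifier, name, separator (":" value, "/" cidr, "=" modifier), value
TERM_RE = re.compile(r"^([+\-~?])?([A-Za-z0-9]+)(?:([:=/])(.*))?$")


@dataclass
class SpfCheck:
    record: Optional[str]            # the v=spf1 record that was evaluated, if any
    lookups: int = 0                 # DNS-lookup-costing terms found
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.record is not None and not self.problems


def find_spf_records(txt_records):
    """Return the TXT strings whose first term is exactly the v=spf1 version tag."""
    return [t for t in txt_records if t.split() and t.split()[0].lower() == "v=spf1"]


def check_spf(txt_records):
    """Syntax-check the SPF record among a domain's TXT records (no network access)."""
    spf = find_spf_records(txt_records)
    if not spf:
        return SpfCheck(None, problems=["no v=spf1 TXT record published"])
    if len(spf) > 1:
        return SpfCheck(spf[0], problems=["multiple v=spf1 records; receivers return permerror"])
    result = SpfCheck(spf[0])
    terms = spf[0].split()[1:]
    terminated = False   # becomes True once an 'all' mechanism or redirect modifier is seen
    for index, term in enumerate(terms):
        m = TERM_RE.match(term)
        if not m:
            result.problems.append(f"{term}: malformed term")
            continue
        qualifier, name, sep, value = m.groups()
        name = name.lower()
        if sep == "=":                               # modifier, e.g. redirect=_spf.example.net
            if name not in MODIFIERS:
                result.problems.append(f"{term}: unknown modifier")
            elif MODIFIERS[name]:
                result.lookups += 1
                terminated = True                    # redirect ends evaluation like 'all'
            continue
        if name not in MECHANISMS:
            result.problems.append(f"{term}: unknown mechanism")
            continue
        if MECHANISMS[name]:
            result.lookups += 1
        if name in ("ip4", "ip6"):                   # value must parse as the right IP family
            try:
                if ipaddress.ip_network(value or "", strict=False).version != int(name[2]):
                    raise ValueError
            except ValueError:
                result.problems.append(f"{term}: not a valid {name} address or network")
        if name == "all":
            terminated = True
            if (qualifier or "+") == "+":
                result.problems.append("+all authorizes every host on the internet")
            if index != len(terms) - 1:
                result.problems.append("terms after 'all' are never evaluated")
    if not terminated:
        result.problems.append("no 'all' mechanism or redirect; unmatched senders default to neutral")
    if result.lookups > MAX_LOOKUPS:
        result.problems.append(f"{result.lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    return result


SPF_RESULT_RE = re.compile(r"\bspf=(pass|fail|softfail|neutral|none|permerror|temperror)\b", re.I)


def spf_result_from_headers(raw_headers: str):
    """Return the SPF verdict from an Authentication-Results or Received-SPF header, or None.
    Assumes unfolded header lines (one header per line)."""
    for line in raw_headers.splitlines():
        lowered = line.lower()
        if lowered.startswith("authentication-results:"):
            m = SPF_RESULT_RE.search(line)
            if m:
                return m.group(1).lower()
        elif lowered.startswith("received-spf:"):     # verdict is the first token after the colon
            return line.split(":", 1)[1].split()[0].lower()
    return None


# Constructed sample headers, as a receiving MTA would add them for a passing message.
SAMPLE_HEADERS = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sender@example.com
Received-SPF: pass (mx.example.net: domain of sender@example.com designates 192.0.2.10 as permitted sender)
From: sender@example.com
"""

if __name__ == "__main__":
    # Constructed TXT records, as returned by a TXT lookup for a sending domain.
    print(check_spf(["v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"]))
    print(check_spf([PARKED_DOMAIN_RECORD]))
    print(spf_result_from_headers(SAMPLE_HEADERS))
```

To run it against a real domain, feed check_spf the strings returned by a TXT lookup (for example from dnspython or dig); everything else stays the same. A record that passes here still has to be checked against the actual MTA list, which only the domain owner knows.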
How you can resolve it in SecurityScorecard
When submitting a Resolution request, ensure you include supporting evidence where necessary. This will greatly assist us in ensuring your issue is resolved in a timely manner. See the following options for resolving SPF Record Missing findings:
I have fixed this
If you add an SPF record to a domain and validate it with an independent tool, such as SPF Checker, ask us to inspect the record in the resolution process. This will accelerate the removal of the finding.
If you do not request the accelerated removal, the finding will decay over the time period defined in our Scoring methodology whitepaper.
I have a compensating control
A valid compensating control for not having SPF is to have DMARC policy set to reject.
A valid compensating control for having an SPF soft fail is to have DMARC set up to quarantine or reject.
Tip: Learn more about enabling and configuring DMARC.
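Whether a DMARC record meets the compensating-control criteria above can be decided from the _dmarc TXT record alone. The following Python helper is an added example, not SecurityScorecard's own logic: it parses the tag=value pairs of a DMARC record and applies the two rules stated above (p=reject compensates for a missing SPF record; p=quarantine or p=reject compensates for an SPF soft fail). The additional pct check is my own addition beyond the page's criteria: a policy applied to only part of the mail stream is weaker than the stated rule assumes. The record strings are constructed sample data.

```python
from typing import Tuple

DMARC_POLICIES = ("none", "quarantine", "reject")

# Policy values that satisfy the compensating-control rule for each SPF finding.
REQUIRED_POLICY = {
    "spf_record_missing": ("reject",),
    "spf_softfail": ("quarantine", "reject"),
}


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ('tag=value; tag=value') into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_compensates(dmarc_txt: str, finding: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a DMARC record offered against an SPF finding."""
    if finding not in REQUIRED_POLICY:
        raise ValueError(f"unknown finding {finding!r}")
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC1 record"
    policy = tags.get("p", "").lower()
    if policy not in DMARC_POLICIES:
        return False, "missing or invalid p= tag"
    try:
        pct = int(tags.get("pct", "100"))          # DMARC default is 100 percent
    except ValueError:
        return False, "invalid pct= tag"
    if pct < 100:
        return False, f"pct={pct} applies the policy to only part of the mail stream"
    required = REQUIRED_POLICY[finding]
    if policy in required:
        return True, f"p={policy} satisfies the requirement"
    return False, f"p={policy} is weaker than the required {' or '.join(required)}"


if __name__ == "__main__":
    # Constructed records, as returned by a TXT lookup of _dmarc.example.com.
    for record in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=quarantine; pct=100",
                   "v=DMARC1; p=none"):
        for finding in REQUIRED_POLICY:
            print(record, finding, dmarc_compensates(record, finding))
```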
This is not my IP or domain
Indicate that the IP does not belong to your organization and that the DNS entry for the IP has been corrected.
I cannot reproduce this issue and I think it is incorrect
Validate the SPF record with a tool such as SPF Checker, and show us the result.