Category: Deliverability

  • Why SPF Matters: Protect Your Business Against Email Spoofing Attacks

    Sender Policy Framework (SPF) is an email authentication mechanism that protects businesses against spoofing attacks and unauthorised senders. As a business owner, it’s essential to know how it works and understand the benefits of implementing it.

    How Does SPF Work?

    SPF lets the receiving mail server check that a message claiming to come from a given domain was handed over by an IP address that domain’s administrator has authorised. The administrator publishes an SPF record in DNS as a TXT record listing the hosts allowed to send mail for the domain. Receivers apply it to the domain in the envelope sender address (MAIL FROM, also called the Return-Path) and to the HELO name the sending server announces, not to the From: header the recipient sees.

    When an email arrives at its destination, the receiving server looks up the record for that domain and checks whether the source IP address of the connection matches any of the mechanisms listed in the SPF record. If none matches, the record’s ‘all’ term decides the outcome (fail for -all, softfail for ~all), and the message is treated as suspicious because the domain’s administrator did not authorise this source.

    What are the Benefits?

    There are many benefits for your email marketing. Firstly, it makes it much harder to spoof your domain in attacks used to steal data or commit fraud, which could be disastrous for your business’s reputation and success.

    Secondly, it lets receiving servers tell which senders legitimately use your domain name when sending emails on behalf of your company, and flag those that do not.

    Thirdly, it gives receivers verifiable information about where your mail comes from, so spam filters are less likely to block legitimate emails sent from your company’s address.

    This means more customers are likely to receive important messages related to sales or customer service inquiries instead of getting blocked or marked as spam.

    Ultimately, you are protecting yourself and your customers by verifying and authenticating where emails are coming from and ensuring that only authorised servers can send emails on behalf of your business. This increases customer trust, improves security, and leaves a visible trace in the full message headers (the Received-SPF and Authentication-Results lines) showing you have taken precautions to protect data.

    Risks of an incorrect setup

    Recently, a security architect named Chris Plummer took advantage of an SPF weakness that arises when SPF is not implemented or is implemented incorrectly.

    Using it, he bypassed Google’s authentication checks with a spoofed email claiming to be sent from UPS, even managing to get it to display the UPS logo and blue verification check.

    BIMI released a statement explaining that the check works as expected and that the problem is purely the result of a vulnerability that predates both BIMI and DMARC.

    How To Create An SPF Record

    To create an SPF record you specify the SPF version (v=spf1), the IP addresses or networks allowed to send email on behalf of the domain (ip4: and ip6: mechanisms), any third-party services that also send on your behalf (include: mechanisms pointing at their SPF records) and, lastly, the ‘all’ term, whose qualifier defines the policy applied when an unauthorised server sends as your domain: -all for fail or ~all for softfail. Order matters, because the first mechanism that matches the sending IP decides the result.

    An example with a ‘fail’ policy looks like this (note that include: is written with no space before the domain name):
    v=spf1 ip4:xxx.xxx.xxx.xxx include:domain.com -all

    Once prepared, you can run it through a record checker tool that compares it with a set of criteria and confirms whether it has been set up correctly.

    SPF Checker Criteria

    To keep your email system secure, a record checker tool validates the record against the SPF specification so that receivers will actually be able to evaluate it. The checks cover the syntax of every mechanism and modifier, the validity of any SPF macros, and the presence of a fallback (an ‘all’ term or a redirect= modifier) that applies when nothing else matches.

    Another important factor the checker tool tests is the number of DNS lookups the record requires. The include, a, mx, ptr and exists mechanisms and the redirect modifier each cost one lookup, including those inside any record you include, and RFC 7208 caps the total at ten. A record that exceeds the limit yields a permanent error (permerror) at the receiver rather than a pass, so if you are over it you need to re-evaluate and simplify the configuration, for example by replacing include: entries with the ip4: and ip6: ranges they resolve to.
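    The receiver-side check described under How Does SPF Work?, the record format above and the ten-lookup limit, as an added example that is not part of the original article and not any provider’s code: a small SPF evaluator in Go. It resolves mechanisms against a constructed in-memory zone (fakeDNS, built from reserved documentation names and addresses) instead of real DNS, supports the ip4, ip6, a, include and all mechanisms and the redirect modifier (mx, ptr and exists are left out), counts the DNS-querying terms, and returns permerror once the limit is exceeded, which is what happens to a record whose include points back at itself.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

type Result string // SPF check outcome (RFC 7208 section 2.6)
const (
	None, Neutral, Pass, Fail, SoftFail, PermError Result = "none", "neutral", "pass", "fail", "softfail", "permerror"
)

// fakeDNS stands in for real DNS so the example runs offline; the zone below is constructed
// for this example from reserved documentation names and addresses.
type fakeDNS struct {
	txt map[string]string   // domain -> SPF TXT record
	a   map[string][]string // hostname -> addresses
}

var zone = &fakeDNS{
	txt: map[string]string{
		"example.com":         "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
		"_spf.mailer.example": "v=spf1 ip4:198.51.100.10 a:mail.mailer.example ~all",
		"alias.example":       "v=spf1 redirect=example.com",
		"loop.example":        "v=spf1 include:loop.example -all", // includes itself
	},
	a: map[string][]string{"mail.mailer.example": {"198.51.100.20"}},
}

const maxLookups = 10 // RFC 7208 section 4.6.4
type evaluator struct{ dns *fakeDNS; lookups int }

// lookup charges one DNS-querying term (include, a, mx, ptr, exists, redirect) against the limit.
func (e *evaluator) lookup() (exceeded bool) { e.lookups++; return e.lookups > maxLookups }

// qualify maps a matched mechanism's qualifier to the result it yields.
func qualify(q byte) Result { return map[byte]Result{'+': Pass, '-': Fail, '~': SoftFail, '?': Neutral}[q] }

// check evaluates domain's record for ip, recursing through include: and redirect=.
func (e *evaluator) check(domain string, ip net.IP) Result {
	rec, ok := e.dns.txt[domain]
	if !ok { return None }
	terms := strings.Fields(rec)
	if len(terms) == 0 || terms[0] != "v=spf1" { return PermError }
	redirect := ""
	for _, t := range terms[1:] {
		if k, v, isMod := strings.Cut(t, "="); isMod && !strings.Contains(k, ":") {
			if k == "redirect" { redirect = v } // other modifiers such as exp= are ignored
			continue
		}
		q := byte('+')
		if strings.IndexByte("+-~?", t[0]) >= 0 { q, t = t[0], t[1:] }
		name, arg, _ := strings.Cut(t, ":")
		matched := false
		switch name {
		case "all":
			matched = true
		case "ip4", "ip6":
			if !strings.Contains(arg, "/") { arg += map[string]string{"ip4": "/32", "ip6": "/128"}[name] }
			_, n, err := net.ParseCIDR(arg)
			if err != nil { return PermError }
			matched = n.Contains(ip)
		case "a": // mx, ptr and exists are left out of this example; they cost a lookup the same way
			if e.lookup() { return PermError }
			host := arg
			if host == "" { host = domain }
			for _, addr := range e.dns.a[host] { matched = matched || net.ParseIP(addr).Equal(ip) }
		case "include":
			if e.lookup() { return PermError }
			r := e.check(arg, ip)
			if r == None || r == PermError { return PermError } // RFC 7208 section 5.2
			matched = r == Pass
		default:
			return PermError // unknown mechanism
		}
		if matched { return qualify(q) }
	}
	if redirect != "" {
		if e.lookup() { return PermError }
		if r := e.check(redirect, ip); r != None { return r }
		return PermError
	}
	return Neutral
}

// CheckSPF is the receiver-side check (may ip send for the envelope-sender domain?) and also
// returns how many DNS-querying terms the evaluation needed, the figure a record checker reports.
func CheckSPF(dns *fakeDNS, domain, ip string) (Result, int) {
	e := &evaluator{dns: dns}
	return e.check(domain, net.ParseIP(ip)), e.lookups
}

func main() {
	for _, c := range [][2]string{{"example.com", "192.0.2.7"}, {"example.com", "198.51.100.20"},
		{"example.com", "203.0.113.5"}, {"alias.example", "192.0.2.7"}, {"nospf.example", "192.0.2.7"}, {"loop.example", "192.0.2.7"}} {
		r, n := CheckSPF(zone, c[0], c[1])
		fmt.Printf("%-14s from %-14s -> %-9s (%d DNS lookups)\n", c[0], c[1], r, n)
	}
}
```

    Running it prints the outcome for each constructed case. The loop.example record burns through eleven lookups and is rejected with permerror, which is exactly the condition the checker’s lookup count is meant to catch before a record goes live; a domain with no record at all gets none, not fail, so publishing something is always better than publishing nothing.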

    Once you have gone through this process and passed the criteria set forth by the checker tool, you can add the record to your DNS as a TXT resource type.

    With all criteria met you can have confidence in your email reputation, knowing that receivers can distinguish authorised senders from anyone else delivering mail on behalf of your domain.

    Overall, this distinction between authenticated and non-authenticated emails provides an extra layer of trust for online users relying on messages and communication via emails.

    Conclusion

    Implementing a Sender Policy Framework correctly is essential for protecting your business, stakeholders and customers.

    While creating the TXT records and using the checker tools to verify a correct setup are relatively straightforward, troubleshooting isn’t always so easy.

    If you want to avoid all the trouble of setting up an SPF record, having a professional inbox-focused company supporting your email marketing campaigns helps you make the process easier and more efficient.

    This way, you’ll be able to ensure your business is adequately protected against malicious threats and provide a secure online environment for customers to communicate with you effectively – without having to lift a finger!

    At InboxWizards, we offer clients a comprehensive suite of email services to help keep their businesses safe and secure. Contact us today for more information!

  • Protect Your Business from Malicious Attacks By Setting Up DKIM

    Have you ever received an email from a business or service only to be suspicious of its authenticity? Has someone ever sent you an email that seemed too good to be true?

    DomainKeys Identified Mail (DKIM) helps ensure the process of sending emails is protected from bad actors. In this post we will explain what it is, why it’s important and some of the issues that may arise.

    What Is DKIM?

    DKIM adds a digital signature to outgoing email in a DKIM-Signature header. The sending server signs selected headers and a hash of the message body with the domain’s private key, and receivers verify the signature with the matching public key. It is a signature scheme, not encryption: the message stays readable, but any change to the signed parts breaks the signature.

    This practice helps protect your brand’s reputation by letting receivers confirm that a message was signed with your domain’s key and was not altered in transit. You publish the public key as a TXT record in your domain’s DNS under a selector name (selector._domainkey.yourdomain); the private key stays on your sending servers, so only mail that passes through them carries a valid signature.

    Different domain hosts have different methods for setting it up. For example, Google Workspace (formerly Google Apps) users must generate the key and turn signing on in the Admin console, while other hosts, such as Microsoft, Zoho or Namecheap, require different steps.

    Why Should You Use Both SPF and DKIM?

    SPF is a mechanism that allows you to specify which IPs are authorised to send emails from your domain. An SPF check is a simple validation that the email was sent from an IP you allow, but this alone can’t guarantee the authenticity of a message: it says nothing about the visible From: address or the message content, and it breaks when mail is forwarded, because the forwarding server’s IP is not in your record.

    They both offer an important layer of protection individually and they both have their limitations. Implementing the two of them therefore reduces the potential risk of your business being the victim of cybercrime.

    It is important that SPF is set up correctly to avoid the risk of a vulnerability being taken advantage of.

    Recently, Google reportedly made DKIM a mandatory requirement for DMARC after such an event. Our article on SPF will give you some pointers for getting started.

    It is also worth mentioning that DMARC is a prerequisite for BIMI, which gives you even more protection.

    And with every effort you make to protect your business and your customer information, the better your odds are of reaching the inbox and improving engagement.

    How DKIM Could Fail

    DKIM checks can fail for a variety of reasons, such as misalignment between the signing domain (the d= tag) and the From: domain (which makes the DMARC check fail even when the signature itself verifies), an incorrect or missing public key at the selector, a problem looking up the sender’s domain in DNS, and a signing key that is too short (receivers reject RSA keys shorter than 1024 bits).

    It is especially difficult to avoid failure when auto-forwarding appends footers that change the message body, because the body hash (bh=) in the signature no longer matches. To address this, major Email Service Providers (ESPs) now use the Authenticated Received Chain (ARC) protocol, in which each server that handles a message records the authentication results it saw, so the final receiver can assess the chain of handling step by step.
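    The signing and verification flow described under What Is DKIM? and the body-hash failure described just above, as an added example that is not the article’s or any provider’s code: a minimal rsa-sha256 DKIM signer and verifier in Go using relaxed canonicalization. The keys map stands in for the DNS TXT lookup of selector._domainkey.domain (a real record carries the key base64-encoded in a p= tag), the message is constructed for the example, and the verifier reports the distinct reasons a check fails: a forwarder appending a footer (body hash mismatch), an edited signed header, a missing key record, and a key shorter than 1024 bits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Message is a minimal mail: header lines as "Name: value" plus the body.
type Message struct{ Headers []string; Body string }
var wsp = regexp.MustCompile(`[ \t]+`)

// collapseWSP is the per-line "relaxed" rule of RFC 6376 section 3.4: runs of SP/HTAB
// become one SP and trailing WSP is dropped.
func collapseWSP(s string) string { return strings.TrimRight(wsp.ReplaceAllString(s, " "), " ") }

// relaxedBody: CRLF endings, collapsed WSP, trailing empty lines removed (RFC 6376 section 3.4.4).
func relaxedBody(body string) string {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i := range lines { lines[i] = collapseWSP(lines[i]) }
	for len(lines) > 0 && lines[len(lines)-1] == "" { lines = lines[:len(lines)-1] }
	if len(lines) == 0 { return "" }
	return strings.Join(lines, "\r\n") + "\r\n"
}

// relaxedHeader: lower-case field name, no WSP around the colon (RFC 6376 section 3.4.2).
func relaxedHeader(line string) string {
	name, val, _ := strings.Cut(line, ":")
	return strings.ToLower(strings.TrimSpace(name)) + ":" + strings.TrimSpace(collapseWSP(val)) + "\r\n"
}

// findHeader returns the first header line with the given name (case-insensitive), or "".
func findHeader(hs []string, name string) string {
	for _, h := range hs {
		if n, _, _ := strings.Cut(h, ":"); strings.EqualFold(strings.TrimSpace(n), name) { return h }
	}
	return ""
}

// signedData is what gets hashed and signed: the h= headers in order, then the DKIM-Signature
// header itself with an empty b= and no trailing CRLF (RFC 6376 section 3.7).
func signedData(m Message, hList []string, sigHeader string) []byte {
	var b strings.Builder
	for _, n := range hList {
		if h := findHeader(m.Headers, n); h != "" { b.WriteString(relaxedHeader(h)) }
	}
	b.WriteString(strings.TrimSuffix(relaxedHeader(sigHeader), "\r\n"))
	return []byte(b.String())
}

// Sign returns the DKIM-Signature header for m: From, To, Subject and the body hash (bh=) are
// covered by an rsa-sha256 signature made with the domain's private key.
func Sign(m Message, domain, selector string, key *rsa.PrivateKey) (string, error) {
	hList := []string{"from", "to", "subject"}
	bh := sha256.Sum256([]byte(relaxedBody(m.Body)))
	sig := fmt.Sprintf("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(hList, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	hh := sha256.Sum256(signedData(m, hList, sig))
	b, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, hh[:])
	if err != nil { return "", err }
	return sig + base64.StdEncoding.EncodeToString(b), nil
}

// Verify redoes the receiver's work. keys stands in for the DNS TXT lookup of
// <selector>._domainkey.<domain>; a real record carries the key base64-encoded in a p= tag.
func Verify(m Message, keys map[string]*rsa.PublicKey) string {
	sig := findHeader(m.Headers, "DKIM-Signature")
	if sig == "" { return "none: no DKIM-Signature header" }
	tags := map[string]string{}
	for _, f := range strings.Split(strings.SplitN(sig, ":", 2)[1], ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(f), "="); ok { tags[k] = v }
	}
	pub, ok := keys[tags["s"]+"._domainkey."+tags["d"]]
	if !ok { return "fail: no key record for selector " + tags["s"] + " at " + tags["d"] }
	if pub.N.BitLen() < 1024 { return "fail: key shorter than 1024 bits (RFC 8301)" }
	bh := sha256.Sum256([]byte(relaxedBody(m.Body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] { return "fail: body hash mismatch (body altered after signing)" }
	idx := strings.LastIndex(sig, "; b=")
	if idx < 0 { return "fail: malformed b= tag" }
	hh := sha256.Sum256(signedData(m, strings.Split(tags["h"], ":"), sig[:idx+4]))
	b, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, hh[:], b) != nil { return "fail: signature does not verify (signed header changed or wrong key)" }
	return "pass"
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := map[string]*rsa.PublicKey{"s1._domainkey.example.com": &key.PublicKey}
	msg := Message{Headers: []string{"From: Alice <alice@example.com>", "To: bob@example.net", "Subject: Invoice 42"},
		Body: "Hello Bob,\r\n\r\nPlease find the invoice attached.\r\n"}
	sig, _ := Sign(msg, "example.com", "s1", key)
	signed := Message{Headers: append([]string{sig}, msg.Headers...), Body: msg.Body}
	fmt.Println("intact:         ", Verify(signed, keys))
	fmt.Println("footer appended:", Verify(Message{signed.Headers, signed.Body + "\r\n-- \r\nForwarded by list.example.net\r\n"}, keys))
	fmt.Println("subject edited: ", Verify(Message{[]string{sig, msg.Headers[0], msg.Headers[1], "Subject: Invoice 43"}, msg.Body}, keys))
}
```

    Run, it prints pass for the intact message and a body-hash failure for the forwarded copy, which is the case ARC exists to rescue. Doubled spaces, trailing whitespace and extra blank lines at the end of the body are the only changes relaxed canonicalization tolerates; anything a mailing list or forwarder adds to the content invalidates bh=, and editing a header listed in h= invalidates the signature itself.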

    Conclusion

    Business owners and entrepreneurs need to understand the importance of DKIM to protect themselves from malicious spoofing attempts. At the same time, while many understand its value, few take the time to set it up properly.

    That is where we can help!

    At InboxWizards, we offer solutions for all aspects of email authentication settings within your email accounts, and with our Domain Check-up feature you can always be sure that things are running smoothly.

    We will make sure that all emails sent are authenticated and secure, increasing email deliverability and protecting your business from malicious attacks.

    With more than a decade of experience in the field we understand how important it is for you to protect your domain. Let us show you the power of authentication today.