If you are on this page reading this blog, chances are that you have come across either one of the following prompts:

  • No SPF record found
  • SPF record is missing
  • No SPF record
  • SPF record not found
  • No SPF record published
  • Unable to find SPF record

The prompt simply signifies that your domain is not configured with the SPF email authentication standard. An SPF record is a DNS TXT record published in your domain’s DNS that lists the IP addresses authorized to send emails on behalf of your domain; receivers authenticate messages by checking the sending IP address against that list. So naturally, if your domain is not authenticated with the SPF protocol, you might come across a “No SPF record found” message.

What is Sender Policy Framework (SPF)?

The SPF email authentication standard is a mechanism used to prevent spammers from forging emails. It uses DNS records to verify that the sending server is allowed to send emails from the domain name. SPF, which stands for Sender Policy Framework, allows you to identify permitted senders of emails on your domain.

SPF is a “path-based” authentication system, implying that it is related to the path that the email takes from the original sending server to the receiving server. SPF not only allows organizations to authorize IP addresses to use its domain names when sending out emails, but also provides a way that a receiving email server can check that authorization.

Do I Need to Configure SPF?

You’ve probably been told that you need SPF (Sender Policy Framework) email authentication. But does a business really need it? And if so, are there any other benefits? That question is usually understood when the enterprise becomes a large e-mail exchanger for their organization. With SPF, you can track email behavior to detect fraudulent messages and protect your business from spam-related issues, spoofing and phishing attacks. SPF, along with DKIM and DMARC, helps you achieve maximum deliverability and brand protection by verifying the identity of the senders.

How Does SPF Function?

  • SPF records are specially formatted Domain Name System (DNS) records published by domain administrators that define which mail servers are authorized to send mail on behalf of that domain.
  • With SPF configured for your domain, whenever an email is sent from your domain the recipient’s mail server looks up the specifications for the return-path domain in the DNS. It subsequently tries to match the IP address of the sender to the authorized addresses defined in your SPF record.
  • According to the SPF policy specifications the receiving server then decides whether to deliver, reject or flag the email in case it fails authentication.

Breaking Down the Syntax of an SPF Record

Let’s take the example of an SPF record for a dummy domain with the correct syntax (the IP address is a placeholder from the documentation range):

v=spf1 ip4:192.0.2.148 include:domain.com -all

 

Stopping the “No SPF Record Found” Message

If you want to stop getting the annoying “No SPF record found” prompt all you need to do is configure SPF for your domain by publishing a DNS TXT record. You can use PowerDMARC’S free SPF record generator to create an instant record with the correct syntax, to publish in your DNS.

All you need to do is:

  • Choose if you want to allow servers listed as MX to send emails for your domain
  • Choose if you want to allow current IP address of the domain to send email for this domain
  • Fill in the IP addresses authorized to send emails from your domain
  • Add any other server hostnames or domains that may deliver or relay mail for your domain
  • Choose your SPF policy mode or the level of strictness of the receiving server from Fail (non-compliant emails will be rejected), Soft-fail (Non-compliant emails will be accepted but marked), and Neutral (Mails will probably be accepted)
  • Click on Generate SPF Record to instantly create your record

In case you already have SPF configured for your domain, you can also use our free SPF record checker to lookup and validate your SPF record and detect issues.

Is Publishing an SPF Record Enough?

The answer is no. SPF alone cannot prevent your brand from being impersonated. For optimal protection against direct-domain spoofing, phishing attacks, and BEC, you need to configure DKIM and DMARC for your domain.

Furthermore, SPF has a limit of 10 DNS lookups. If you exceed this limit your SPF will break and authentication will fail for even legitimate emails. This is why you need a dynamic SPF flattener that will help you stay under the 10 DNS lookup limit, as well as keep you updated on changes made by your email exchange providers.

Hopefully this blog helped you resolve your problem and you never have to worry about the “No SPF record found” message bothering you again. Sign up for a free email authentication trial to improve your email deliverability and email security today!

 

Business Email Compromise (BEC) is an ever-evolving and rampant form of cybercrime that uses email as the medium to conduct fraud. Targeting commercial, government as well as non-profit organizations, BEC can lead to huge amounts of data loss, security breaches and compromised financial assets. It is a common misconception that cybercriminals usually focus on MNCs and enterprise-level organizations. SMEs these days are just as much a target of email fraud as the larger industry players.

How Can BEC Affect Organizations?

Examples of BEC include sophisticated social engineering attacks like phishing, CEO fraud, fake invoices, and email spoofing, to name a few. It can also be termed an impersonation attack, wherein an attacker aims to defraud a company by posing as people in positions of authority. Impersonating people like the CFO or CEO, a business partner or anyone you would blindly place your trust in is what drives the success of these attacks.

February of 2021 captured the activities of Russian cyber gang Cosmic Lynx, as they took a sophisticated approach towards BEC. The group had already been linked to conducting over 200 BEC campaigns since July 2019, targeting over 46 countries worldwide, focusing on giant MNCs that have a global presence. With extremely well-written phishing emails, they are making it impossible for people to differentiate between real and fake messages.

Remote-working has made video conferencing applications indispensable entities, post-pandemic. Cybercriminals are taking advantage of this situation by sending fraudulent emails that impersonate a notification from the video conferencing platform, Zoom. This is aimed at stealing login credentials to conduct massive company data breaches.

It is clear that the relevance of BEC has been increasing rapidly in recent times, with threat actors coming up with more sophisticated and innovative ways to get away with fraud. BEC affects more than 70% of organizations worldwide and leads to the loss of billions of dollars every year. This is why industry experts are coming up with email authentication protocols like DMARC, to offer a high level of protection against impersonation.

What is Email Authentication?

Email authentication can be referred to as a bevy of techniques deployed to provide verifiable information about the origin of emails. This is done by authenticating the domain ownership of the mail transfer agent(s) involved in the message transfer.

Simple Mail Transfer Protocol (SMTP), which is the industry standard for email transfer, has no built-in feature for message authentication. This is why it is exceedingly easy for cybercriminals to exploit the lack of security and launch email phishing and domain spoofing attacks. This highlights the need for effective email authentication protocols like DMARC that actually deliver on their claims!

Steps to Prevent BEC with DMARC

 

Step 1: Implementation 

The first step to fighting BEC is actually configuring DMARC for your domain. Domain-based Message Authentication, Reporting and Conformance (DMARC) makes use of SPF and DKIM authentication standards to validate emails sent from your domain. It specifies to receiving servers how to respond to emails that fail either/both of these authentication checks, giving the domain owner control over the receiver’s response. Hence, to implement DMARC you would need to:

  • Identify all valid email sources authorized for your domain
  • Publish SPF record in your DNS to configure SPF for your domain
  • Publish DKIM record in your DNS to configure DKIM for your domain
  • Publish DMARC record in your DNS to configure DMARC for your domain

In order to avoid complexities you can use PowerDMARC’s free tools (free SPF record generator, free DKIM record generator, free DMARC record generator) to generate records with the correct syntax, instantly, to publish in your domain’s DNS.

Step 2: Enforcement 

Your DMARC policy can be set to:

  • p=none (DMARC at monitoring only; messages failing authentication would still be delivered)
  • p=quarantine (DMARC at enforcement; messages failing authentication would be quarantined)
  • p=reject (DMARC at maximum enforcement; messages failing authentication would not be delivered at all)

We would recommend you to start using DMARC with a policy enabling monitoring only, so that you can keep a tab on the email flow and delivery issues. However, such a policy wouldn’t provide any protection against BEC. This is why you would eventually need to shift to DMARC enforcement. PowerDMARC helps you seamlessly shift from monitoring to enforcement in no time with a policy of p=reject which will help specify to receiving servers that an email sent from a malicious source using your domain would not be delivered to your recipient’s inbox at all.

Step 3: Monitoring and Reporting 

You have set your DMARC policy at enforcement and have successfully minimized BEC, but is that enough? The answer is no. You still need an extensive and effective reporting mechanism to monitor email flow and respond to any delivery issues. PowerDMARC’s multi-tenant SaaS platform helps you:

  • stay in control of your domain
  • visually monitor authentication results for every email, user and domain registered for you
  • take down abusive IP addresses that try impersonating your brand

DMARC reports are available on the PowerDMARC dashboard in two major formats:

  • DMARC aggregate reports (available in 7 different views)
  • DMARC forensic reports (with encryption for enhanced privacy)

A culmination of DMARC implementation, enforcement and reporting helps you drastically reduce the chances of falling prey to BEC scams and impersonation. 

With Anti-Spam Filters Do I Still Need DMARC?

Yes! DMARC works very differently from your ordinary anti-spam filters and email security gateways. While these solutions usually come integrated with your cloud-based email exchanger services, they can only offer protection against inbound phishing attempts. Messages sent from your domain still remain under the threat of impersonation. This is where DMARC steps in.

Additional Tips for Enhanced Email Security

 

Always Stay under the 10 DNS Lookup Limit 

Exceeding the SPF 10 lookup limit can completely invalidate your SPF record and cause even legitimate emails to fail authentication. In such cases if you have your DMARC set to reject, authentic emails will fail to get delivered. PowerSPF is your automatic and dynamic SPF record flattener that mitigates SPF permerror by helping you stay under the SPF hard limit. It auto updates netblocks and scans for changes made by your email service providers to their IP addresses constantly, without any intervention from your side.

Ensure TLS Encryption of Emails in Transit

While DMARC can protect you from social engineering attacks and BEC, you still need to gear up against pervasive monitoring attacks like Man-in-the-middle (MITM). This can be done by ensuring that a connection secured over TLS is negotiated between SMTP servers every time an email is sent to your domain. PowerDMARC’s hosted MTA-STS makes TLS encryption mandatory in SMTP and comes with an easy implementation procedure.

Get Reports on Issues in Email Delivery

You can also enable SMTP TLS reporting to get diagnostic reports on email delivery issues after configuring MTA-STS for your domain. TLS-RPT helps you gain visibility into your email ecosystem, and better respond to issues in negotiating a secured connection leading to delivery failures. TLS reports are available in two views (aggregate reports per result and per sending source) on the PowerDMARC dashboard.

Amplify Your Brand Recall with BIMI 

With BIMI (Brand Indicators for Message Identification) you can take your brand recall to a whole new level by helping your recipients visually identify you in their inboxes. BIMI works by attaching your unique brand logo to every email you send out from your domain. PowerDMARC makes BIMI implementation easy with just 3 simple steps on the user’s part.

PowerDMARC is your one-stop destination for an array of email authentication protocols including DMARC, SPF, DKIM, BIMI, MTA-STS, and TLS-RPT. Sign up today to get your free DMARC Analyzer trial!

A very common problem that SPF users face on a daily basis is the risk of generating too many DNS lookups that can make them easily exceed the SPF hard limit. This returns an SPF PermError result when DMARC monitoring is enabled and causes email deliverability issues. With industry experts coming up with solutions like SPF flattening services to mitigate this issue, PowerSPF actually delivers its claims and exceeds expectations. Read on to learn how!

Too Many DNS Lookups: Why Does This Happen?

The first thing you should understand is why you end up generating too many DNS lookups in the first place. This is because, no matter what email exchanger solution you use, your service provider adds more mechanisms to your record resulting in more lookups.

For example, if you use Google’s email exchanger, or Gmail, an SPF record like v=spf1 include:[email protected] -all actually generates a total of 4 DNS lookups. Nested includes also initiate more lookups, and if you use several third-party vendors to send emails using your domain, you can easily exceed the 10 DNS lookup limit.

Is SPF Flattening the Solution? No!

The answer is no. Manual SPF flattening can help you stay under the SPF 10 lookup limit, but it has its own set of limitations and challenges. Flattening your SPF record manually simply means replacing the include statements in your SPF record with their corresponding IP addresses to eliminate the need for lookups. This ensures that you don’t end up generating too many DNS lookups in the first place, thereby helping you stay under the 10 lookup SPF limit and avoid permerror. But the problems with manual SPF flattening solutions are:

  • The SPF record length can be too long (more than 255 characters)
  • Your email service provider can change or add to their IP addresses without notifying you
  • There is no dashboard to monitor email flow, change or update your domains and mechanisms, and track activities
  • You need to constantly make changes to your DNS to update your SPF record
  • Your email deliverability might be impacted due to the frequent IP changes

How do these affect you? Well, if your SPF record isn’t updated on the new IP addresses your email service providers are using, every now and then when these IP addresses are used your emails will inevitably fail SPF on the receiver’s side. 

Dynamic SPF Flattening to Resolve Too Many DNS Lookups

A smarter solution to bid adieu to DNS lookups error is PowerSPF, your automatic SPF record flattener. PowerSPF is your real-time SPF flattening solution that helps you:

  • Easily configure SPF for your domain with just a few clicks
  • One-click instant SPF record flattening with a single include statement to enjoy automatic SPF include management
  • Always stay under the 10 DNS lookup limit
  • Auto update netblock and scan for changed IP addresses constantly to keep your SPF record up-to-date
  • Maintain a user-friendly dashboard wherein you can easily update changes to your policies, add domains and mechanisms, and monitor email flow.

Why rely on SPF compression tools that can provide temporary results with underlying limitations? Optimize your SPF record and mitigate the SPF hard limit with Automatic SPF today! Sign up for PowerSPF now!

What is ARC?

ARC, or Authenticated Received Chain, is an email authentication system that displays an email’s authentication assessment at each step of the way, throughout handling. In simpler terms, the Authenticated Received Chain can be termed a “chain of custody” for email messages that enables each entity that handles the messages to effectively see all the entities that previously handled them. As a relatively new protocol published and documented as “Experimental” in RFC 8617 in July 2019, ARC enables the receiving server to validate emails even when SPF and DKIM are rendered invalid by an intermediate server.

How Can Authenticated Received Chain Help?

As we already know, DMARC allows an email to be authenticated against the SPF and DKIM email authentication standards, specifying to the receiver how to handle the emails that fail or pass authentication. However, if you implement DMARC enforcement at your organization to a strict DMARC policy, there are chances that even legitimate emails such as those sent through a mailing list or a forwarder, may fail authentication and not get delivered to the receiver! Authenticated Received Chain helps mitigate this problem effectively. Let’s learn how in the following section:

Situations in Which ARC Can Help

  • Mailing Lists 

As a member of a mailing list, you have the power to send messages to all members in the list at one go by addressing the mailing list itself. The receiving address then subsequently forwards your message to all list members. In the current situation, DMARC fails to validate these types of messages and the authentication fails even though the email has been sent from a legitimate source! This is because SPF breaks when a message is forwarded. As the mailing list often goes on to incorporate extra information in the email body, the DKIM signature can also be invalidated due to changes in the email content.

  • Forwarding Messages 

When there is an indirect mail flow, such as you are receiving an email from an intermediate server and not directly from the sending server as in the case of forwarded messages, SPF breaks and your email will automatically fail DMARC authentication. Some forwarders also alter the email content which is why the DKIM signatures also get invalidated.

 

 

In such situations, Authenticated Received Chain comes to the rescue! How? Let’s find out:

How Does ARC Function?

In the situations listed above, the forwarders had initially received emails that had been validated against DMARC setup, from an authorized source. Authenticated Received Chain is developed as a specification that allows the Authentication-Results header to be passed on to the next ‘hop’ in the line of the message delivery.

In case of a forwarded message, when the receiver’s email server receives a message that had failed DMARC authentication, it tries to validate the email for a second time, against the provided Authenticated Received Chain for the email by extracting the ARC Authentication-Results of the initial hop, to check whether it was validated to be legitimate before the intermediary server forwarded it to the receiving server.

On the basis of the information extracted, the receiver decides whether to allow the ARC results to override the DMARC policy, thereby passing the email as authentic and valid and allowing it to be delivered normally into the receiver’s inbox.

With ARC implementation, the receiver can effectively authenticate the email with the help of the following information:

  • The authentication results as witnessed by the intermediate server, along with the entire history of SPF and DKIM validation results in the initial hop.
  • Necessary information to authenticate the sent data.
  • Information to link the sent signature to the intermediary server so that the email gets validated in the receiving server even if the intermediary alters the content, as long as they forward a new and valid DKIM signature.

Implementation of Authenticated Received Chain

ARC defines three new mail headers:

  • ARC-Authentication-Results (AAR) – The first of the mail headers, the AAR encapsulates the authentication results such as SPF, DKIM, and DMARC.

  • ARC-Seal (AS) – AS is a simpler version of a DKIM signature that contains information on the authentication header results and the ARC signature.

  • ARC-Message-Signature (AMS) – AMS is also similar to a DKIM signature. It takes a snapshot of the message headers, covering everything apart from the ARC-Seal headers, such as the To: and From: fields, the subject, and the entire body of the message.

Steps performed by the intermediate server to sign a modification:

Step 1: the server copies the Authentication-Results field into a new AAR field and prefixes it to the message

Step 2: the server formulates the AMS for the message (with the AAR) and prepends it to the message.

Step 3: the server formulates the AS for the previous ARC-Seal headers and adds it to the message.

Finally, to validate the Authenticated Received Chain and find out whether a forwarded message is legitimate or not, the receiver validates the chain of ARC-Seal headers and the newest ARC-Message-Signature. If the ARC headers have been altered in any way, the email consequently fails DKIM authentication. However, if all mail servers involved in the transmission of the message correctly sign and transmit ARC, then the email preserves the DKIM authentication results and passes DMARC authentication, resulting in the successful delivery of the message to the receiver’s inbox!
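The structural half of that validation, as an added example (not code from this post or from PowerDMARC): it groups the three ARC headers by their i= instance number, applies the RFC 8617 rules on numbering and the ARC-Seal cv= tag (which the post does not spell out), and extracts the first hop's authentication results. The message and its signature values are constructed placeholders, the function names are illustrative, and no signature is verified cryptographically here.

```python
import re
from email import message_from_string

ARC_HEADERS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")
MAX_INSTANCES = 50  # upper bound on ARC sets in RFC 8617

# Constructed message: forwarder.example sealed first (i=1), list.example second.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=list.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=list.example; s=arc;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; mx.list.example; spf=fail; dkim=fail; dmarc=fail
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=forwarder.example; s=arc;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; mx.forwarder.example; spf=pass; dkim=pass; dmarc=pass
From: alice@sender.example
To: members@list.example
Subject: Quarterly report

Body text.
"""


def tag(value, name):
    """Return the value of a 'name=value' tag in a semicolon-separated header."""
    match = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*=\s*([^;\s]+)", value)
    return match.group(1) if match else None


def arc_chain_structure(raw_message):
    """Return (status, first_hop_results); status is none, fail or well-formed."""
    msg = message_from_string(raw_message)
    sets = {}
    for header in ARC_HEADERS:
        for value in msg.get_all(header, []):
            instance = tag(value, "i")
            if instance is None or not instance.isdigit():
                return "fail", {}
            slot = sets.setdefault(int(instance), {})
            if header in slot:               # two headers of one kind in a set
                return "fail", {}
            slot[header] = value
    if not sets:
        return "none", {}                    # message carries no ARC chain
    newest = max(sets)
    if newest > MAX_INSTANCES or sorted(sets) != list(range(1, newest + 1)):
        return "fail", {}                    # gap in the numbering, or too long
    for instance in range(1, newest + 1):
        if set(sets[instance]) != set(ARC_HEADERS):
            return "fail", {}                # every hop must add all three headers
        expected_cv = "none" if instance == 1 else "pass"
        if tag(sets[instance]["ARC-Seal"], "cv") != expected_cv:
            return "fail", {}
    first_aar = sets[1]["ARC-Authentication-Results"]
    return "well-formed", dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", first_aar))


if __name__ == "__main__":
    print(arc_chain_structure(SAMPLE))
```

A chain that comes back well-formed still has to pass verification of each ARC-Seal and of the newest ARC-Message-Signature before the receiver relies on the first hop's results.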

ARC implementation backs-up and supports DMARC adoption in organizations to make sure that every legitimate email gets authenticated without a single lapse. Sign up for your free DMARC trial today!

 

Reasons why to avoid SPF Flattening

Sender Policy Framework, or SPF is a widely acclaimed email authentication protocol that validates your messages by authenticating them against all the authorized IP addresses registered for your domain in your SPF record. In order to validate emails, SPF specifies to the receiving mail server to perform DNS queries to check for authorized IPs, resulting in DNS lookups.

Your SPF record exists as a DNS TXT record that is formed of an assemblage of various mechanisms. Most of these mechanisms (such as include, a, mx, redirect, exists, ptr) generate DNS lookups. However, the maximum number of DNS lookups for SPF authentication is limited to 10. If you are using various third-party vendors to send emails using your domain, you can easily exceed the SPF hard limit.

You might be wondering, what happens if you exceed this limit? Exceeding the 10 DNS lookup limit will lead to SPF failure and invalidate even legitimate messages sent from your domain. In such cases the receiving mail server returns an SPF PermError report to your domain if you have DMARC monitoring enabled. This brings us to the primary topic of discussion for this blog: SPF flattening.

What is SPF Flattening?

SPF record flattening is one of the popular methods used by industry experts to optimize your SPF record and avoid exceeding the SPF hard limit. The procedure for SPF flattening is quite simple. Flattening your SPF record is the process of replacing all include mechanisms with their respective IP addresses to eliminate the need for performing DNS lookups.

For example, if your SPF record initially looked something like this:

v=spf1 include:spf.domain.com -all

A flattened SPF record will look something like this:

v=spf1 ip4:168.191.1.1 ip6:3a02:8c7:aaca:645::1 -all

This flattened record generates only one DNS lookup, instead of performing multiple lookups. Reducing the number of DNS queries performed by the receiving server during email authentication does help in staying under the 10 DNS lookup limit, however, it has problems of its own.
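The lookup accounting behind the 10-lookup limit, covering both this section and the earlier “Too Many DNS Lookups” discussion, as an added example (not code from this post or from PowerSPF): it walks nested includes and counts every term that makes the receiver query DNS. The zone data, domain names and function names are constructed for illustration; a real check would resolve the TXT records over DNS.

```python
import re

LOOKUP_LIMIT = 10
# Terms that cost the receiver a DNS query while evaluating SPF.
QUERYING_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone data: SPF TXT record per name (documentation address ranges).
ZONE = {
    # One provider include that fans out into three netblock includes.
    "example.com": "v=spf1 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 include:_nb1.mailhost.example "
                             "include:_nb2.mailhost.example "
                             "include:_nb3.mailhost.example ~all",
    "_nb1.mailhost.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.mailhost.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_nb3.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    # A domain that sends through several third-party vendors.
    "shop.example": "v=spf1 mx a include:_spf.mailhost.example "
                    "include:_spf.crm.example include:_spf.news.example -all",
    "_spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example": "v=spf1 ip4:203.0.113.0/26 ~all",
    "b.crm.example": "v=spf1 ip4:203.0.113.64/26 ~all",
    "_spf.news.example": "v=spf1 a mx include:relay.news.example ~all",
    "relay.news.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    # The first record after flattening: addresses only.
    "flat.example": "v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 "
                    "ip4:198.51.100.0/24 -all",
}


def count_lookups(domain, zone, _path=()):
    """Count the DNS-querying terms reachable from domain's SPF record."""
    if domain in _path:
        raise ValueError("include loop at " + domain)
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise LookupError("no SPF record at " + domain)
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                  # drop the qualifier
        name, target = (re.split(r"[:=/]", term, maxsplit=1) + [""])[:2]
        name = name.lower()
        if name not in QUERYING_TERMS:
            continue                                # ip4, ip6 and all cost nothing
        total += 1
        if name in ("include", "redirect"):         # these pull in another record
            total += count_lookups(target, zone, _path + (domain,))
    return total


def lookup_status(domain, zone):
    """Return ('ok' or 'permerror', number of lookups counted)."""
    count = count_lookups(domain, zone)
    return ("permerror" if count > LOOKUP_LIMIT else "ok"), count


if __name__ == "__main__":
    for name in ("example.com", "shop.example", "flat.example"):
        print(name, lookup_status(name, ZONE))
```

The flattened record scores 0 here because the count covers only queries triggered by terms inside the record; fetching the record itself is not counted against the limit.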

The Problem with SPF Flattening

Apart from the fact that your manually flattened SPF record may get too lengthy to publish on your domain’s DNS (exceeding the 255 character limit), you have to take into account that your email service provider may change or add to their IP addresses without notifying you as the user. Every now and then when your provider makes changes to their infrastructure, these alterations would not be reflected in your SPF record. Hence, whenever these changed or new IP addresses are used by your mail server, the email fails SPF on the receiver’s side.

PowerSPF: Your Dynamic SPF Record Generator

The ultimate goal of PowerDMARC was to come up with a solution that can prevent domain owners from hitting the 10 DNS lookup limit, as well as optimize your SPF record to always stay updated on the latest IP addresses your email service providers are using. PowerSPF is your automated SPF flattening solution that pulls through your SPF record to generate a single include statement. PowerSPF helps you:

  • Add or remove IPs and mechanisms with ease
  • Auto update netblocks to make sure your authorized IPs are always up-to-date
  • Stay under the 10 DNS lookup limit with ease
  • Get an optimized SPF record with a single click
  • Permanently defeat ‘permerror’
  • Implement error free SPF

Sign up with PowerDMARC today to ensure enhanced email deliverability and authentication, all while staying under the 10 DNS SPF lookup limit.

As a domain owner you always need to look out for threat actors launching domain spoofing attacks and phishing attacks to use your domain or brand name for carrying out malicious activities. No matter what email exchange solution you use, protecting your domain from spoofing and impersonation is imperative to ensure brand credibility and maintain trust among your esteemed customer-base. This blog will take you through the process of setting up your DMARC record for Office 365 users.

In recent times, a majority of businesses have made a shift towards using effective and robust cloud-based platforms and hosted email exchange solutions such as Office 365. Subsequently, cybercriminals have also upgraded their malicious techniques to conduct email fraud by outmanoeuvring the security solutions that are integrated into the platform. This is why Microsoft has extended support towards email authentication protocols like DMARC across all of its email platforms. But you should know how to correctly implement DMARC for Office 365, in order to fully utilize its benefits.

Why DMARC?

The first question that might arise is that, with anti-spam solutions and email security gateways already integrated into the Office 365 suite to block fake emails, why would you require DMARC for authentication? This is because while these solutions specifically protect against inbound phishing emails sent to your domain, DMARC authentication protocol gives domain owners the power to specify to receiving email servers how to respond to emails sent from your domain that fail authentication checks.

DMARC makes use of two standard authentication practices, namely SPF and DKIM to validate emails for authenticity. With a policy set to enforcement, DMARC can offer a high level of protection against impersonation attacks and direct-domain spoofing.

Do you really need DMARC while using Office 365?

There’s a common misconception among businesses, that having an Office 365 solution ensures safety from spam and phishing attacks. However, in May 2020, a series of phishing attacks on several Middle Eastern insurance firms using Office 365 caused significant data loss and an unprecedented amount of security breach. This is why simply relying on Microsoft’s integrated security solutions and not implementing external efforts for protecting your domain can be a huge mistake!

While Office 365’s integrated security solutions can offer protection against inbound security threats and phishing attempts, you still need to ensure that outbound messages sent from your own domain are authenticated effectively before landing into the inboxes of your customers and partners. This is where DMARC steps in.

Securing Office 365 against Spoofing and Impersonation with DMARC

Security solutions that come with the Office 365 suite act as spam filters that cannot secure your domain from impersonation, highlighting the need for DMARC. DMARC exists as a DNS TXT record in your domain’s DNS. For configuring DMARC for your domain, you need to:

Step 1: Identify valid email sources for your domain
Step 2: Set up SPF for your domain
Step 3: Set up DKIM for your domain
Step 4: Publish a DMARC TXT record in your domain’s DNS

You can use PowerDMARC’s free DMARC record generator to generate a record instantly with the correct syntax to publish in your DNS and configure DMARC for your domain. However, note that only an enforcement policy of reject can effectively help you mitigate impersonation attacks and domain abuse.

But is publishing a DMARC record enough? The answer is no. This takes us to our last and final segment which is DMARC reporting and monitoring.

5 Reasons Why You need PowerDMARC while Using Microsoft Office365

Microsoft Office 365 provides users with a host of cloud-based services and solutions along with integrated anti-spam filters. However, despite the various advantages, these are the drawbacks you might face while using it from a security perspective:

  • No solution for validating outbound messages sent from your domain
  • No reporting mechanism for emails failing authentication checks
  • No visibility into your email ecosystem
  • No dashboard to manage and monitor your inbound and outbound email flow
  • No mechanism to ensure your SPF record is always under 10 lookup limit

DMARC Reporting and Monitoring with PowerDMARC

PowerDMARC seamlessly integrates with Office 365 to empower domain owners with advanced authentication solutions that protect against sophisticated social engineering attacks like BEC and direct-domain spoofing. When you sign up with PowerDMARC you are signing up for a multi-tenant SaaS platform that not only assembles all email authentication best practices (SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI), but also provides an extensive and in-depth DMARC reporting mechanism that offers complete visibility into your email ecosystem. DMARC reports on the PowerDMARC dashboard are generated in two formats:

  • Aggregate Reports
  • Forensic reports

We have strived to make the authentication experience better for you by solving various industry problems. We ensure encryption of your DMARC forensic reports as well as display aggregate reports in 7 different views for enhanced user-experience and clarity. PowerDMARC helps you monitor email flow and authentication failures, and blacklist malicious IP addresses from all over the world. Our DMARC analyzer tool aids you in configuring DMARC correctly for your domain, and shifting from monitoring to enforcement in no time!