Posts

If you are on this page reading this blog, chances are that you have come across either one of the following prompts:

  • No SPF record found
  • SPF record is missing
  • No SPF record
  • SPF record not found
  • No SPF record published
  • Unable to find SPF record

The prompt simply signifies that your domain is not configured with SPF email authentication standard. An SPF record is a DNS TXT record that is published in your domain’s DNS to authenticate messages by checking them against the authorized IP addresses that are allowed to send emails on behalf of your domain, included in your SPF record. So naturally if your domain is not authenticated with SPF protocol you might come across a “No SPF record found” message.

What is Sender Policy Framework (SPF)?

SPF email authentication standard is a mechanism used to prevent spammers from forging emails. It uses DNS records to verify that the sending server is allowed to send emails from the domain name.  SPF, which stands for Sender Policy Framework, allows you to identify permitted senders of emails on your domain.

SPF is a “path-based” authentication system, implying that it is related to the path that the email takes from the original sending server to the receiving server. SPF not only allows organizations to authorize IP addresses to use its domain names when sending out emails, but also provides a way that a receiving email server can check that authorization.

Do I Need to Configure SPF?

You’ve probably been told that you need SPF (Sender Policy Framework) email authentication. But does a business really need it? And if so, are there any other benefits? That question is usually understood when the enterprise becomes a large e-mail exchanger for their organization. With SPF, you can track email behavior to detect fraudulent messages and protect your business from spam-related issues, spoofing and phishing attacks. SPF, along with DKIM and DMARC, helps you achieve maximum deliverability and brand protection by verifying the identity of the senders.

How Does SPF Function?

  • SPF records are specially formatted Domain Name System (DNS) records published by domain administrators that define which mail servers are authorized to send mail on behalf of that domain.
  • With SPF configured for your domain, whenever an email is sent from your domain the recipient’s mail server looks up the specifications for the return-path domain in the
  • DNS. It subsequently tried to match the IP address of the sender to the authorized addresses defined in your SPF record.
  • According to the SPF policy specifications the receiving server then decides whether to deliver, reject or flag the email in case it fails authentication.

Breaking Down the Syntax of an SPF Record

Let’ take the example of an SPF record for a dummy domain with the correct syntax:

v=spf1  ip4:29.337.148 include:domain.com -all

 

Stopping the “No SPF Record Found” Message

If you want to stop getting the annoying “No SPF record found” prompt all you need to do is configure SPF for your domain by publishing a DNS TXT record. You can use PowerDMARC’S free SPF record generator to create an instant record with the correct syntax, to publish in your DNS.

All you need to do is:

  • Choose if you want to allow servers listed as MX to send emails for your domain
  • Choose if you want to allow current IP address of the domain to send email for this domain
  • Fill in the IP addresses authorized to send emails from your domain
  • Add any other server hostnames or domains that may deliver or relay mail for your domain
  • Choose your SPF policy mode or the level of strictness of the receiving server from Fail (non-compliant emails will be rejected), Soft-fail (Non-compliant emails will be accepted but marked), and Neutral (Mails will probably be accepted)
  • Click on Generate SPF Record to instantly create your record

In case you already have SPF configured for your domain, you can also use our free SPF record checker to lookup and validate your SPF record and detect issues.

Is Publishing an SPF Record Enough?

The answer is no. SPF alone cannot prevent your brand from being impersonated. For optimal protection against direct-domain spoofing, phishing attacks, and BEC, you need to configure DKIM and DMARC for your domain.

Furthermore, SPF has a limit of 10 DNS lookups. If you exceed this limit your SPF will break and authentication will fail for even legitimate emails.This is why you need a dynamic SPF flattener that will help your stay under the 10 DNS lookup limit, as well as keep you updated on changes made by your email exchange providers.

Hopefully this blog helped you resolve your problem and you never have to worry about the “No SPF record found” message bothering you again. Sign up for a free email authentication trial to improve your email deliverability and email security today!

 

A very common problem that SPF users face on a daily basis is the risk of generating too many DNS lookups that can make them easily exceed the SPF hard limit. This returns an SPF PermError result when DMARC monitoring is enabled and causes email deliverability issues. With industry experts coming up with solutions like SPF flattening services to mitigate this issue, PowerSPF actually delivers its claims and exceeds expectations. Read on to learn how!

Too Many DNS Lookups: Why Does This Happen?

The first thing you should understand is why you end up generating too many DNS lookups in the first place. This is because, no matter what email exchanger solution you use, your service provider adds more mechanisms to your record resulting in more lookups.

For example if you use Google’s email exchanger, or Gmail, an SPF record like v=spf1 include:[email protected] -all  actually generates a total of 4 DNS lookups. Nested includes also initiate more lookups and if you use several third-party vendors to send emails using your domain, you can easily exceed the 10 DNS lookup limit.

Is SPF Flattening the Solution? No!

The answer is no. SPF manual flattening can help you stay under the SPF 10 lookup limit, but it has its own set of limitations and challenges. If you flatten your SPF manually, it is simply replacing the include statements in your SPF record with their corresponding IP addresses to eliminate the need for lookups. This ensures that you don’t end up generating too many DNS lookups in the first place, thereby helping you stay under the 10 lookup SPF limit and avoid permerror . But problems with manual SPF flattening solutions are:

  • The SPF record length can be too long (more than 255 characters)
  • Your email service provider can change or add to their IP addresses without notifying you
  • There is no dashboard to monitor email flow, change or update your domains and mechanisms, and track activities
  • You need to constantly make changes to your DNS to update your SPF record
  • Your email deliverability might be impacted due to the frequent IP changes

How do these affect you? Well, if your SPF record isn’t updated on the new IP addresses your email service providers are using, every now and then when these IP addresses are used your emails will inevitably fail SPF on the receiver’s side. 

Dynamic SPF Flattening to Resolve Too Many DNS Lookups

A smarter solution to bid adieu to DNS lookups error is PowerSPF, your automatic SPF record flattener. PowerSPF is your real-time SPF flattening solution that helps you:

  • Easily configure SPF for your domain with just a few clicks
  • One-click instant SPF record flattening with a single include statement to enjoy automatic SPF include management
  • Always stay under the 10 DNS lookup limit
  • Auto update netblock and scan for changed IP addresses constantly to keep your SPF record up-to-date
  • Maintain a user-friendly dashboard wherein you can easily update changes to your policies, add domains and mechanisms, and monitor email flow.

Why rely on SPF compression tools that can provide temporary results with underlying limitations? Optimize your SPF Record and mitigate the SPF hard limit with  Automatic SPF today! Sign up for PowerSPF now?

Reasons why to avoid SPF Flattening

Sender Policy Framework, or SPF is a widely acclaimed email authentication protocol that validates your messages by authenticating them against all the authorized IP addresses registered for your domain in your SPF record. In order to validate emails, SPF specifies to the receiving mail server to perform DNS queries to check for authorized IPs, resulting in DNS lookups.

Your SPF record exists as a DNS TXT record that is formed of an assemblage of various mechanisms. Most of these mechanisms (such as include, a, mx, redirect, exists, ptr) generate DNS lookups. However, the maximum number of DNS lookups for SPF authentication is limited to 10. If you are using various third-party vendors to send emails using your domain, you can easily exceed the SPF hard limit.

You might be wondering, what happens if you exceed this limit? Exceeding the 10 DNS lookup limit will lead to SPF failure and invalidate even legitimate messages sent from your domain. In such cases the receiving mail server returns an SPF PermError report to your domain if you have DMARC monitoring enabled.This makes us come to the primary topic of discussion for this blog: SPF flattening.

What is SPF Flattening?

SPF record flattening is one of the popular methods used by industry experts to optimize your SPF record and avoid exceeding the SPF hard limit. The procedure for SPF flattening is quite simple. Flattening your SPF record is the process of replacing all include mechanisms with their respective IP addresses to eliminate the need for performing DNS lookups.

For example, if your SPF record initially looked something like this:

v=spf1 include:spf.domain.com -all

A flattened SPF record will look something like this:

v=spf1 ip4:168.191.1.1 ip6:3a02:8c7:aaca:645::1 -all

This flattened record generates only one DNS lookup, instead of performing multiple lookups. Reducing the number of DNS queries performed by the receiving server during email authentication does help in staying under the 10 DNS lookup limit, however, it has problems of its own.

The Problem with SPF Flattening

Apart from the fact that your manually flattened SPF record may get too lengthy to publish on your domain’s DNS (exceeding the 255 character limit), you have to take into account that your email service provider may change or add to their IP addresses without notifying you as the user. Every now and then when your provider makes changes to their infrastructure, these alterations would not be reflected in your SPF record. Hence, whenever these changed or new IP addresses are used by your mail server, the email fails SPF on the receiver’s side.

PowerSPF: Your Dynamic SPF Record Generator

The ultimate goal of PowerDMARC was to come up with a solution that can prevent domain owners from hitting the 10 DNS lookup limit, as well as optimize your SPF record to always stay updated on the latest IP addresses your email service providers are using. PowerSPF is your automated SPF flattening solution that pulls through your SPF record to generate a single include statement. PowerSPF helps you:

  • Add or remove IPs and mechanisms with ease
  • Auto update netblocks to make sure your authorized IPs are always up-to-date
  • Stay under the 10 DNS lookup limit with ease
  • Get an optimized SPF record with a single click
  • Permanently defeat ‘permerror’
  • Implement error free SPF

Sign up with PowerDMARC today to ensure enhanced email deliverability and authentication, all while staying under the 10 DNS SPF lookup limit.

For enterprises as well as small businesses who are in possession of an email domain for sending and receiving messages among their clients, partners and employees, it is highly probable that an SPF record exists by default, which has been set up by your inbox service provider. No matter if you have a pre-existent SPF record or you need to create a new one, you need to optimize your SPF record correctly for your domain in order to ensure that it causes no email delivery issues.

Some email recipients strictly require SPF, which indicates that if you do not have an SPF record published for your domain your emails may be marked as spam in your receiver’s inbox. Moreover, SPF helps in detecting unauthorized sources sending emails on behalf of your domain.

Let us first understand what is SPF and why do you need it?

Sender Policy Framework (SPF)

SPF is essentially a standard email authentication protocol that specifies the IP addresses that are authorized to send emails from your domain. It operates by comparing sender addresses against the list of authorized sending hosts and IP addresses for a specific domain that is published in the DNS for that domain.

SPF, along with DMARC (Domain-based Message Authentication, Reporting and Conformance) is designed to detect forged sender addresses during email delivery and prevent spoofing attacks, phishing and email scams.

It is important to know that although the default SPF integrated into your domain by your hosting provider ensures that emails sent from your domain are authenticated against SPF, if you have  multiple third-party vendors to send emails from your domain, this pre-existent SPF record needs to be tailored and modified to suit your requirements. How can you do that? Let’s explore two of the most common ways:

  • Creating a brand new SPF record
  • Optimizing an existing SPF record

Create a Brand New SPF Record

Creating a SPF record is simply publishing a TXT record in your domain’s DNS to configure SPF for your domain. If you are just starting out with authentication and unsure about the syntax, you can use our free online SPF record generator to create a SPF record for your domain.

An SPF record entry with a correct syntax will look something like this:

v=spf1  ip4:38.146.237 include:example.com -all

v=spf1Specifies the version of SPF being used
ip4/ip6This mechanism specifies the valid IP addresses that are authorized to send emails from your domain.
includeThis mechanism tells the receiving servers to include the values for the SPF record of the specified domain.
-allThis mechanism specifies that emails that are not SPF compliant would be rejected. This is the recommended tag you can use while publishing your SPF record. However it can be replaced with ~ for SPF Soft Fail (non-compliant emails would be marked as soft fail but would still be accepted) Or + which specifies that any and every server would be allowed to send emails on behalf of your domain, which is strongly discouraged.

If you already have SPF configured for your domain, you can also use our free SPF record checker to lookup and validate your SPF record and detect issues.

Common Challenges and Errors while Configuring SPF

1) 10 DNS Lookup limit 

The most common challenge faced by domain owners while configuring and adopting SPF authentication protocol for their domain, is that SPF comes with a limit on the number of DNS lookups, which cannot exceed 10. For domains relying on multiple third-party vendors, the 10 DNS lookup limit exceeds easily which in turn breaks SPF and returns an SPF PermError. The receiving server in such cases automatically invalidates your SPF record and blocks it.

Mechanisms that initiate DNS lookups: MX, A, INCLUDE, REDIRECT modifier

2) SPF Void Lookup 

Void lookups refer to DNS lookups which either return NOERROR response or NXDOMAIN response (void answer). While implementing SPF it is recommended to ensure DNS lookups do not return a void answer in the first place.

3) SPF Recursive loop

This error indicates that the SPF record for your specified domain contains recursive issues with one or more of the INCLUDE mechanisms. This takes place when one of the domains specified in the INCLUDE tag contains a domain whose SPF record contains the INCLUDE tag of the original domain. This leads to a never-ending loop causing email servers to continuously perform DNS lookups for the SPF records. This ultimately leads to exceeding the 10 DNS lookup limit, resulting in emails failing SPF.

4) Syntax Errors 

An SPF record may exist in your domain’s DNS, but it is of no use if it contains syntax errors. If your SPF TXT record contains unnecessary white spaces while typing the domain name or mechanism name, the string preceding the extra space would be completely ignored by the receiving server while performing a lookup, thereby invalidating the SPF record.

5) Multiple SPF records for the same domain

A single domain can have only one SPF TXT entry in the DNS. If your domain contains more than one SPF record, the receiving server invalidates all of them, causing emails to fail SPF.

6) Length of the SPF record 

The maximum length of a SPF record in the DNS is limited to 255 characters. However, this limit can be exceeded and a TXT record for SPF can contain multiple strings concatenated together, but not beyond a limit of 512 characters, to fit the DNS query response. Though this was later revised, recipients relying on older DNS versions would not be able to validate emails sent from domains containing a lengthy SPF record.

Optimizing your SPF Record

In order to promptly modify your SPF record you can use the following SPF best practices:

  • Try typing down your email sources in decreasing order of importance from left to right in your SPF record
  • Remove obsolete email sources from your DNS
  • Use IP4/IP6 mechanisms instead of A and MX
  • Keep your number of INCLUDE mechanisms as low as possible and avoid nested includes
  • Do not publish more than one SPF record for the same domain in your DNS
  • Make sure your SPF record doesn’t contain any redundant white spaces or syntax errors

Note: SPF flattening is not recommended since it isn’t a one-time deal. If your email service provider changes their infrastructure, you’re going to have to change your SPF records accordingly, every single time.

Optimizing Your SPF Record Made Easy with PowerSPF

You can go ahead and try implementing all those above-mentioned modifications to optimize your SPF record manually, or you can forget the hassle and rely on our dynamic PowerSPF to do all that for you automatically! PowerSPF helps you optimize your SPF record with a single click, wherein you can:

  • Add or remove sending sources with ease
  • Update records easily without having to manually make changes to your DNS
  • Get an optimized auto SPF record with the single click of a button
  • Stay under the 10 DNS lookup limit at all time
  • Successfully mitigate PermError
  • Forget about SPF record syntax errors and configuration issues
  • We take away the burden of resolving SPF limitations on your behalf

Sign up with PowerDMARC today to bid adieu to SPF limitations forever!  

As a DMARC services provider, we get asked this question a lot: “If DMARC just uses SPF and DKIM authentication, why should we bother with DMARC? Isn’t that just unnecessary?”

On the surface it might seem to make little difference, but the reality is very different. DMARC isn’t just a combination of SPF and DKIM technologies, it’s an entirely new protocol by itself. It has several features that make it one of the most advanced email authentication standards in the world, and an absolute necessity for businesses.

But wait a minute. We’ve not answered exactly why you need DMARC. What does it offer that SPF and DKIM don’t? Well, that’s a rather long answer; too long for just one blog post. So let’s split it up and talk about SPF first. In case you’re not familiar with it, here’s a quick intro.

What is SPF?

SPF, or Sender Policy Framework, is an email authentication protocol that protects the email receiver from spoofed emails. It’s essentially a list of all IP addresses authorized to send email through your (the domain owner) channels. When the receiving server sees a message from your domain, it checks your SPF record that’s published on your DNS. If the sender’s IP is in this ‘list’, the email gets delivered. If not, the server rejects the email.

As you can see, SPF does a pretty good job keeping out a lot of unsavoury emails that could harm your device or compromise your organisation’s security systems. But SPF isn’t nearly as good as some people might think. That’s because it has some very major drawbacks. Let’s talk about some of these problems.

Limitations of SPF

SPF records don’t apply to the From address

Emails have multiple addresses to identify their sender: the From address that you normally see, and the Return Path address that’s hidden and require one or two clicks to view. With SPF enabled, the receiving email server looks at the Return Path and checks the SPF records of the domain from that address.

The problem here is that attackers can exploit this by using a fake domain in their Return Path address and a legitimate (or legitimate-looking) email address in the From section. Even if the receiver were to check the sender’s email ID, they’d see the From address first, and typically don’t bother to check the Return Path. In fact, most people aren’t even aware there is such a thing as Return Path address.

SPF can be quite easily circumvented by using this simple trick, and it leaves even domains secured with SPF largely vulnerable.

SPF records have a DNS lookup limit

SPF records contain a list of all the IP addresses authorized by the domain owner to send emails. However, they have a crucial drawback. The receiving server needs to check the record to see if the sender is authorized, and to reduce the load on the server, SPF records have a limit of 10 DNS lookups.

This means that if your organization uses multiple third party vendors who send emails through your domain, the SPF record can end up overshooting that limit. Unless properly optimized (which isn’t easy to do yourself), SPF records will have a very restrictive limit. When you exceed this limit, the SPF implementation is considered invalid and your email fails SPF. This could potentially harm your email delivery rates.

 

SPF doesn’t always work when the email is forwarded

SPF has another critical failure point that can harm your email deliverability. When you’ve implemented SPF on your domain and someone forwards your email, the forwarded email can get rejected due to your SPF policy.

That’s because the forwarded message has changed the email’s recipient, but the email sender’s address stays the same. This becomes a problem because the message contains the original sender’s From address but the receiving server is seeing a different IP. The IP address of the forwarding email server isn’t included within the SPF record of original sender’s domain. This could result in the email being rejected by the receiving server.

How does DMARC solve these issues?

DMARC uses a combination of SPF and DKIM to authenticate email. An email needs to pass either SPF or DKIM to pass DMARC and be delivered successfully. And it also adds one key feature that makes it far more effective than SPF or DKIM alone: Reporting.

With DMARC reporting, you get daily feedback on the status of your email channels. This includes information about your DMARC alignment, data on emails that failed authentication, and details about potential spoofing attempts.

If you’re wondering about what you can do to not get spoofed, check out our handy guide on the top 5 ways to avoid email spoofing.

As organisations set up charity funds around the world to fight Covid-19, a different sort of battle is being waged in the electronic conduits of the internet. Thousands of people around the world have fallen prey to email spoofing during the coronavirus pandemic. It’s become increasingly common to see cybercriminals use real domain names of these organisations in their emails to appear legitimate.

In the most recent high-profile coronavirus scam, an email supposedly from the World Health Organization (WHO) was sent around the world, requesting donations to the Solidarity Response Fund. The sender’s address was ‘[email protected]’, where ‘who.int’ is the real domain name for WHO. The email was confirmed to be a phishing scam, but at first glance, all signs pointed to the sender being genuine. After all, the domain belonged to the real WHO.

donate response fund

However, this has only been one in a growing series of phishing scams that use emails related to coronavirus to steal money and sensitive information from people. But if the sender is using a real domain name, how can we distinguish a legitimate email from a fake one? Why are cybercriminals so easily able to employ email domain spoofing on such a large organisation?

And how do entities like WHO find out when someone is using their domain to launch a phishing attack?

Email is the most widely used business communication tool in the world, yet it’s a completely open protocol. On its own, there’s very little to monitor who sends what emails and from which email address. This becomes a huge problem when attackers disguise themselves as a trusted brand or public figure, asking people to give them their money and personal information. In fact, over 90% of all company data breaches in recent years have involved email phishing in one form or the other. And email domain spoofing is one of the leading causes of it.

In an effort to secure email, protocols like Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) were developed. SPF cross-checks the sender’s IP address with an approved list of IP addresses, and DKIM uses an encrypted digital signature to protect emails. While these are both individually effective, they have their own set of flaws. DMARC, which was developed in 2012, is a protocol that uses both SPF and DKIM authentication to secure email, and has a mechanism that sends the domain owner a report whenever an email fails DMARC validation.

This means the domain owner is notified whenever an email sent by an unauthorised third party. And crucially, they can tell the email receiver how to handle unauthenticated mail: let it go to inbox, quarantine it, or reject it outright. In theory, this should stop bad email from flooding people’s inboxes and reduce the number of phishing attacks we face. So why doesn’t it?

Can DMARC Prevent Domain Spoofing?

Email authentication requires sender domains to publish their SPF, DKIM and DMARC records to DNS. According to a study, only 44.9% of Alexa top 1 million domains had a valid SPF record published in 2018, and as little as 5.1% had a valid DMARC record. And this is despite the fact that domains without DMARC authentication suffer from spoofing nearly four times as much as domains that are secured. There’s a lack of serious DMARC implementation across the business landscape, and it’s not gotten much better over the years. Even organisations like UNICEF have yet to implement DMARC with their domains, and the White House and US Department of Defense both have a DMARC policy of p = none, which means they’re not being enforced.

A survey conducted by experts at Virginia Tech has brought to light some of the most serious concerns cited by major companies and businesses that have yet to use DMARC authentication:

  1. Deployment Difficulties: The strict enforcement of security protocols often means a high level of coordination in large institutions, which they often don’t have the resources for. Beyond that, many organisations don’t have much control over their DNS, so publishing DMARC records becomes even more challenging.
  2. Benefits Not Outweighing the Costs: DMARC authentication typically has direct benefits to the recipient of the email rather than the domain owner. The lack of serious motivation to adopt the new protocol has kept many companies from incorporating DMARC into their systems.
  3. Risk of Breaking the Existing System: The relative newness of DMARC makes it more prone to improper implementation, which brings up the very real risk of legitimate emails not going through. Businesses that rely on email circulation can’t afford to have that happening, and so don’t bother adopting DMARC at all.

Recognising Why We Need DMARC

While the concerns expressed by businesses in the survey have obvious merit, it doesn’t make DMARC implementation any less imperative to email security. The longer businesses continue to function without a DMARC-authenticated domain, the more all of us expose ourselves to the very real danger of email phishing attacks. As the coronavirus email spoofing scams have taught us, no one is safe from being targeted or impersonated. Think of DMARC as a vaccine — as the number of people using it grows, the chances of catching an infection go down dramatically.

There are real, viable solutions to this problem that might overcome people’s concerns over DMARC adoption. Here are just a few that could boost implementation by a large margin:

  1. Reducing Friction in Implementation: The biggest hurdle standing in the way of a company adopting DMARC are the deployment costs associated with it. The economy is in doldrums and resources are scarce. Which is why PowerDMARC along with our industrial partners Global Cyber Alliance (GCA) are proud to announce a limited-time offer during the Covid-19 pandemic — 3 months of our full suite of apps, DMARC implementation and anti-spoofing services, completely free. Get your DMARC solution set up in minutes and start monitoring your emails using PowerDMARC now.
  2. Improving Perceived Usefulness: For DMARC to have a major impact on email security, it needs a critical mass of users to publish their SPF, DKIM and DMARC records. By rewarding DMARC-authenticated domains with a ’Trusted’ or ‘Verified’ icon (like with the promotion of HTTPS among websites), domain owners can be incentivised to get a positive reputation for their domain. Once this reaches a certain threshold, domains protected by DMARC will be viewed more favourably than ones that aren’t.
  3. Streamlined Deployment: By making it easier to deploy and configure anti-spoofing protocols, more domains will be agreeable to DMARC authentication. One way this could be done is by allowing the protocol to run in a ’Monitoring mode’, allowing email administrators to assess the impact it has on their systems before going for a full deployment.

Every new invention brings with it new challenges. Every new challenge forces us to find a new way to overcome it. DMARC has been around for some years now, yet phishing has existed for far longer. In recent weeks, the Covid-19 pandemic has only given it a new face. At PowerDMARC, we’re here to help you meet this new challenge head on. Sign up here for your 3-month PowerDMARC deployment for absolutely free, so that while you stay home safe from coronavirus, your domain is safe from email spoofing.