If you’ve never heard of SPF (Sender Policy Framework), don’t worry, you’re probably not an email administrator. SPF was designed as an addition to the email system to prevent sender spoofing. In other words, allowing someone else to send an email pretending they are you.
As you can imagine, spammers don’t tend to use their real email addresses when informing you of their latest and greatest. They use other innocent people’s email addresses so that when the message bounces or fails (which often happens) then bounce comes back to…. you guessed it, you and not the spammer.
I only post this message today because one of our infrequently used domains has been used in such a manner this morning. I am getting a lot of bounces from russian email addresses informing me that my message has failed and I should retry / give up etc etc.. Mea culpa, I forgot to put an SPF record on that particular domain.
To clarify, SPF is a DNS record published by (in this case) my domain which informs any system that cares to look, which IP address is allowed to send mail on behalf of that domain. There are various levels of strictness Â (have a look at the openspf wizard) but it basically boils down to that. A receiving email server can check this record, and if itÂ doesn’tÂ match what my DNS says, it can reject the email or do one of many locally set rules that the email administrator chooses.
Of course I’ve added this SPF record to this particular domain so let’s see how quickly it resolves.
Why is this on a social engineering blog? Well, if you correspond with people mainly via email then email is your reputation. Your email and / or domain can easily be blacklisted and through no fault of your own that reputation is tarnished. As our own customers sometimes find out
Of course, SPF is no magic bullet but it can help against random bot spoofing. There are other technologies such as DKIM and DomainKeys but these are harder for the general public to implement and are less common at this moment in time.