Have you ever received a bounce-back for an email that you never sent and wondered how that happened? When it comes to email governance, one area that has little to no restrictions is what someone puts in the “From” address. Yup, that’s right – I can craft an email to someone with your email address. Maybe I want to send an email from the CEO to the accounting department to request they adjust my salary? Unfortunately, many email servers or SPAM solutions are not set up properly to defend against this. On the flip side, many are, but the sending domains are not set up to follow the standards created to prevent this type of spoofing, so legitimate emails do not reach their destination.
As stated above, there are two sides to this equation – the sending and receiving sides. In this post, we are going to focus on the sender and how to ensure your emails get to their destination by using SPF records. SPF, or Sender Policy Framework, was designed to prevent others from sending emails “From” you. This is one of the methods (but not the only one) developed to prevent email spoofing. It works by having the receiving side perform DNS lookups against your domain. The theory is that only the owner of a domain can create DNS records for that domain. So, if those records designate which addresses are allowed to send emails on its behalf, mail from those addresses should be trusted.
When creating SPF records, you need to take into account anyone that is sending mail on your behalf and make sure the addresses of those services are included in your SPF record. This could be your internal email servers, a hosted email service such as Microsoft Office 365, or a hosted SPAM solution such as Barracuda. These services will usually provide you with the proper address and syntax to include in your SPF record. If you have multiple services sending on your behalf, this can complicate the creation of the record, so it is recommended to use an online SPF generator, such as SPF Wizard, that will ask you questions and build the proper text string for you.
If you find that you are receiving bounce-back messages for recipients you actually intended to send to, chances are they are enforcing SPF lookups and your SPF records are not set up properly.
If you are unsure of how to set up these records or need assistance implementing a SPAM solution that can prevent email spoofing, please contact us.
Stay tuned for Part II of this series where we discuss how PTR records are used to prevent SPAM and spoofing.
By Steven Stein, Director, Client Services