Email Adventures: Setting up an SPF Record to Combat Domain Spoofing

NetSquared

Our domain got spoofed. The first indication was a ton of auto-responders in the past week that all got delivered to our catch-all email account. Most of these auto-responders were supposedly in response to our emails. But looking at the message header revealed a ton of emails with our domain name but unknown user names. TerimaddoxSilver@appropriateit.org, JennaeconometricGalindo@appropriateit.org, HenriettasuperstitiousLin@appropriateit.org, and so on and so forth. This is just a sample. We had 70+ such unknown users on one single day.

Setting up a Sender Policy Framework (SPF) record is one way to prevent domain spoofing.

To quote from DreamHost's wiki page on SPF:

SPF, or Sender Policy Framework (aka Sender ID), fights return-path address forgery and makes it easier to identify spoofed e-mails. This is because domain owners identify all mail servers that send e-mail on their behalf within their DNS entries. Mail servers that receive SMTP e-mail verify the envelope sender address against the information in DNS, and thus can distinguish between authentic messages and forgeries before any message data is transmitted.

You can find more information about SPF at OpenSPF.org.

SPF configuration is a three-step process. First, you have to get the SPF value from your email host. Then, you have to set it up as a DNS entry at your domain host. Finally, you have to test to ensure that everything is working as it should. Here is our step-by-step guide for setting up an SPF record, in case it helps someone looking for information on how to do it for their own domains:

  1. Our first stop was our email host, Gmail, which provided the SPF value on a help page. If you host your own mail, have multiple subdomains, or have other complications and need help creating the SPF value, the SPF Setup Wizard will come in handy.
  2. The next step was to set up the SPF record on DreamHost, our domain host. As any good host would, DreamHost had a wiki page that walked us through the steps of how to add a TXT record to our DNS. Your own host should have this information readily available in their help section. If not, ask them for it.
  3. Finally, we validated our SPF record using a testing tool from Scott Kitterman. We ensured that our email messages were carrying the right SPF information and were being delivered correctly by sending test emails to spf-test@openspf.org and check-auth@verifier.port25.com. We obtained these addresses from OpenSPF.org's tools page.
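
As an added example (not code from the original post, from DreamHost, or from Gmail), this Python lint checks the TXT values for a domain before they are published in step 2 and tested in step 3. It goes beyond the post by covering common SPF mistakes described in RFC 7208; the `lint_spf` name and the sample records under example.net are constructed for illustration.

```python
import re

# Mechanisms that cost the receiver a DNS lookup; RFC 7208 caps lookups at 10.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
MECHANISMS = LOOKUP_MECHS | {"ip4", "ip6", "all"}
TERM = re.compile(r"([+\-~?]?)([a-z][a-z0-9_.\-]*)([:=/].*)?", re.I)

def lint_spf(txt_records):
    """Return a list of problems found in one domain's TXT record strings."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["more than one SPF record: receivers return permerror"]
    problems, lookups, seen_all, has_redirect = [], 0, False, False
    for term in spf[0].split()[1:]:
        m = TERM.fullmatch(term)
        if not m:
            problems.append(f"unparseable term: {term}")
            continue
        qualifier, name, rest = m.group(1), m.group(2).lower(), m.group(3) or ""
        if seen_all:
            problems.append(f"term after 'all' is never evaluated: {term}")
        if rest.startswith("="):  # modifier, e.g. redirect= or exp=
            if name == "redirect":
                has_redirect, lookups = True, lookups + 1
        elif name not in MECHANISMS:
            problems.append(f"unknown mechanism: {term}")
        elif name == "all":
            seen_all = True
            if qualifier in ("", "+"):
                problems.append("'all' with a pass qualifier authorizes any sender")
            elif qualifier == "?":
                problems.append("'?all' is neutral: no policy for other senders")
        elif name in LOOKUP_MECHS:
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if not seen_all and not has_redirect:
        problems.append("no 'all' or 'redirect=': unmatched senders get neutral")
    return problems

if __name__ == "__main__":
    # Constructed sample TXT values; example.net stands in for the email host.
    for record in ("v=spf1 include:_spf.example.net ~all",
                   "v=spf1 include:_spf.example.net +all",
                   "v=spf1 mx -all ip4:192.0.2.10"):
        print(record, "->", lint_spf([record]) or "ok")
```

An empty result means the record passed these syntax and policy checks only; the live tests in step 3 are still what confirm that real mail from your host is evaluated as expected.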

That (hopefully) brings us to the end of the domain spoofing email adventure chapter. However, it is just a matter of time before spammers find newer ways to harass users, which will force us to embark on other similar adventures. Such are the drawbacks of technology that progresses by leaps and bounds.

Cross-posted from Appropriate IT's blog.