SPF: What it is and how it can save your company
Have you ever wondered how spam e-mails so often appear to come from trusted domains? You may receive an e-mail from your bank, only to find that it really came from some opportunist in Nigeria! This is thanks to a lack of SPF!
You might also think that the senders used some advanced hacking skills, but that's not true either! The fault actually lies completely with the institution they are pretending to be!
What is SPF?
SPF (Sender Policy Framework) lets domain owners publish which servers may send e-mail using their domain name. To explain how SPF works, it is first important to understand the shortcomings of sending e-mail without it. We can use a letter sent via the postal service as an example.
In this case, party A wrote a letter and put their own address on the back of the envelope. They also put party B's (the receiver's) address on the front of the envelope. The postal service would then take the envelope and deliver it to party B. Party B will simply assume that it is from party A. And in this assumption lies the problem!
Imagine that party A claimed to be a "bank", notifying one of its clients that an account is overdue. The letter could claim that the client needs to pay the account using the details given in the letter. The receiver would then have the letter in hand, but would have no idea whether it is legitimate. This is what happens when letters are sent without anything like SPF.
So now the question is: how could party B know for sure that party A really sent the message (and that they are who they say they are)?
How SPF Proves Identity
Well, surely the post office can help with this! The real bank can prevent the fraud by simply giving the post office a list of its real addresses. When a letter gets picked up, the post office can warn the receiver if it wasn't picked up from one of the sender's real addresses.
This is essentially what SPF does.
The sender hands an e-mail to their own mail server (Server A) to send. If they use Gmail, this would be Gmail's server, for example. Using their e-mail client, the sender can simply type in whatever e-mail address and name they would like the e-mail to appear to be from. Server A then looks up the server that delivers mail for the final recipient (Server B) and connects to it. Server B accepts the mail and records the address that Server A connected from. Server B can then check whether Server A is allowed to send mail on behalf of the domain the mail claims to come from. Depending on the result, Server B will simply destroy the e-mail or put it in its user's inbox. Here, "SPF" refers to the SPF record that the claimed sender's domain publishes in its DNS.
So what if I don’t have SPF set up?
Let's say that Server B receives the mail, looks up the claimed sender's domain, but doesn't find an SPF record to reference. This is a big problem, because now the server has to either delete or deliver the mail by default (and the receiver could either receive a fake mail or lose a real one).
This could mean that your competitors could send out mail on your behalf, without your permission. It could also leave the door open for a scammer to e-mail your clients about a change of bank account details (one that only the scammer knows about).
This is why it is so vital to ensure that you do have SPF set up for your company's domain. Either check with your website's host or contact ITFirst, and we can do it for you! Doing this one simple thing today could, as you can imagine, make a big impact tomorrow!
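To make the check described in the last two sections concrete, here is an added Python example; it is not part of the original article and not code from ITFirst. It evaluates a simplified SPF record the way Server B would: it takes the address Server A connected from, reads the claimed domain's SPF record and walks its mechanisms in order. All domain names, IP addresses and DNS records are constructed and served from an in-memory table rather than real DNS, and the function names (check_spf, find_spf, receiver_action) are our own. The "none" result is exactly the unprotected case just described, where there is no record to check against.

```python
import ipaddress

# Constructed stand-in for DNS (all names and addresses are made up, using
# reserved example ranges). A real receiver would query these over DNS.
FAKE_DNS = {
    "realbank.example": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all"],
    },
    "_spf.mailprovider.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "softshop.example": {"TXT": ["v=spf1 mx ~all"], "MX": ["mail.softshop.example"]},
    "mail.softshop.example": {"A": ["192.0.2.10"]},
    "nospf.example": {"TXT": ["site-verification=abc123"]},  # no SPF record at all
}

# Qualifiers that may prefix a mechanism: "+ip4:..." (the default), "-all", "~all", "?all".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 limits DNS-querying terms to 10 per check


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed table."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def find_spf(domain):
    """Return the domain's single SPF TXT record, or None if it has none (or several)."""
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(domain, ip, _depth=0):
    """Evaluate the SPF record of `domain` for mail sent from address `ip`.

    Returns (result, reason); result is one of pass, fail, softfail, neutral,
    none or permerror, mirroring the RFC 7208 result names.
    """
    if _depth > MAX_INCLUDE_DEPTH:
        return "permerror", "too many nested include: mechanisms"
    record = find_spf(domain)
    if record is None:
        return "none", f"{domain} publishes no SPF record"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # e.g. "ip4", ":", "203.0.113.0/24"
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", f"malformed network {arg!r} in {domain}"
        elif name == "a":                    # sender IP equals an A record of the host
            matched = str(addr) in lookup(arg or domain, "A")
        elif name == "mx":                   # sender IP equals an A record of one of the MX hosts
            matched = any(str(addr) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif name == "include":              # defer to another domain's policy; only "pass" counts
            sub_result, _ = check_spf(arg, ip, _depth + 1)
            matched = sub_result == "pass"
        elif name == "all":                  # catch-all, normally the last term
            matched = True
        else:
            continue  # simplification: exists:, ptr and redirect= are not modelled here
        if matched:
            return QUALIFIERS[qualifier], f"matched {qualifier}{term} in {domain}"
    return "neutral", f"no mechanism in {domain} matched {ip}"


def receiver_action(result):
    """One plausible policy for the receiving server (Server B); this mapping is our own choice."""
    return {
        "pass": "deliver",
        "fail": "reject",
        "softfail": "deliver to spam folder",
        "none": "deliver unverified",   # the unprotected case: nothing to check against
    }.get(result, "deliver unverified")


if __name__ == "__main__":
    for domain, ip in [("realbank.example", "203.0.113.25"),
                       ("realbank.example", "198.51.100.7"),
                       ("realbank.example", "192.0.2.99"),
                       ("softshop.example", "192.0.2.10"),
                       ("nospf.example", "192.0.2.99")]:
        result, reason = check_spf(domain, ip)
        print(f"{domain:25} from {ip:15} -> {result:8} ({receiver_action(result)}): {reason}")
```

Note the two endings used in the constructed records: "-all" tells receivers to reject anything not listed, while "~all" only asks them to treat it with suspicion, which is why the same unlisted address gets "fail" from realbank.example but "softfail" from softshop.example. A domain with no record at all gets "none", and the receiver is left guessing.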