One common service request type that our team hears regularly from our customers involves email delivery. Customers report receipt of unsolicited mail from their own domain, or they report that their outgoing mails to external recipients aren't successfully received, or their mails go to the recipients' junk mail folder. And there's a simple fix that helps address both scenarios most of the time.
The first situation revolves around domain spoofing. In this scenario a disreputable sender composes emails with your email address or domain in the outbound messaging to deliver their content, either spam or malware. Sometimes this email can be directed to your domain email community, but it can also be directed to the wider Internet community.
The second situation involves improving delivery of your emails to intended recipients, where the receiving parties flag your legitimate mails as spam or junk mail. Their mail system's confidence in the authenticity of your message is low, so either a server-end or a client-side application or filtering tool marks up the message as possible or likely unsolicited and the message is either quarantined, rejected, or routed to a junk mail folder.
How do we address this and what tools are available to cure these symptoms?
Simply described, we start with an implementation of the Sender Policy Framework (SPF) for the customer's domain. Sounds easy, right?
SPF relies on records published in your domain's DNS zone that any internet-connected device or application can read. You update the records in a secure manner, but anyone on the internet can read them. This works the same way that published records in DNS zones tell computers where your website is hosted, but in an SPF record, the zone information describes who you have authorized to send email using your domain names. The SPF record is entered as a TXT record type.
If your email domain is fully hosted in Microsoft's Office 365 service, your SPF TXT record would resemble, without quotes: "v=spf1 include:spf.protection.outlook.com -all"
To set your SPF record in your domain's DNS zone, include the entries specific to your environment in the DNS record. If you use an on-premises mail server, if you deliver mail messages from scanners or multifunction printers in your offices, or if you use email marketing services that send as your domain, your SPF record will contain different and additional values than the example above. Common SPF record contents can be published lists, IP addresses, hostnames, and MX record values, all describing in very simple form what systems you are authorizing as valid senders of mail for your domain.
How does this work?
Systems that receive email perform a common DNS lookup on mail received. This DNS lookup compares information in the SPF text record against the sender address and IP information.
- If there is no SPF record, the receiving system is left to handle the message according to its own configuration and preferences, and usually this results in a lower confidence rating.
- If there is an SPF record published for the domain, and the sending system is not included in the SPF record, then the receiving system can use this information to filter the message or mark it up for the recipient as likely spam or junk mail.
  - This addresses scenario one: when mails sent using your own domain email address don't match the authorized systems in your SPF record, your mail system can outright reject them because the SPF check failed.
- If there is an SPF record published for the domain, and the sending system matches the SPF record, then confidence in the email message is increased and it is less likely to be flagged as junk mail.
  - This addresses scenario two: mails sent using your email domain can be verified by your recipients' systems, which increases their confidence that your mails are legitimate.
There are additional email assurance configuration items that can be set up with additional investment, but starting with an SPF record is quick and straightforward, and results are realized almost immediately.
If you have any questions about SPF records or would like assistance, reach out to us.