Sender Policy Framework (SPF) may sound like technical jargon, and it is, but it’s important that you understand what it is and how it can help protect your business from serious security issues. Without an SPF record, it’s possible for anyone in the world to send emails from your email address!
SPF Records: The Why, What and How Explained...
What is an SPF Record?
SPF (Sender Policy Framework) is a record which lets you tell the world who can send emails from your domain. It gives the recipient a means to verify that an email has come from the address it purports to be from.
Why is this a problem?
At first glance, it’s clearly not ideal that this is possible: people could pretend to be you and spam your clients or the rest of the world, resulting in your email address or entire domain becoming blacklisted. But the problem can be far worse. Imagine one of your clients received an email from you saying that you’ve changed your bank account and would like all payments to go to a new bank account using the details you’ve provided. How can they be sure that this email is from you? You would hope that they’d phone you to confirm, but they may not, and they’d happily start sending your money to this new account. Without an SPF record, anyone could send this email and trick your contacts into sending them money.
Why is this possible?
Current email systems are, in essence, built on a system that was first conceived in 1982. Back then the world was a very different place: CDs had just been invented, Knight Rider was on TV, Channel 4 launched and the Atari was a sophisticated gaming machine! The Internet was in its infancy, and using the Internet for hacking and malicious intent hadn’t crossed anyone’s mind. So the underlying system wasn’t designed with many safeguards, and it was, and still is, possible to send emails from any address you wish.
How do we stop this?
Fortunately, in the early part of this century a proposal was made for the standard which is now known as SPF. It’s a policy which defines who can send emails from your domain (e.g. datek.co.uk). When an email system receives an email, it will check the SPF record to confirm that the sender is on this list and, if so, will permit the email to be delivered. If the SPF check fails, then the email should not be delivered. If it passes the check, it proves the email was from your system and it will be allowed through. This is a very simple mechanism and it is extremely easy to set up, but we keep finding lots of businesses that aren’t using this simple but effective security measure.
What if you need other companies to send emails on your behalf?
Many businesses work with 3rd parties who need to send emails as if they were from the business, such as external marketing companies who may send out marketing emails from your address, or CRM systems which send notifications out to your customers on your behalf. If this is the case, it’s important that the SPF record includes these systems to prevent these emails from failing the SPF checks and consequently not being delivered. To do this, your IT company will need to speak to your 3rd party provider to obtain details about such systems and add them into the SPF record. This is a straightforward process, and many such 3rd parties will have documents with this information readily available to send out to you.
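The receiving-side check and the effect of listing a 3rd party sender, shown as an added example that is not part of the original article: a small Python evaluator that handles only the `ip4`, `ip6`, `include` and `all` mechanisms. The domains `yourbusiness.example` and `spf.mailer.example`, their records and the IP addresses are constructed for illustration, and the lookup table stands in for the DNS TXT records where SPF policies are published.

```python
import ipaddress

# Constructed sample TXT records (reserved .example domains, documentation IP ranges).
SAMPLE_TXT = {
    # Your own mail server range, plus a 3rd party mailer, reject everything else.
    "yourbusiness.example": "v=spf1 ip4:192.0.2.0/28 include:spf.mailer.example -all",
    # The 3rd party's own policy, which your record pulls in via include.
    "spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, txt=SAMPLE_TXT, depth=0):
    """Return the SPF result for sender_ip claiming to send for domain."""
    if depth > 10:  # simplified guard against include loops
        return "permerror"
    record = txt.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # no policy published, so the receiver has nothing to check
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only when the included policy itself says "pass"
            matched = check_spf(sender_ip, value, txt, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, redirect= etc. are outside this example's scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.77", "203.0.113.9"):
        print(ip, check_spf(ip, "yourbusiness.example"))
```

Removing the `include:` term from the first record turns the 3rd party mailer's result from pass into fail, which is the delivery problem described above.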
This is just one of the many ways in which your email systems can be secured. If you’d like our help with this, please call one of our specialists today.