Plansmith Blog

Your Email is Putting Your Bank at Risk

Posted by Christopher Hartman on 2/3/16 1:00 PM

***Your Domain name can be used to SPOOF emails to anyone.***

Financial institutions should be concerned with security. Now I must ask: do the people or third parties you hire to control your email really know what’s going on? I own a shirt that says “The Internet is NOT your friend” for a very specific reason -- the Internet is a hostile place.

Every few weeks I come across a client that has a misconfigured mail server and can’t send us email. Plansmith cares about security, so we reject the connection - and rightfully so. This article is my attempt to open your eyes and help you secure your systems, because out of the 7,058 financial domain names I quickly tested, 5,600 are improperly configured or missing an SPF record altogether. That’s a lot! It’s a terrifying amount.

This means BAD people can send emails using your domain name from their servers and other mail servers will accept them. This could ruin your reputation.

Example: a spammer or malicious person uses,, or to email anyone using This isn’t hard to do because it doesn’t require access to “your” servers. The spammer or malicious user emails the world directly from a mail server they own or relay through. Without a properly configured SPF record, receiving servers will accept the email because your record tells them to.


The Data:

Queried Domains = 7,058
Returned SPF record = 5,298
Returned the SECURE -all = 1,458
Returned insecure ~all = 1,920
Returned insecure ?all = 461
Returned incorrect format = 1,459



-all = fail (reject). This is GOOD! It tells a mail server receiving messages with your domain name to accept email only from the servers listed in your SPF record. (I believe people are confused by this because it says “fail”. Fail in this case is GOOD.)

~all = soft fail (accept but mark). This is BAD! It tells receiving servers to accept email from any server using your domain name, at most marking it as suspicious.

?all = neutral (accept). This is BAD! It tells receiving servers to accept email from any server using your domain name, as if no SPF record existed.


How I tested:

I gathered the domain names from email addresses in our internal CRM and removed duplicate domain names. I used “dig” to batch-query DNS for TXT records, saved the responses, and tallied them.
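As an added example (not the author's script), here is a Python tally that buckets dig-style TXT answers into the same categories the data section uses; every domain and address in the sample is made up, and it runs offline on that constructed data rather than querying DNS.

```python
# Added example: tally SPF records into the article's categories (constructed data, not live DNS)
import re
from collections import Counter

# Constructed dig-style TXT answers per fake domain; every value here is made up for illustration.
SAMPLE_TXT = {
    "bank-a.example": ['"v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all"'],
    "bank-b.example": ['"v=spf1 include:_spf.provider.example ~all"'],
    "bank-c.example": ['"v=spf1 mx ?all"'],
    "bank-d.example": ['"v=spf1 ip4:198.51.100.5"'],           # no "all" term at all
    "bank-e.example": ['"v=spf1 -all"', '"v=spf1 mx -all"'],    # two SPF records (an error for receivers)
    "bank-f.example": ['"v=spf1 ip4:203.0.113.9 " "-all"'],     # long record split into two strings
    "bank-g.example": ['"google-site-verification=abc123"'],    # TXT present, but no SPF record
    "bank-h.example": [],                                       # no TXT records returned
    "bank-i.example": ['"v=spf1 a +all"'],                      # explicit pass-all: anyone may send
}

def join_txt(answer):
    """dig prints a TXT RR as one or more quoted strings; receivers concatenate them verbatim."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', answer)
    return "".join(parts) if parts else answer.strip()

def spf_records(txt_answers):
    """Keep only SPF records: the version tag 'v=spf1' is matched case-insensitively."""
    return [r for r in map(join_txt, txt_answers) if r.lower().startswith("v=spf1")]

def classify(txt_answers):
    """Bucket one domain's TXT answers the way the article's data table does."""
    spf = spf_records(txt_answers)
    if not spf:
        return "missing"
    if len(spf) > 1:                       # more than one SPF record is a permanent error
        return "incorrect format"
    for term in spf[0].split()[1:]:        # the first 'all' mechanism ends evaluation
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            # bare 'all' / '+all' has no bucket of its own in the article; counted as incorrect here
            return {"-": "secure -all", "~": "insecure ~all", "?": "insecure ?all"}.get(
                m.group(1), "incorrect format")
    return "incorrect format"              # no terminal 'all' (e.g. only a redirect=)

def tally(domains_to_txt):
    """Counts in the same shape as the article's 'The Data' section."""
    c = Counter(classify(v) for v in domains_to_txt.values())
    return {"queried": len(domains_to_txt), "returned SPF": len(domains_to_txt) - c["missing"], **c}
```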

So what should you do now? Show your admin! Insist that they use -all. Many of you use a third party to host email and pull in its servers with a “refer” tag; insist that they also use -all.


Please test your own domain:

MXtoolbox – SPF check - Just replace with your domain name. MXtoolbox might mislead you at first because the bar is green. You must look at the record itself and make sure your SPF ends with “ -all”. If you see “ ~all”, “ ?all” or “ all”, your domain name is insecure.

Good example: "v=spf1 ip4: ip4: -all"

If you see results like this: "v=spf1", replace with and again look for -all.

For Admins:

Common mistakes when writing SPF records:

People list inbound servers. This isn’t needed unless the inbound server is also your outbound SMTP server.

Another common mistake people make when setting up mail servers is that the reverse DNS lookup doesn’t match the forward lookup. For the outbound mail server, the one sending the mail, the two must match.

Correct Example:






More mistakes…

The FQDN (“fully qualified domain name”) in the in-addr.arpa (reverse) record for a mail server should NEVER just be A correct FQDN would be

I emailed MXtoolbox last year because I found they didn’t correctly catch a few things after a bank insisted they were set up OK. MXtoolbox’s old results were their argument for why I was wrong. MXtoolbox, of course, agreed with me. Per an email from “Peter LeBlond” of MXtoolbox, MXtoolbox now shows all non-FQDN names as a warning (I’ve tested said bank and the toolbox change is live). The bank is still set up incorrectly to this day.

Above, in my example of,, &, you will notice that spoofed email from these addresses is allowed because they too use ~all instead of -all. If your SPF record is incorrectly configured, criminals will exploit you. Please stop your domain name from unknowingly spamming us with malicious PDFs, docs, and exes! Some LARGE banks and data-processor domains are regularly on our virus list. Thank you.



Christopher D. Hartman is Plansmith's VP & CTO. He has over 20 years of experience.

To contact Christopher directly, email:
