***Your Domain name can be used to SPOOF emails to anyone.***
Financial institutions should be concerned with security. So I must ask: do the people or third parties you hire to run your email really know what’s going on? I own a shirt that says “The Internet is NOT your friend” for a very specific reason: the Internet is a hostile place.
Every few weeks I come across a client that has a misconfigured mail server and can’t send us email. Plansmith cares about security, so we reject the connection, and rightfully so. This article is my attempt to open your eyes and help you secure your systems, because of the 7,058 financial domain names I quickly tested, 5,600 are improperly configured or missing an SPF record altogether. That’s a lot. It’s a terrifying amount.
This means BAD people can send emails using your domain name from their own servers, and other mail servers will accept them. This could ruin your reputation.
Example: a spammer or malicious person uses gmail.com, Hotmail.com, or yahoo.com to email anyone as yourname@yourbank.com. This isn’t hard to do, because it doesn’t require access to “your” servers. The spammer/malicious user is emailing the world directly from a mail server they own or relay through. Without a properly configured SPF record, every receiving server will accept the email, because your record tells it to.
The Data:

| Result | Count |
|---|---|
| Queried domains | 7,058 |
| Returned an SPF record | 5,298 |
| Returned the SECURE `-all` | 1,458 |
| Returned insecure `~all` | 1,920 |
| Returned insecure `?all` | 461 |
| Returned incorrect format | 1,459 |
Legend:
- `-all` = fail / reject. This is GOOD! It tells a mail server receiving messages with your domain name to only allow email from the servers listed in the SPF record. (I believe people are confused by this because it says “fail”. Fail in this case is GOOD.)
- `~all` = soft fail / accept but mark. This is BAD! It tells receiving servers they can accept the email from any server using your domain name, merely marking it.
- `?all` = neutral / accept. This is BAD! It tells receiving servers to accept the email from any server using your domain name.
How I tested:
I gathered the domain names from email addresses in our internal CRM and removed duplicate domain names. I used “dig” to batch-query DNS for TXT records, output the responses, and tallied them.
So what should you do now? Show your ADMIN! Insist on them using `-all`. Lots of you are using a third party to host email and include a “refer” tag; insist they also use `-all`.
Please test your own domain:
MXtoolbox – SPF check. Just replace Plansmith.com with your domain name. MXtoolbox might mislead you at first because the bar is green. You must look and make sure your SPF record says “ -all” at the end. If you see “ ~all”, “ ?all” or a bare “ all”, your domain name is insecure.
Good example: `"v=spf1 ip4:199.15.128.0/27 ip4:216.145.231.128/27 -all"`
If you see a result like `"v=spf1 redirect=_spf.google.com"`, replace Plansmith.com with _spf.google.com and again look for `-all`.
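The checks above (find the `all` qualifier, follow a `redirect=` to the real record) and the tally in “How I tested” can be automated. The script below is an added example, not the author’s script; it works from a constructed dictionary of TXT answers with placeholder domains instead of querying DNS, and classifies each domain into the same buckets as the table above.

```python
import re

# Constructed sample TXT answers keyed by domain, standing in for `dig txt` output.
# Domains and addresses are placeholders, not the tested banks.
SAMPLE_TXT = {
    "bank-a.example": ["v=spf1 ip4:199.15.128.0/27 -all"],
    "bank-b.example": ["v=spf1 include:spf.mailhost.example ~all"],
    "bank-c.example": ["v=spf1 mx ?all"],
    "bank-d.example": ["v=spf1 mx a"],                      # no "all" term at all
    "bank-e.example": ["v=spf1 redirect=_spf.mailhost.example"],
    "_spf.mailhost.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "bank-f.example": ["site-verification=abc123"],          # TXT present, no SPF
    "bank-g.example": ["v=spf1 +all"],                      # explicitly lets anyone pass
}

ALL_RE = re.compile(r"(?:^|\s)([-~?+]?)all(?=\s|$)", re.IGNORECASE)
REDIRECT_RE = re.compile(r"(?:^|\s)redirect=(\S+)", re.IGNORECASE)
VERDICT = {"-": "secure", "~": "softfail", "?": "neutral", "+": "pass_all", "": "pass_all"}

def classify(domain, records=SAMPLE_TXT, depth=0):
    """Return no_spf, secure, softfail, neutral, pass_all or incorrect for a domain."""
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        return "no_spf"
    if len(spf) > 1:
        return "incorrect"  # RFC 7208: more than one SPF record is a permanent error
    record = spf[0]
    # Terms evaluate left to right and "all" always matches, so the first one decides.
    match = ALL_RE.search(record)
    if match:
        return VERDICT[match.group(1)]
    redirect = REDIRECT_RE.search(record)
    if redirect:
        if depth >= 10:
            return "incorrect"  # redirect loop or chain too deep
        target = classify(redirect.group(1), records, depth + 1)
        # A redirect to a domain without SPF is a permanent error, not "no SPF".
        return "incorrect" if target == "no_spf" else target
    # No "all" and no redirect: RFC 7208 defaults the result to Neutral,
    # which is as weak as ?all; tallied under "incorrect format" like the table.
    return "incorrect"

def tally(domains, records=SAMPLE_TXT):
    """Count verdicts across a domain list, mirroring the article's table."""
    counts = {}
    for domain in domains:
        verdict = classify(domain, records)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    for domain in sorted(SAMPLE_TXT):
        print(f"{domain:28} {classify(domain)}")
    print(tally([d for d in SAMPLE_TXT if d.startswith("bank-")]))
```

To run it against real domains, replace `SAMPLE_TXT` with a dictionary built from your own `dig txt` output; only `-all` (“secure”) is the result you want to see.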
For Admins:
Common mistakes when writing SPF records: openspf.org
People list inbound servers. This isn’t needed unless it’s also your outbound SMTP server.
Another common mistake people make when setting up mail servers is that the reverse DNS lookup doesn’t match the forward lookup. For the outbound mail server, the one sending the mail, the two need to match.
Correct Example:
```
nslookup 199.15.128.25
returns mail.plansmith.com
nslookup mail.plansmith.com
returns 199.15.128.25
```
More mistakes…
The FQDN (“Fully Qualified Domain Name”) in in-addr.arpa for a mail server should NEVER be just plansmith.com. A correct FQDN would be mail.plansmith.com.
I emailed MXtoolbox last year because I found they didn’t correctly catch a few things after a bank insisted they were set up OK. MXtoolbox’s old results were their argument for why I was wrong. MXtoolbox, of course, agreed with me. Per an email from “Peter LeBlond” of MXtoolbox, MXtoolbox now shows all non-FQDN names as a warning (I’ve tested said bank and the toolbox change is live). The bank is still set up incorrectly to this day.
**Above, in my example of gmail.com, Hotmail.com, and yahoo.com, you will notice spoofed email from these addresses is allowed because they too use `~all` instead of `-all`. If your SPF record is incorrectly configured, criminals will exploit you. Please stop your domain name from unknowingly spamming us with malicious PDFs, docs, and exes! Some LARGE banks and data processor domains are regularly in our virus list. Thank you.**
About:
Christopher D. Hartman is Plansmith's VP & CTO. He has over 20 years of experience.
To contact Christopher directly, email: chrisBlogSPF@plansmith.com