How spoofed emails can evade SPF

Welivesecurity.com provides an excellent explainer on the nuances of the Sender Policy Framework (SPF) and how a poorly implemented SPF record can leave a domain open to abuse. They cite a 2022 study indicating that 32% of the 1.5 billion registered domains have an active SPF record, but 7.7% of those records had improper syntax and 1% still used the deprecated PTR mechanism.

However, as they note, an SPF record is effectively useless if the set of IP addresses and servers it authorizes is overly permissive. One spam email received by the author provided a case study of exactly that: when he checked the SPF record of the spoofed sender domain, it turned out to permit 178.33.104.0/2, which covers every IPv4 address from 128.0.0.0 to 191.255.255.255 — approximately 25% of all IPv4 addresses in existence! The author cites another domain whose record was configured to permit 0.0.0.0, which is every IPv4 address. Both domains were notified of their misconfigured SPF records.

Any domain used to send mail via SMTP should have an SPF record. Several major email providers, Google and Microsoft among them, now require one before they will accept mail. As indicated, it also cuts down on spoofing that can harm your organization’s reputation. It’s worth checking the SPF configuration of every domain you manage to ensure the record is set properly and kept as restrictive as possible.
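The following script is an added example, not code from the WeLiveSecurity article or from this post's author. It parses an SPF TXT record with the standard library only and audits it for the problems described above: an `ip4:` mechanism whose prefix is wider than a chosen threshold (the `/16` cut-off is an assumption for this example), a pass-all `+all`, the deprecated `ptr` mechanism, a malformed address, and more than the ten DNS-querying mechanisms RFC 7208 allows. The sample records in the `__main__` block are constructed to mirror the cases in the text; to audit a real domain you would feed in the TXT record you retrieved yourself.

```python
import ipaddress
import re

IPV4_TOTAL = 2 ** 32           # size of the whole IPv4 address space
MAX_REASONABLE_PREFIX = 16     # assumption for this example: anything wider than /16 is flagged
# Mechanisms and modifiers that cost a DNS query and count toward the RFC 7208 limit of 10
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_DNS_LOOKUPS = 10

# qualifier (optional), mechanism/modifier name, then everything after it (':', '=' or '/' included)
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(.*)")


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, argument) tuples.

    The qualifier defaults to '+', as RFC 7208 specifies; the argument keeps its
    leading separator so callers can tell 'ip4:1.2.3.0/24' from 'a/24'.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    parsed = []
    for term in terms[1:]:
        match = TERM_RE.fullmatch(term)
        if match is None:
            raise ValueError(f"unparseable SPF term: {term!r}")
        qualifier, name, argument = match.groups()
        parsed.append((qualifier or "+", name.lower(), argument))
    return parsed


def ip4_coverage(cidr):
    """Return (network, address count, fraction of IPv4 space) for an ip4: argument.

    A bare address without a mask means /32. strict=False normalises host bits,
    so '178.33.104.0/2' is reported as the 128.0.0.0/2 block it really authorizes.
    Raises ValueError for a malformed address.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    return net, net.num_addresses, net.num_addresses / IPV4_TOTAL


def audit_spf(record):
    """Return a list of human-readable findings for one SPF record (empty list = clean)."""
    findings = []
    lookups = 0
    for qualifier, name, argument in parse_spf(record):
        if name == "ip4":
            cidr = argument[1:]  # drop the leading ':'
            try:
                net, count, fraction = ip4_coverage(cidr)
            except ValueError:
                findings.append(f"syntax: invalid ip4 argument {cidr!r}")
                continue
            if net.prefixlen < MAX_REASONABLE_PREFIX:
                findings.append(
                    f"overly permissive: ip4:{cidr} covers {net.network_address}-"
                    f"{net.broadcast_address} ({count} addresses, {fraction:.1%} of IPv4)"
                )
        elif name == "all" and qualifier == "+":
            findings.append("overly permissive: '+all' lets any host on the internet pass")
        elif name == "ptr":
            findings.append("deprecated: 'ptr' mechanism should not be used (RFC 7208 section 5.5)")
        if name in DNS_MECHANISMS:
            lookups += 1
    if lookups > MAX_DNS_LOOKUPS:
        findings.append(
            f"too many DNS lookups: {lookups} (RFC 7208 permits at most {MAX_DNS_LOOKUPS}; "
            "receivers return permerror beyond that)"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample records modelled on the cases discussed in the text.
    samples = {
        "case-study":      "v=spf1 ip4:178.33.104.0/2 -all",
        "pass-everything": "v=spf1 ip4:0.0.0.0/0 ptr +all",
        "reasonable":      "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    }
    for label, rec in samples.items():
        print(f"{label}: {rec}")
        for finding in audit_spf(rec) or ["no findings"]:
            print("  -", finding)
```

`ip4_coverage` normalises the block the way a receiving mail server evaluates it, which is why the case-study record is reported as 128.0.0.0 through 191.255.255.255 rather than as the address the administrator typed. The `/16` threshold is deliberately generous; many organisations would set it tighter.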