Missing SPF record: Vulnerability Or Not?
Sunday, April 17, 2016
By Jitendra
Hi Followers,
First of all sorry for the delay in the new post.
So this post is about the SPF (Sender Policy Framework) record. I am writing this post because many bug hunters think a missing SPF record is a simple and common vulnerability. But from my perspective this is not a security issue at all.
Many security researchers who want to make easy money from bug hunting report this first to any website that has a bug bounty program, and within 1 or 2 hours there will be about 30-40 reports about SPF records.
What are SPF records?
Basically, Sender Policy Framework records are used when you want to allow some third-party service to send emails on behalf of your domain. The purpose of adding these records is to prevent malicious users from sending forged email from your domain.
But there is an exception: SPF records alone can't prevent malicious users from sending email from your domain; you also have to add a DMARC record. I have written a post about this and you can find it Here.
The SPF record of a domain looks like this one:
v=spf1 include:_spf.google.com ~all
There are two ways of defining "all" here:
1. ~all: It is used for softfail
2. -all: It is used for hardfail
Basically, checking the SPF record is up to the receiving MTA; if there is no SPF record, it checks the MX record of the domain. As I also stated above, SPF records are only necessary if you want to allow a third-party service to send emails on behalf of your domain.
And if you are not using any third-party service then you don't have to add SPF records.
A missing SPF record doesn't pose a security risk at all.
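As an added illustration, not code from the original post, here is a minimal SPF evaluator run against a constructed in-memory "zone" (the domain names and IP ranges are hypothetical). It shows how the record above is evaluated for a given sending IP: `include:` pulls in the third-party service's ranges, `~all` yields softfail and `-all` yields fail for anything else, and a domain with no record yields the result "none" rather than a failure.

```python
import ipaddress

# Constructed in-memory "DNS" zone for the example (hypothetical, not real records).
ZONE = {
    "example.com": "v=spf1 include:_spf.mailer.example ~all",   # softfail policy
    "_spf.mailer.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "strict.example": "v=spf1 ip4:203.0.113.0/24 -all",         # hardfail policy
    "nospf.example": None,                                       # no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, zone=ZONE, depth=0):
    """Return the SPF result for sender_ip sending mail as @domain.

    Supports the ip4, include and all mechanisms with the +, -, ~ and ? qualifiers,
    which is enough to evaluate the records discussed in the post.
    """
    if depth > 10:
        return "permerror"          # RFC 7208 limits DNS-querying mechanisms
    record = zone.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"               # no policy published: not a failure, just no check
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]  # catch-all: ~all -> softfail, -all -> fail
        if name == "ip4" and ip.version == 4:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            # include matches only when the referenced record returns "pass"
            if check_spf(arg, sender_ip, zone, depth + 1) == "pass":
                return QUALIFIERS[qual]
    return "neutral"                # no mechanism matched and no "all" term
```

Running `check_spf("example.com", "203.0.113.5")` returns "softfail" while the same IP against `strict.example` returns "pass", which is the practical difference between `~all` and `-all` that a reviewer of such reports should look at.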
However, to prevent spamming from a particular domain you also have to define DMARC records.
DMARC records dictate the mail policy of a domain. If DMARC records are added, the SPF record lists the domains that are allowed to send emails on behalf of that domain, and if someone tries to spoof an email from a third-party service that is not defined in the SPF record, the mail will be rejected or marked as spam by the receiving mail servers.
Hope this post helped you.
If you have any suggestions on how we can make this blog more interesting, or you have a question about this post, then feel free to comment.
Cheers
Jitendra (Team Computer Korner)