Email Adventures: Setting up an SPF Record to Combat Domain Spoofing

Our domain got spoofed. The first indication was a ton of auto-responders in the past week that all got delivered to our catch-all email account. Most of these auto-responders were supposedly in response to our emails. But the message headers revealed a ton of emails sent under our domain name with unknown user names: TerimaddoxSilver@appropriateit.org, JennaeconometricGalindo@appropriateit.org, HenriettasuperstitiousLin@appropriateit.org, and so on. This is just a sample; we had 70+ such unknown users on one single day.

Setting up a Sender Policy Framework (SPF) record is one way to prevent domain spoofing.

To quote from DreamHost’s wiki page on SPF:

SPF, or Sender Policy Framework (aka Sender ID), fights return-path address forgery and makes it easier to identify spoofed e-mails. This is because domain owners identify all mail servers that send e-mail on their behalf within their DNS entries. Mail servers that receive SMTP e-mail verify the envelope sender address against the information in DNS, and thus can distinguish between authentic messages and forgeries before any message data is transmitted.

You can find more information about SPF at OpenSPF.org.

SPF configuration is a three-step process. First, you get the SPF value from your email host. Then, you set it up as a DNS entry at your domain host. Finally, you test to ensure that everything is working as it should. Here is our step-by-step guide for setting up an SPF record, in case it helps someone looking for information on how to do it for their own domains:

  1. Our first stop was our email host, Gmail, which provided the SPF value on a help page. If you host your own mail, have multiple subdomains, or have other complications and need help creating the SPF value, the SPF Setup Wizard will come in handy.
  2. The next step was to set up the SPF record on DreamHost, our domain host. As any good host would, DreamHost had a wiki page that walked us through the steps of how to add a TXT record to our DNS. Your own host should have this information readily available in their help section. If not, ask them for it.
  3. Finally, we validated our SPF record using a testing tool from Scott Kitterman. We then ensured that our email messages were carrying the right SPF information and were being delivered correctly by sending test emails to spf-test@openspf.org and check-auth@verifier.port25.com. We obtained these addresses from OpenSPF.org’s tools page.
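The validation in step 3 can also be done offline before the TXT record goes live. The following is an added example, not code from this post or from the tools it mentions: a small lint that applies RFC 7208 rules to a domain's TXT strings. The `lint_spf` name and the sample records are constructed for illustration.

```python
import re

# Mechanisms that cost the receiver a DNS lookup (RFC 7208 caps the total at 10).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
KNOWN_MECHS = LOOKUP_MECHS | {"ip4", "ip6", "all"}
MODIFIER = re.compile(r"^([a-z][a-z0-9._-]*)=(.+)$", re.I)
MECHANISM = re.compile(r"^([+\-~?]?)([a-z0-9]+)([:/].+)?$", re.I)

def lint_spf(txt_records):
    """Return a list of problems in a domain's TXT records (empty list = clean)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records (receivers return permerror)"]
    problems, lookups, seen_all, has_redirect = [], 0, False, False
    for term in spf[0].split()[1:]:
        mod = MODIFIER.match(term)
        if mod:  # modifiers (redirect=, exp=) are position-independent
            if mod.group(1).lower() == "redirect":
                has_redirect, lookups = True, lookups + 1
            continue
        mech = MECHANISM.match(term)
        name = mech.group(2).lower() if mech else None
        if name not in KNOWN_MECHS:
            problems.append(f"unknown mechanism '{term}' (permerror)")
        elif seen_all:
            problems.append(f"'{term}' follows 'all' and is never evaluated")
        elif name == "all":
            seen_all = True
            if mech.group(1) in ("", "+"):
                problems.append("'+all' authorizes every host to send as this domain")
            elif mech.group(1) == "?":
                problems.append("'?all' is neutral: forged mail is not flagged")
        elif name in LOOKUP_MECHS:
            lookups += 1
    if not seen_all and not has_redirect:
        problems.append("no 'all' term: unlisted senders get a neutral result")
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return problems

# Constructed sample TXT record sets, not taken from the original post.
SAMPLES = {
    "gmail-style": ["google-site-verification=PLACEHOLDER", "v=spf1 include:_spf.google.com ~all"],
    "permissive": ["v=spf1 mx +all"],
    "duplicate": ["v=spf1 mx -all", "v=spf1 include:_spf.google.com ~all"],
}
if __name__ == "__main__":
    print({label: lint_spf(records) for label, records in SAMPLES.items()})
```

A clean result here only means the record is well-formed; the test mailboxes in step 3 are still what confirm that real outgoing mail passes.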

That (hopefully) brings us to the end of the domain spoofing email adventure chapter. However, it is just a matter of time before spammers find newer ways to harass users, which will force us to embark on other similar adventures. Such are the drawbacks of technology that progresses by leaps and bounds.
