How to stop spam, part II: Prevent spoofing with SPF
Many of us know malicious email when we see it… or so we think.
Then, one day, you receive a strange email from a friend asking you to send 1,000 dollars to help get them back into the country. Or maybe it’s from one of your vendors, sending you an invoice in a strange file format. Or maybe it’s from one of your cloud app providers, asking you to reset your password.
In all cases, it seems suspicious at first glance. But the email address is indeed a trusted source… there’s no way it’s phishing, is it?
“Phishing” is when the bad guys masquerade as someone trustworthy. In the past, they’d blast phony emails from the IRS or FedEx. Today, they’ve gotten smarter. They choose their targets carefully. And they design their emails to look as though they came from a trustworthy source.
An email protection service safeguards you and your users in case you click a malicious link. But what’s to stop a spammer from sending out fake emails to YOUR customers that look like they’re from YOUR company?
If you’re an IT administrator, you need to read this. If you’re not an IT administrator, you need to send this to him or her right away.
Strategy #2: Use SPF to avoid spoofing
A “sender policy framework” (or SPF, for short) effectively creates a white list of servers that are allowed to send mail on behalf of your domain name.
Here’s why this is important. It’s actually pretty easy for a spammer to make email look like it’s from @intermedia.net, or @whitehouse.gov, or any other domain. (My colleague Dave tells me he used this trick in college—back before SPF was common—to convince his brother that he was getting emails from Bill Clinton.)
SPF was built to stop this trick. Whenever you receive an email from @intermedia.net, the SPF record allows your server to confirm which servers we’ve allowed to send mail on our behalf. If the email is sent from a server we didn’t explicitly flag as trustworthy, it won’t be delivered.
The SPF protocol has become one of the standard methods for fighting spam. What’s more, emails sent from domains WITHOUT an SPF record are increasingly being flagged as spam. So to protect your customers as well as to ensure you aren’t falsely blacklisted, we STRONGLY recommend setting up an SPF record.
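To make the check described above concrete, here is an added example (not code from this post or from Intermedia) of how a receiving server evaluates an SPF record: it walks the record's mechanisms in order and returns the result of the first one that matches the sending IP. The domains, addresses and the DNS_TXT lookup table are constructed placeholders so the example runs offline; a real check would resolve the TXT records via DNS.

```python
import ipaddress

# Constructed DNS lookup table standing in for real TXT queries (placeholder
# domains and addresses), so the example runs offline.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result for sender_ip claiming to send mail as domain.

    Supports the ip4, ip6, include and all mechanisms with their qualifiers;
    any other mechanism yields 'permerror'. Recursion through include: is
    capped, mirroring the lookup limit a real resolver-based check enforces.
    """
    if depth > 10:
        return "permerror"
    record = DNS_TXT.get(domain)
    terms = record.split() if record else []
    if not terms or terms[0] != "v=spf1":
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True  # catch-all: decides what happens to everyone else
        elif name in ("ip4", "ip6"):
            # 'in' is False when the address family differs, so ip4 never
            # matches an IPv6 sender and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only if the referenced domain's record passes
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match
```

A receiving server that gets "fail" for a message claiming to be from example.com is seeing exactly the spoofing case the post describes: the sending server was never whitelisted.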
Here’s an article that describes how to set up SPF records for hosted Exchange.