The Next Evolution of Sender Policy Framework: Hosted SPF

Sender Policy Framework, or SPF for short, originated two decades ago to prevent scammers from sending messages from a spoofed domain. By allowing organizations to specify the mail servers that are authorized to send out emails from their domain, SPF provides a layer of protection against domain impersonation and reduces the chance of valid emails being redirected to spam folders.

Traditional SPF is still widely used, and it’s a critical component of determining DMARC compliance. But in the world of technology, twenty years is a lifetime ago. And with the rapid migration to the cloud, the traditional approach to SPF is now insufficient.

To start, the current process of manually adding IP addresses to a DNS record is ripe for human error. Breaking an SPF record could ultimately lead to legitimate emails being rejected by DMARC-enabled recipients. And once you add in the infrastructure to support a large number of software-as-a-service providers, managing an SPF record correctly can be quite daunting.

SPF for the future: Hosted SPF

Overcoming the above limitations, as well as the 10 SPF DNS lookup limit, requires a macro-based environment. But implementing and maintaining a macro-based SPF solution isn’t for the faint of heart. It’s probably best to find a Hosted SPF solution that’s based on macros. However, we’ve seen that not all approaches are equal.
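The lookup limit discussed above can be checked before a record is published. The following is an added example, not code from the original post or from Proofpoint: it counts the DNS-querying terms (include, a, mx, ptr, exists, redirect) reachable from a record, which RFC 7208 section 4.6.4 caps at 10. All domains and records are constructed, the macro record's layout is an assumption rather than any vendor's scheme, and the count is a worst case because real evaluation stops at the first match.

```python
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed sample TXT records for placeholder domains (not real data).
ZONE = {
    "corp.example": "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example include:_spf.desk.example ip4:192.0.2.10 -all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example include:_c.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailer.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_c.mailer.example": "v=spf1 a mx ~all",
    "_spf.crm.example": "v=spf1 include:_x.crm.example a:out.crm.example ~all",
    "_x.crm.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "_spf.desk.example": "v=spf1 exists:%{i}._ok.desk.example ~all",
    # Hypothetical macro-based record: one include, expanded per sending IP.
    "hosted.example": "v=spf1 include:%{i}._ip.%{d}._spf.vendor.example -all",
}

def parse_term(term):
    """Return (name, target) for a term that costs a DNS lookup, else None."""
    if term.lower().startswith("redirect="):
        return "redirect", term.split("=", 1)[1]
    body = term.lstrip("+-~?")              # drop the qualifier
    name, _, rest = body.partition(":")
    name = name.split("/")[0].lower()       # drop CIDR suffix on bare a/mx
    if name in LOOKUP_TERMS:
        return name, rest.split("/")[0] or None
    return None                             # ip4, ip6, all, exp=: no lookup

def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case (lookups, uses_macros) reachable from domain's record."""
    if domain in path or domain not in zone:  # include loop or unknown record
        return 0, False
    total, macros = 0, False
    for term in zone[domain].split()[1:]:     # skip the "v=spf1" version tag
        parsed = parse_term(term)
        if not parsed:
            continue
        name, target = parsed
        total += 1
        if target and "%{" in target:
            macros = True   # target depends on the message; not followed here
        elif name in ("include", "redirect"):
            sub, sub_macros = count_lookups(target, zone, path + (domain,))
            total, macros = total + sub, macros or sub_macros
    return total, macros

def audit(domain, zone=ZONE):
    total, macros = count_lookups(domain, zone)
    return {"domain": domain, "lookups": total,
            "over_limit": total > LOOKUP_LIMIT, "uses_macros": macros}
```

On the sample data, `audit("corp.example")` reports 12 lookups from only three vendor includes, while the macro-based `hosted.example` record costs a single lookup at the top level.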

Here are some key items to keep in mind as you plan your SPF approach for the future:

  • Data ownership at termination. This is a major consideration. As with any hosted SPF solution, it’s critical to understand how easy it would be to migrate to another solution in the future if needed. Not all vendors are willing to provide the information you need, as they will try to lock you into their solution.
  • Protection of IP information. You want to make sure that outsiders can’t view your IP list. We call this “security through obscurity,” and it helps prevent attackers from using your IP information against you.
  • Redundancy and uptime. Using a solution that has multiple geographic locations will help provide DNS redundancy. Also, having 24/7/365 proactive monitoring is a must to ensure business continuity.
  • Human error. We touched on human error being a concern with traditional SPF. So, when selecting a hosted SPF alternative, you’ll want to find a solution that automates these updates and refreshes the data frequently to ensure it’s current. This is especially true in larger environments where the parent domain will inherit errors introduced at the child level.

And finally, from an auditing perspective, you will want to make sure you can track and annotate changes that occur over time.

Partnering for success

Understanding how well a hosted SPF solution provider can address the considerations above can help in choosing a vendor, if you decide to work with one. Make sure to identify a partner committed to making your SPF journey, as well as your larger email authentication journey, successful. Your partner will need to have the resources and expertise to help guide you on what you should do when planning your SPF approach for the future, and the experience to know what you shouldn’t!

Learn more

Hosted SPF is now a standard feature of Proofpoint Email Fraud Defense, helping you simplify your DMARC journey and better protect against email identity deception. Learn how to take advantage of Hosted SPF within EFD.

For more information regarding Hosted SPF or email authentication, please contact your Proofpoint account team to discuss how Proofpoint can help improve your security posture by simplifying your DMARC journey. 