Teri Radichel


SPF Records for Email

One DNS record to add for email security (more in other posts)


In the last post I showed you how to manually set up DNSSEC on domains in AWS to help prevent domain spoofing.

In this post I’ll show you how to add an SPF record to your DNS records to help secure email. But we’re not done: SPF alone is not really good enough. I have more posts on this topic to follow, so implement this record and stay tuned for the rest.

Set up an SPF record on your domain

SPF records have been around a long time. Typically you need to find out from your email hosting provider what your SPF record needs to contain. If multiple systems and providers are allowed to send email from your domain, things get a bit more complicated.

I would like to link to the page where I got this but it’s behind a login. You can search for “google spf” in Google.

The SPF record in case you use Google and want to copy it:

v=spf1 include:_spf.google.com ~all

Just like in the last post we need to add a record in our DNS zone. We’ll choose the type TXT, the value shown above and we can set the TTL to 3600 as shown.

Be aware that if you use third-party services to send email from your domain things get a bit more complicated. Search for “Google Define your SPF record” to find this information.

If you want to allow AWS SES you might need to add something like this, but check the documentation because I haven’t looked at this in a while.

v=spf1 include:_spf.google.com include:amazonses.com ~all

Also a note on ~all and -all. A tilde (~all) means soft fail and a dash (-all) means hard fail. Hard fail sounds better, but you need to test it out to make sure it doesn’t cause legitimate email to fail. See the reference at the bottom of this post. Why all systems don’t handle this properly is a question for those that don’t.
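To make the include and ~all / -all semantics concrete, here is an added Python example that is not part of the original post: a minimal SPF evaluator run over a constructed in-memory TXT table (the contents listed for _spf.google.com and amazonses.com are made-up placeholders, not the real published records). It shows the verdict an unlisted sending IP gets under ~all versus -all, how an include only matches on a "pass", and why two SPF records on one name is a permanent error.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (no network access). The include
# targets hold placeholder ranges, not Google's or Amazon's real SPF data.
# example.com is stored with the quotes Route 53 shows around TXT values.
FAKE_TXT = {
    "example.com": ['"v=spf1 include:_spf.google.com include:amazonses.com ~all"'],
    "strict.example.com": ["v=spf1 include:_spf.google.com -all"],
    "dup.example.com": ["v=spf1 -all", "v=spf1 include:_spf.google.com ~all"],
    "_spf.google.com": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "amazonses.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, txt=FAKE_TXT):
    """Return the one SPF TXT record for domain (quotes stripped), or None."""
    recs = [r.strip('"') for r in txt.get(domain, [])
            if r.strip('"').lower().startswith("v=spf1")]
    # RFC 7208: zero or more than one v=spf1 record is a permanent error.
    return recs[0] if len(recs) == 1 else None


def check_spf(domain, ip, txt=FAKE_TXT, depth=0):
    """Evaluate ip against domain's SPF record; supports ip4/ip6/include/all."""
    rec = spf_record(domain, txt)
    if rec is None or depth > 10:          # missing/duplicate record or loop
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:           # skip the v=spf1 version tag
        q = "+"                            # default qualifier is pass
        if term[0] in QUALIFIERS:
            q, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                  # ~all -> softfail, -all -> fail
            return QUALIFIERS[q]
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[q]
        elif name == "include":            # matches only if the target passes
            sub = check_spf(arg, ip, txt, depth + 1)
            if sub == "pass":
                return QUALIFIERS[q]
            if sub == "permerror":
                return "permerror"
        # a, mx, ptr and redirect= need live DNS and are out of scope here
    return "neutral"                       # no mechanism matched, no "all"
```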

In order to add an SPF record to your domain on AWS, log in and head over to the Route 53 dashboard.

Click on the hosted zone for the domain you want to update.

Add a record matching the values in Google’s instructions:

But wait… I tested the above record, created to match Google’s instructions, and it did not work. I tried mxtoolbox.com and the SPF record checker from Mimecast.com.

They both said I didn’t have an SPF record until I removed the @ symbol. Is that an AWS DNS issue or a Google documentation issue? Not sure. Also not sure why AWS insists on adding quotes to my SPF record. Not sure if those should be there but once I removed the @ symbol the SPF record worked.

Note that because I’m old-school I created an SPF type record instead of a TXT type record initially. SPF records were added to domains in the past, but that has changed. Now systems use TXT records for this purpose. See the reference at the bottom of this post.

It is worth noting that, at one point, SPF records had a dedicated DNS record type. The dedicated record type has since been deprecated and only TXT records are to be used.

https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/

That’s why when you see the SPF option in the AWS drop-down it says not recommended. This is confusing and I wish they would just remove it since it’s no longer supposed to be used, or give people a big warning with a link to information explaining that it has been deprecated.

OK add that to all your domains now and check back tomorrow for more information on how you can further secure your email using hosted zones on AWS Route 53.

References:

In the next post I add DKIM for additional email security.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023
