EMAIL-002 critical DNS Authentication
SPF configured
SPF records exist with authorized senders and hard fail (-all) or documented soft fail (~all)
Question to ask
"Could someone send email as [email protected] right now?"
Verification guide
Severity: Critical
SPF (Sender Policy Framework) declares which servers are authorized to send email for your domain. Without SPF, anyone can spoof emails from your domain.
Check automatically:
- Query SPF for each domain/subdomain that sends email:

```bash
# SPF is a TXT record
dig TXT example.com +short | grep -i "v=spf1"
dig TXT mail.example.com +short | grep -i "v=spf1"
dig TXT transactional.example.com +short | grep -i "v=spf1"
```

- With Cloudflare API:

```bash
# List TXT records and filter for SPF
curl -X GET "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records?type=TXT" \
  -H "Authorization: Bearer $CF_API_TOKEN" | jq '.result[] | select(.content | contains("v=spf1"))'
```

- Analyze SPF record:
  - Check for authorized senders (e.g., `include:_spf.google.com`, `include:sendgrid.net`)
  - Check enforcement level at the end (`-all`, `~all`, `+all`)
Ask user:
- "Which subdomains send email?" (add to inventory)
- If `~all` (soft fail) found: "Is this intentional? How long has soft fail been in place?"
Pass criteria:
- SPF record exists for each domain/subdomain that sends email
- Includes authorized senders matching actual email providers
- Ends with `-all` (hard fail) or `~all` (soft fail)
Partial (acceptable):
- `~all` (soft fail) is OK short-term during rollout; note the duration and the plan to move to `-all`
Fail criteria:
- No SPF record on a sending domain
- SPF ends with `+all` (allows anyone to spoof; a security hole)
- Syntax errors in SPF record
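As an added example (not part of the checklist), a small Python parser that applies the "Analyze SPF record" steps and the pass / partial / fail criteria above to a record string as returned by `dig`. The sample records and domain names are constructed; the `follow-redirect` verdict for `redirect=` records and the RFC 7208 limit of 10 DNS-lookup terms are checks it adds beyond the checklist text.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup (RFC 7208 limit: 10)
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}


def analyze_spf(record):
    """Return {'senders', 'enforcement', 'issues', 'verdict'} for one SPF TXT record string."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"senders": [], "enforcement": None, "issues": ["no v=spf1 version tag"], "verdict": "fail"}
    senders, enforcement, issues, lookups = [], None, [], 0
    for pos, term in enumerate(terms[1:], start=1):
        qualifier = term[0] if term[0] in "+-~?" else "+"  # a bare mechanism means '+'
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name not in KNOWN_TERMS:
            issues.append(f"unknown term '{term}'")
        elif name == "all":
            enforcement = qualifier + "all"
            if pos != len(terms) - 1:
                issues.append("terms after 'all' are never evaluated")
        elif name != "exp":
            senders.append(body)  # include:, ip4:, ip6:, a, mx, exists:, ptr, redirect=
        lookups += name in LOOKUP_TERMS  # count mechanisms that trigger DNS queries
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if issues:
        verdict = "fail"  # syntax errors are a fail criterion
    elif enforcement == "-all":
        verdict = "pass"
    elif enforcement == "~all":
        verdict = "partial"  # acceptable short-term; record the duration and hardening plan
    elif enforcement is None and any(s.startswith("redirect=") for s in senders):
        verdict = "follow-redirect"  # the target record decides enforcement; analyze it too
    else:
        verdict = "fail"  # +all, ?all, or no 'all' term: effectively anyone can send as the domain
    return {"senders": senders, "enforcement": enforcement, "issues": issues, "verdict": verdict}


def check_domains(records):
    """records maps domain -> TXT string (or None when dig returned nothing); no record is a fail."""
    return {d: ("fail" if r is None else analyze_spf(r)["verdict"]) for d, r in records.items()}


# Constructed sample inventory (not real DNS data) covering each verdict.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net -all",
    "mail.example.com": "v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all",
    "legacy.example.com": "v=spf1 a mx +all",
    "transactional.example.com": None,
}
```

Running `check_domains(SAMPLE_RECORDS)` yields pass, partial, fail, fail for the four sample domains, which is the per-domain summary the evidence section asks for.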
Evidence to capture:
- SPF records per domain/subdomain
- Authorized senders identified
- Enforcement level (`-all` vs `~all`)
- Duration if soft fail (and plan to harden)