- 2024
- Feb
- 4
Multiple email SPF records? Yeah, go away kid, we don’t care.
I’ve written about email security and having the proper records set in the past, but last week I ran across probably one of the most interesting (and really bad) ones to date.
I use an email service that I pay for, simply because I like having my own domain name - as you can probably tell by the links that pepper my posts, and the fact that you’re reading this on Wereboar.
Sunday, I (was supposed to have!) received an email from a large corporation that contained information that I paid for. Didn’t get it, so I logged in to my email maintenance console - and there they were.
They were quarantined in a way I’d never seen before. All text and links were struck out. Nothing could be clicked. You could move them around, but they would never pass into visibility in any IMAP folder. The only thing I could do is delete them in the maintenance console. The system would not release them - they were so suspicious that they just wouldn’t. Period.
The first thing I do is check the company in question’s email records using mxtoolbox - and there it is. Two SPF records. While this was acceptable at one point, a change to the way email worked - IN 2014! - made having multiple records of this type a red flag, and any email system worth it’s salt will, at minimum, dump these into spam.
SPF is a text record set in an email service that tells the email server who is allowed to send mail. You’re allowed one. Having more than one means that someone else could have set one without your knowledge - and that leads to all kind of interesting scenarios, the least of which is lots of spam being relayed through your email server.
The change that allowed only one SPF record was made in 2014. That means this large multi-national corporation has had 10 years to make this simple fix to their email system.
My email service didn’t put these in spam, it simply said “Nope, not going to let you have these, they’re suspicious beyond compare.” The fact that it’s a world-wide operating company that many use on a daily basis is even worse. They have the time and resources to take 10 minutes and set their email server up properly. I made a complaint. Will they change it?
No. They literally don’t care. Send an email to the ones set in their other security record (DMARC) and it comes back “mailbox full.” No one is even looking at issues.
So, did I get my information? Yes. I keep a couple of old Gmail addresses for whatever reason - nostalgia I guess. Gmail used to be the gold standard for consumer email service, but now it’s the library book of email services. It accepted the malformed records without complaint, which it absolutely should not have done.
What do you need to take away from this? As email becomes more and more weaponized, you’re going to have more systems rejecting your email. Fix your $&$! crap. If you don’t know how, hire someone to do it for you.
If you don’t, there’s going to be a time when you can’t get your email through. And that’s going to be purely your fault.
Don’t wait. Fix it. Now.