Introduction

Many Companies we see today ignore the basic email validation process which eventually jeopardizes their reputation when they send emails since their emails received by people show a warning sign or a question mark (?) and many people start having apprehensions as to who exactly sent the email – some authorized company official or some hacker trying to gain access to their crucial information?

The implementation of email validation is quite simple yet many companies don’t bother to implement such measures or perhaps many companies have miss-configured email servers which can fail the validation process. The question often asked is – Why exactly? Why many companies ignore such important security measures and what can they do about it? The answer to this question may not be that simple. It could be that some companies have many subdomains of their website and they often implement email validation process on one of the subdomains (and not on the Top Level domain) leaving other sub-domain miss-configured which causes some emails being validated by email servers but emails generated from other sub-domain fail to validate.

Many big companies like Nokia, DCON, etc are some of the companies which have their email-server still miss-configured at the time of writing of this post. So what is wrong or what exactly is miss-configured? Now to understand that first take a look at how email validation works. How does your Gmail or Hotmail email server (or any other email server) determines that an email you received is actually sent by someone you think it is from?

What I mean is, one can easily change the identity of an email before sending it. For example, I can send a forged/tampered email to say, Bob such that Bob would think he received an email from Alice while Alice has no clue that someone has just used her identity to send emails. When email was launched, there was no way of authenticating the identity of a sender initially. So, back in April 2006, a new method for validating a sender’s identity was proposed in RFC4408 which outlines the introduction of a new protocol called Sender Policy Framework(SPF).

What is an SPF ?

Before I explain what SPF is, first let me clear it out what SPF is not. SPF here is not used for Sun Protection Factor that you often find on sunscreens and lotions etc. This SPF is different.This SPF is a kind of record that you keep in your DNS that is used to indicate to mail exchanges which hosts are authorized to send mail on behalf of a domain. It is basically a TXT record that is created in DNS which prevents any unauthorized person from using a domain to send emails. For example, if Alice has created an SPF record in her DNS which lists all the authorized hosts, then Bob would get a confirmation when he receives an authentic email from Alice but would get a warning sign/question mark if Bob receives an email from an unauthorized host. So, in the example in the last section, if I send an email to Bob and send my identity as Alice, Bob’s mail-server would know that the received email is NOT actually from Alice since the host used to send the email is not one of the hosts Alice has declared as authorized hosts.

SPF Record Format

This section is only for those who already have a web-domain or are responsible for the management of their company’s web-domain. If you don't have to configure any SPF record yourself, you can skip this section and go to next section.

An SPF record is typically defined using a TXT record type. It has the following format

v = spf1 a mx ip4:X.X.X.X include:_spf.google.com ~all

Here, v=spf1 is used to indicate that this is an SPF record, 'include:' followed by the address of your email exchange server address is used to indicate your authorized host (you can add multiple hosts), and '~all' indicate what should be done if an email sent from unauthorized host is received by someone. In case it is '~all', it refers to Softfail which means the email should simply be put in spam folder. In case it is '-all', it refers to Hardfail which means the received email should direclty be deleted (Not received at all all or bounced back). What is important to note is that '~all' or '-all' is always written in the end of the record.

Once configured, you can check as well if you configured it correctly by following this link and scanning your DNS entries for a correct SPF entry.

If however, you still have SPF miss-configured, the above link will show No correct SPF found in results. So, you would get an idea if your SPF is correct or not.

Why is it important for you to know?

You must be wondering you don’t have company (yet, maybe in future you will), then why you need to worry about such things at all. Indeed you are right that you need not check the configurations of an email server that you don’t have yet. But the point I am trying to make here is that you need not own a company or a website domain to learn this thing

Many people get scammed on a daily basis and one of the primary mode of attack a hacker might select is using “Emails”. People often say they never knew whether sending an email from someone else’s identity is even possible. Scammer often take advantage of this little known fact and send emails claiming to be some company officials. You might have already received some or the other scam email from some fake Government employee/Fake Prizes/Lottery Scam/some bank claiming to be official bank employee and asking you to confirm your order or perform regular security check in response to which some people might have given their credentials. While almost all the banks now-a-days have their email servers configured that only an email from their authorized hosts should be delivered to a person, while emails from all other hosts should be bounced (not delivered at all to anyone, deleted on its way). This is a good practice for banks and similar institutions. You see, how important it is to validate an email before even reading an email, let alone replying to such emails.

What exactly you need to check then?

You understood well enough what is email validation and why it is so important for you to verify the sender of an email before opening/replying to any invalidated email. Now lets see how can you check which email is a valid email and which email is not. To be frank, it is not very hard to spot an invalid one. Many people use Gmail/Hotmail as their email service provider. Gmail does a good job at displaying such invalidated emails using a question mark right before the “mail-from” header in an email, as shown below

Hovering you mouse over this question mark will show some more information saying “Gmail couldn’t verify that [sender] actually sent this email”. Hotmail does a very similar job on identifying an invalidated email. If the email, however, is validated and gmail can confirm this validation then you would probably see email header somewhat as shown below. You would not see a question mark, rather an illustration representing a person.

There are a lot of companies which have their email-servers miss-configured. A company's reputation is all it has and it certainly is not easy to earn. Reputation can be compromised to some extent due to such petty miss-configurations.

Emails form a fundamental part of our digital communications in today’s world. A major percentage of online scams occur by using such invalidated emails coupled with lack of awareness among people about general online safety and security fundamentals. So, do share this post with your friends and family and let them be aware as well.

---