This week's email is a short introduction to something important, and it's something I want you all to do as regular triage for SpamTitan.


So first, let's explain what SPF and DMARC do:

SPF (Sender Policy Framework): 
Imagine you're expecting a letter from a friend, but you want to make sure it's actually from them and not someone pretending to be them. SPF is like checking the return address on the envelope. Domain owners use SPF to declare which mail servers are allowed to send emails on their behalf. When an email is received, the recipient's mail server checks the SPF record of the sender's domain to see if the sending mail server is authorized to send emails for that domain.

DMARC (Domain-based Message Authentication, Reporting, and Conformance):
Now, let's say you not only want to check the return address but also want to get a report if someone tries to impersonate your friend. DMARC is like having a security camera on your mailbox. It helps prevent email spoofing and phishing attacks by providing a way for email senders to declare their policy for emails sent from their domain and for email recipients to determine what to do if they receive emails that fail authentication checks. DMARC also allows senders to receive reports on emails that pass or fail authentication, helping them monitor and improve their email security.

So, SPF ensures that the sender's server is allowed to send emails on behalf of a domain, and DMARC adds an extra layer of security by specifying what actions should be taken if an email fails SPF or DKIM (another email authentication method) checks, and by providing feedback to the sender about these events.

Why is this important?

Imagine you bought a fancy house with the best possible security systems on the market (SpamTitan). It's not much use if you don't bother closing your front gate and locking the door (SPF and DMARC).

These two things are the primary protection against domain spoofing, and customers need to have them set up.

Get into the habit of checking whether the customer has these set up, because it'll save you tickets in the future. If we give customers the right advice straight off the bat, they have far fewer problems going forward, and nothing will make a customer jump ship faster than a spoofed mail that caused an employee to pay out to a scammer.

Also, if someone drew your attention to something that was making you vulnerable, you would trust them a lot more in the future.

This is a very easy opportunity to offer proactive support and reduce tickets for future you.

How to check SPF:

amalone@support:~$ dig TXT +short
"v=spf1 ~all"

To check DMARC you can use MXtoolbox:

Or even better, use the command line:

dig @ TXT


; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> @ TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34363
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


; EDNS: version: 0, flags:; udp: 512
;            IN      TXT


;; ANSWER SECTION:
     2983    IN      TXT     "v=DMARC1; p=none; fo=1;,;"


;; Query time: 239 msec
;; WHEN: Wed May 15 13:21:32 IST 2024
;; MSG SIZE  rcvd: 194

We can look at what the actual syntax means at a later stage, but make this a standard check you perform on all SpamTitan tickets, in the same way you would check the customer's MX records.
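
To make the check above repeatable, here is a small triage script. It is an added example, not part of the original email or any SpamTitan tooling, and it turns `dig +short TXT` answers into a one-word verdict for SPF and DMARC. The function names, verdict labels and the `example.com` domain are assumptions made for illustration; the script only looks at the SPF `all` mechanism and the DMARC `p=` tag.

```sh
#!/bin/sh
# Added example, not from the original email: turn `dig +short TXT` answers
# into a one-word triage verdict for SPF and DMARC.

# Join split TXT strings ("part1" "part2"), drop quotes, lowercase.
normalise_txt() { sed 's/" "//g; s/"//g' | tr '[:upper:]' '[:lower:]'; }

# stdin: TXT answers for the domain itself, one record per line.
spf_verdict() (
    recs=$(normalise_txt | grep -E '^v=spf1( |$)' || true)
    [ -n "$recs" ] || { echo missing; exit 0; }
    # More than one v=spf1 record is an SPF permanent error (RFC 7208).
    n=$(printf '%s\n' "$recs" | grep -c .)
    [ "$n" -eq 1 ] || { echo multiple-records; exit 0; }
    case " $recs " in
        *" -all "*) echo hardfail ;;
        *" ~all "*) echo softfail ;;
        *" ?all "*) echo neutral ;;
        *" +all "*|*" all "*) echo allow-all ;;
        *) echo no-all ;;
    esac
)

# stdin: TXT answers for _dmarc.<domain>.
dmarc_verdict() (
    rec=$(normalise_txt | grep -E '^v=dmarc1( *;|$)' | head -n 1)
    [ -n "$rec" ] || { echo missing; exit 0; }
    policy=$(printf '%s\n' "$rec" | tr ';' '\n' |
        sed -n 's/^ *p *= *\([a-z]*\) *$/\1/p' | head -n 1)
    case "$policy" in
        reject|quarantine) echo "enforced-$policy" ;;
        none) echo monitor-only ;;   # reports only, no enforcement requested
        *) echo invalid-policy ;;
    esac
)

# Live lookup. DMARC records are published at the _dmarc subdomain.
check_domain() {
    printf 'SPF:   %s\n' "$(dig +short TXT "$1" | spf_verdict)"
    printf 'DMARC: %s\n' "$(dig +short TXT "_dmarc.$1" | dmarc_verdict)"
}

if [ "$#" -gt 0 ]; then
    check_domain "$1"     # e.g. sh triage.sh example.com (placeholder domain)
else
    # The two records shown in the email, run through the parsers offline.
    printf '%s\n' '"v=spf1 ~all"' | spf_verdict
    printf '%s\n' '"v=DMARC1; p=none; fo=1;,;"' | dmarc_verdict
fi
```

A `missing`, `allow-all`, `no-all` or `monitor-only` verdict is the cue to raise SPF or DMARC setup with the customer on the ticket.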