Sender Policy Framework (SPF) is an email authentication method used for detecting forged sender addresses in emails. Essentially, it’s part of the security toolkit used to counter forged visible email addresses, or email spoofing, which is one of the ways spammers and phishers try to trick you. Reading up on it, I decided to check how many high-profile business law firms in Finland currently use SPF for their email domains. Turns out, many don’t. You can read about that further below.

How does it work?

The Simple Mail Transfer Protocol (SMTP), the relevant Internet standard for email transmission, basically allows anyone to send email claiming to be from any source email address. SPF, then, allows the owner of an Internet domain to specify which computers are authorized to send mail under addresses in that domain. So, say, you were Avance Attorneys and wanted to make sure that email from @avance.com only makes it effectively through to the recipient when sent from their Office 365 mail server or from the servers of an emailer application used for client newsletters. What you would do is add the addresses of those servers to the SPF record, which is a part of the Domain Name System (DNS) records of the domain. And that is pretty much what they have done.

One limitation of SPF is that we’re not actually talking about the readily visible source addresses, the ones people see when looking at an email, but the so-called envelope-from address transmitted along with the message. However, receiving mail systems check for SPF records, so forged emails are in any case more likely to be caught in spam filters.

Who’s a bad boy?

Querying for SPF records of different law firm domains (on 20 Feb 2020) through this service, this is what I found:

Domain              SPF?
avance.com          yes
borenius.com        no
castren.fi          no
dittmar.fi          yes
hannessnellman.fi   no
hpp.fi              yes
krogerus.com        no
roschier.com        yes
twobirds.com        yes
whitecase.com       yes
ww.fi               yes

Interestingly, the SPF records also leak information about some of the systems in use at those firms. For example, an include of the domain spf.protection.outlook.com seems to indicate that firms like Avance, HPP and Roschier have embraced Office 365 and are using a cloud-hosted version of Exchange. You can also see some third-party mailer services in use. As for firms that don’t have any SPF records, I’m not sure how much you can read into it regarding their general security posture — but ouch, you failed this one!
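To make concrete both how a receiving server evaluates an SPF record against the connecting IP (the mechanism described under "How does it work?") and how the include: mechanisms reveal which third-party senders a domain delegates to, here is a small evaluator I wrote for this post. It is an added example, not code from the original post or from any of the firms mentioned. It runs entirely offline: the domain names (.test), TXT and A records, and IP addresses are constructed sample data standing in for real DNS lookups, and the evaluator covers only the ip4, ip6, a, include and all mechanisms (mx, ptr, exists, macros and the redirect= modifier are not implemented and yield permerror).

```python
import ipaddress

# Constructed DNS data (hypothetical .test names, documentation-range IPs) so the
# evaluator runs offline; a real checker would query DNS here instead.
FAKE_DNS = {
    ("example-firm.test", "TXT"): ["v=spf1 ip4:203.0.113.0/24 a include:_spf.mailer.test -all"],
    ("example-firm.test", "A"): ["192.0.2.250"],
    ("_spf.mailer.test", "TXT"): ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    ("nospf-firm.test", "TXT"): ["site-verification=constructed-value"],
}

def fake_lookup(name, rtype):
    """Stand-in for a DNS resolver: returns the constructed records of one type."""
    return FAKE_DNS.get((name.lower(), rtype), [])

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def get_spf_record(domain, lookup):
    """Return the domain's single v=spf1 TXT record, or None if it has none.
    More than one SPF record is a permanent error (RFC 7208 section 3.2)."""
    spf = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(spf) > 1:
        raise ValueError("permerror: multiple SPF records")
    return spf[0] if spf else None

def parse_spf(record):
    """Split a record into (qualifier, mechanism, argument) terms.
    Modifiers such as redirect= and exp= are dropped in this simplified parser."""
    terms = []
    for token in record.split()[1:]:          # skip the leading 'v=spf1'
        if "=" in token.split(":", 1)[0]:     # 'name=value' is a modifier, not a mechanism
            continue
        qual = "+"                            # an unqualified mechanism means 'pass'
        if token[0] in QUALIFIERS:
            qual, token = token[0], token[1:]
        name, _, arg = token.partition(":")
        if "/" in name:                       # 'a/24' form: move the CIDR into the argument
            name, _, cidr = name.partition("/")
            arg = "/" + cidr
        terms.append((qual, name.lower(), arg))
    return terms

def _split_cidr(arg):
    """'domain/24' -> ('domain', 24); '' -> ('', None)."""
    dom, _, cidr = arg.partition("/")
    return dom, (int(cidr) if cidr else None)

def evaluate(domain, sender_ip, lookup=fake_lookup, _depth=0):
    """Result of checking sender_ip against the SPF policy of domain:
    pass, fail, softfail, neutral, none or permerror."""
    if _depth > 10:                           # recursion guard in the spirit of the RFC 7208 lookup limit
        return "permerror"
    try:
        record = get_spf_record(domain, lookup)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"                         # no SPF record published at all
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "a":
            target, cidr = _split_cidr(arg)
            for addr in lookup(target or domain, "A"):
                net = ipaddress.ip_network(f"{addr}/{cidr or 32}", strict=False)
                if ip.version == net.version and ip in net:
                    matched = True
                    break
        elif mech == "include":
            # include: matches only if the included domain's policy returns 'pass'
            matched = evaluate(arg, sender_ip, lookup, _depth + 1) == "pass"
        else:
            return "permerror"                # mx, ptr, exists, macros: not implemented here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                          # nothing matched and no 'all' term present

def included_domains(record):
    """Third-party senders a record delegates to (this is what reveals, e.g., Office 365 use)."""
    return [arg for _, mech, arg in parse_spf(record) if mech == "include"]

def spf_table(domains, lookup=fake_lookup):
    """Reproduce the yes/no survey above for a list of domains."""
    return {d: ("yes" if get_spf_record(d, lookup) else "no") for d in domains}

if __name__ == "__main__":
    for d, has in spf_table(["example-firm.test", "nospf-firm.test"]).items():
        rec = get_spf_record(d, fake_lookup)
        print(d, "SPF:", has, "includes:", included_domains(rec) if rec else [])
    for ip in ("203.0.113.7", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(ip, "->", evaluate("example-firm.test", ip))
```

Swap fake_lookup for a function that performs real TXT and A queries and the same evaluator reproduces the survey: a domain returning none has published nothing, while the include arguments of the others are exactly the third-party services the post reads off the records.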