E-mail Protection Guides - Vipre and SPF

Background - SPF failures

In addition to the spam that has been around for years, there is an ever-increasing number of attempts to breach organisations' security by sending "phishing" e-mail and e-mail containing malware. Systems such as Vipre (Fusemail) provide protection by scanning the e-mail's contents and filtering accordingly.

One technology the filtering services have started enforcing is "Sender Policy Framework" (SPF). This has been around for many years; however, until recently these service providers did not enforce it because not many companies had it configured for sending e-mail. SPF is a way for a company to indicate which systems are allowed to send e-mail on its behalf. If an e-mail fails SPF checks, it implies that the system, or domain, it is coming from is not on the approved list.

Recent changes - why is this affecting you now?

Recently, Vipre (and other similar systems such as Microsoft ATP) have been tightening up how their mail filters handle security to help prevent spoofed email phishing attacks. 

Vipre are now using SPF as a strong signal to alert people to potentially spoofed e-mail, and there is an increasing tendency for e-mail detected as spoofed to be quarantined. This means it has become more important for recipients to regularly check their quarantine.

Our customers often forward on quarantined e-mails to ask why they've been blocked. We have configured Vipre to indicate when a message has been quarantined due to an SPF failure. When investigating further it usually turns out that the company sending the e-mail has not set up their SPF record correctly. This can be for several reasons - they might have initially had it set up correctly, then changed e-mail provider, and not realised that they needed to update their SPF record. Or they may have started using additional systems to send e-mails. For example, companies may send e-mail from their CRM, quotation system, accounting system, purchasing system, or a marketing system such as Mailchimp or Hubspot.


The "SPF record" is a setting in a company's Domain Name System (DNS) which tells anyone on the Internet which e-mail servers are trusted to send e-mail on their behalf. Therefore, if an e-mail is sent from a system that is not in that list of trusted servers, or if no SPF record has been set up, then the receiving system will, quite correctly, identify that the sender is not a trusted sender.

These protections are in place both to protect the company sending the e-mail from being impersonated and to protect you from receiving a spoofed e-mail.
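The following is an added example, not part of the original guide or of Vipre's own checks, showing how a receiving system evaluates an SPF record and why a record that was not updated after adding a new sending service produces a failure. The domains, IP addresses and the "bulkmail" marketing platform are constructed for illustration, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed sample data: stands in for DNS TXT lookups so this runs offline.
# Domains and addresses are illustrative (reserved example/documentation ranges).
SAMPLE_TXT = {
    # Lists only the original mail host; a newly added marketing platform is missing.
    "supplier.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # Corrected record: the marketing platform's senders are included as well.
    "fixed.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.bulkmail.example -all",
    "_spf.bulkmail.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, txt=SAMPLE_TXT, depth=0):
    """Evaluate SPF for sender_ip using the ip4, ip6, include and all mechanisms."""
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    if depth > 10:
        return "permerror"  # guard against include loops
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            result = check_spf(value, sender_ip, txt, depth + 1)
            if result in ("none", "permerror"):
                return "permerror"  # broken include invalidates the whole record
            matched = result == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, exists and modifiers are not evaluated here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and there was no "all" term


if __name__ == "__main__":
    for dom, ip in [("supplier.example", "192.0.2.25"), ("supplier.example", "198.51.100.7"),
                    ("fixed.example", "198.51.100.7"), ("norecord.example", "192.0.2.25")]:
        print(f"{dom:18} {ip:14} -> {check_spf(dom, ip)}")
```

A "fail" or "none" result here corresponds to the cases described above where the sending system is not in the list of trusted servers or no SPF record exists.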


What to do if you receive an e-mail and it gets quarantined due to an SPF failure

If an e-mail is held in quarantine due to an SPF failure and you are confident that it is genuine, then you can release it as a one-off. However, you should be aware that the message may not be real and may have been spoofed. You should take care, and if you're unsure then please contact our support team to check it for you. More significantly, even if you know it is real, releasing it from quarantine will only release that e-mail. It won't white-list the sender, so if they send you another e-mail it will also be quarantined.

Because the problem is usually a misconfigured or missing SPF record, the best solution may be to guide the sender to get their IT person/support company to check that their SPF record is set up correctly.


You can read more about SPF in "plain English" here:

https://www.validity.com/blog/how-to-explain-spf-in-plain-english/

If you are a Cambridge Networks customer and would like us to check a message you have received to confirm that it has been quarantined due to an SPF failure, then please do feel free to contact our support team. If you have been directed to this page by the Cambridge Networks support team, or we have informed you that an e-mail has been quarantined due to an incorrect SPF record, you may want to forward the text below (in italics) to the person who sent you the quarantined message. This will help your customer/supplier/contact improve their system, and ensure you get genuine messages from them:

"Unfortunately, an e-mail sent by you has been quarantined by our mail filter as it failed SPF (Sender Policy Framework) checks. There has been a recent tightening of security by service providers on how mail filters handle security to help prevent spoofed email phishing attacks. Your e-mail was quarantined due to an incorrectly configured SPF record in your company's domain name system (DNS). Your organisation's IT team/web developer will need to investigate further and ensure a relevant "SPF record" is included in the DNS for all services you are using to send e-mail. This includes third-party solutions such as Mailchimp and CRMs.


As security has been tightened across several mail filter services, including Microsoft Exchange Online and Vipre, you may find email you are sending to other companies is also being quarantined. Therefore we encourage you to get this investigated. For further guidance please refer to the support documentation provided by the services you are using.

As I am not technical myself, I have been given this explanation to pass on to you. You can read more about SPF in plain English here: https://www.validity.com/blog/how-to-explain-spf-in-plain-english/"