1 Fortune 500 company out of 3 hasn’t defined SPF for its email communications

Once upon a time you were expecting an important email from a friend or a company you were dealing with. While it was crucial and highly time sensitive, it unfortunately went directly to your spam folder and it took you hours to realize it. You can even be happy you did.

Since the dawn of Internet email, spam has been a nightmare to deal with on a daily basis. The impact on overall Internet traffic was so huge that technologies and standards have been developed specifically to prevent this burden. Amongst those, one of the easiest to implement, and yet very efficient, is called SPF, the Sender Policy Framework.
Basically, SPF is a way to inform mail servers on the Internet about the legitimate servers from which emails from your Internet domain are supposed to come. For IT guys, it is easy to configure, as it is just an additional entry in your DNS records stating the names or IP addresses of the mail servers you use to send your emails.
I will skip the technical details as you can find all the information you need on Wikipedia (https://en.wikipedia.org/wiki/Sender_Policy_Framework) and as I will soon write another article on the subject to provide a few guidelines on how to mitigate this risk, as this is a risk for your companies.
Put yourself in an entrepreneur’s shoes and think about it. Nowadays, email is one of the most used means of communication between customers and suppliers. If your emails go into spam folders even one time out of ten, you might lose customers. As spam is a plague for email services, most companies, and even more so ISPs, have implemented strong anti-spam technologies. Amongst these, checking the SPF record is likely number one. If you have a Gmail or an Outlook account, they use SPF, DKIM or DMARC (I’ll come back to these standards in the next article) to prevent spam and to ensure their messages reach their destination. So we would expect large corporations to do the same to ensure their communications reach their goal.
As I discovered that some of our clients (amongst which some large enterprises) forgot to implement SPF, I was wondering how often this happens in a larger sample of large companies. Hence, I decided to write a little Python script to check SPF and DMARC records for the Fortune 500 Internet domains.

SPF usage in Fortune 500

To keep it simple, I fed the program the 2015 list of Fortune 500 companies and their websites, and checked whether there were mail servers defined to receive email and whether an SPF or DMARC record existed in their DNS. Here are the results:

Out of the 500 companies, I removed 39 from the statistics as there was no email server defined to receive emails. It is likely that these companies (or groups) use other domain names to send and receive external emails. Of the 461 remaining companies, 333 (72,27%) have an SPF record in their DNS, meaning 27,77% do not use it. Amongst the top 500 companies, with billions of dollars in revenue and huge IT and risk management departments, this really doesn’t make sense, even more so when we know the cost of such a measure: a maximum of 1 or 2 hours of work for one person. Finding a better quick win than this one will be a challenge.
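The survey logic described above (skip domains without MX, then look for SPF and DMARC records), as an added example that is not the author's script. The DNS answers are constructed sample data injected through a hypothetical `lookup` function so the code runs offline, and it goes slightly beyond the survey by also classifying the SPF `all` qualifier and the DMARC policy.

```python
# Added example. DNS answers are injected so it runs offline; replace `lookup`
# with a real resolver to survey live domains. All sample data is constructed.
SAMPLE_DNS = {
    ("alpha.example", "MX"): ["10 mail.alpha.example."],
    ("alpha.example", "TXT"): ["site-verification=abc123",
                               "v=spf1 ip4:192.0.2.10 include:_spf.alpha.example -all"],
    ("_dmarc.alpha.example", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@alpha.example"],
    ("bravo.example", "MX"): ["10 mx.bravo.example."],
    ("bravo.example", "TXT"): ["v=spf1 a mx ~all"],
    ("charlie.example", "MX"): ["5 mx.charlie.example."],
    ("charlie.example", "TXT"): ["site-verification=def456"],      # mail domain, no SPF
    ("delta.example", "TXT"): ["v=spf1 -all"],                     # no MX: left out of the stats
    ("echo.example", "MX"): ["10 mx.echo.example."],
    ("echo.example", "TXT"): ["v=spf1 a -all", "v=spf1 mx ~all"],  # two SPF records
}

def lookup(name, rtype):
    return SAMPLE_DNS.get((name.lower(), rtype), [])

def spf_status(txt_records):
    """Return none / multiple / hardfail / softfail / neutral / allow-all / no-all."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "none"
    if len(spf) > 1:              # RFC 7208: more than one SPF record is a permanent error
        return "multiple"
    for term in spf[0].split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is "+"
            return {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "allow-all"}[qualifier]
    return "no-all"               # e.g. a record that relies on redirect=

def dmarc_policy(domain):
    """Return the p= value of the DMARC record at _dmarc.<domain>, or None if absent."""
    for record in lookup("_dmarc." + domain, "TXT"):
        tags = [t.strip() for t in record.split(";")]
        if tags[0].replace(" ", "").lower() == "v=dmarc1":
            for tag in tags[1:]:
                key, _, value = tag.partition("=")
                if key.strip().lower() == "p":
                    return value.strip().lower()
            return "missing-p"
    return None

def survey(domains):
    rows = {d: (spf_status(lookup(d, "TXT")), dmarc_policy(d))
            for d in domains if lookup(d, "MX")}        # survey rule: skip domains without MX
    valid = sum(1 for spf, _ in rows.values() if spf not in ("none", "multiple"))
    return {"excluded": len(domains) - len(rows), "counted": len(rows), "valid_spf": valid,
            "spf_pct": round(100 * valid / len(rows), 2) if rows else 0.0, "rows": rows}
```

Here `valid_spf` counts only domains that publish exactly one SPF record; a domain that publishes two is reported as `multiple` because receivers treat that as an error.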

One possible explanation might be that large companies often have complex structures with diluted responsibilities, and use heavy risk management and security frameworks in which such little “details” are often not mentioned, as they are not considered a risk for the sacrosanct Confidentiality, Integrity and Availability triad. Yet, from my point of view, and I guess you will share it, anything that might prevent the company from achieving its objectives must be considered a risk, even if it doesn’t fit into the model. Everything must come from the business strategy and its processes. One of the biggest challenges in risk management is to keep the alignment between the business processes, their risks and the technical measures implemented.
In conclusion, if your company hasn’t defined its SPF record, you know what you have to do and, in the larger picture, don’t trust the frameworks and the checklists. They are useful, but they aren’t tailored to your business, so they will miss some important risks. The best level of security is achieved when there is good communication between the business and the supporting departments, and when everyone shares the same goal, is empowered and understands how the business is done.

The Excel sheet with the results is available here: SPF-survey

Set up a proxy server on a Synology

Synology's Proxy Server Package

If you have an office network or a home network, you might want to use a proxy server to cache content and speed up your Internet surfing. The more machines you have connected to your network, the more likely it is that you will request the same files multiple times (just imagine how often the Doodle from Google is downloaded on a network with 10 machines on it). A proxy is also a good way to add restrictions that prevent your users from going to undesirable websites or using unsafe protocols. It can also require user authentication before allowing access to the Internet. Or it can channel all traffic through a privacy protection service like TOR.

Whatever your reason, if you have a Synology server, setting up a proxy server has become much easier these days.

There are two parts in setting up a proxy:
1° Install the server
2° Ensure the users will use the proxy.

For the first part, on a Synology, it is now really easy. Go to the Package Center, click on Utilities and select Proxy Server (from Synology Inc.). Click on Install, and that’s it.

You will have to configure it: just provide your email address if you want your users to be able to contact you should they have a problem, and set the port on which the server will listen. You can use 8080, but any unused port will do. Note that ports 80, 443, 5000 and 5001 are likely to be already taken. Usually, we advise not to use port numbers between 1 and 1024, as they are already reserved and assigned to specific services. Above 2048 is even safer. 8080 is quite common for web services or proxy servers. Activate the cache and the connection, check « Activate Automatic Proxy Discovery » in proxy deployment and leave the other parameters at their defaults.

That’s it, your proxy is up and running. Congratulations!

Now you have to tell your computer to use this proxy to navigate in HTTP or HTTPS.

Hopefully, you clicked on activate automatic proxy discovery and it will help.

The first possibility, if you have a standalone computer, is to go to the network settings (it can be through your Internet Explorer or Chrome settings) and set Use a proxy.

To make it easier, you can configure your DNS and/or your DHCP to automatically provide the proxy settings to your client computers using a PAC file (Proxy Automatic Configuration). When you clicked on the proxy distribution address, this file was automatically generated and configured for you on your Synology.

For the DHCP, you must add DHCP option 252 (text or string) with the URL of the wpad.dat file (example: http://192.168.1.254/wpad.dat)

For the DNS, it’s even easier: the web server on which you have placed the wpad.dat file (in the root folder of the server), likely your Synology server, must be known by the alias wpad.your_network.com (where you replace your_network.com with the domain name of your network as defined in the DNS server). When configured for Automatic Proxy Configuration, browsers will look for a set of possible variants of http://wpad.your_network.com/wpad.dat. When the file is found, it is used by the browser to configure how it accesses the Internet using a proxy.

Be sure your computers are set on Automatic Discovery of Proxy settings (in network settings).

Sometimes, the default wpad.dat file generated by Synology will not work perfectly, as it might try to use the proxy to access computers on your own network. You can edit the file using an editor (the file is located in the root folder of your web server on the Synology) and type something like this:

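function FindProxyForURL(url, host)
{
    // Hosts on the local network are reached directly, without the proxy.
    if (isInNet(host, "192.168.1.0", "255.255.255.0")) {
        return "DIRECT";
    } else {
        // Everything else goes through the proxy running on the Synology.
        return "PROXY 192.168.1.254:8080";
    }
}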

In that example, 192.168.1.0 is the network address of the local network. 192.168.1.254 is the IP address of the Synology and 8080 the port defined for the proxy server.

Be really careful with the wpad.dat file: it is extremely sensitive to misplaced whitespace or the absence of a trailing « ; ».

That’s all folks!

Have fun!