Information
For each authoritative domain that receives SMTP email, add either an SPF (Sender Policy Framework) TXT record and/or add a DKIM (DomainKeys Identified Mail) TXT record.
Rationale:
The SPF record reduces spam and phishing usage of a domain name, by publishing the IP addresses of the authorized mail servers, allowed to send mail for the domain. SPF compliant mail servers may reject or treat as SPAM, any mail coming from other IP addresses.
The DKIM record publishes a public key which may be used to verify the authenticity and integrity of the message by using the key to verify a digital signature of the message stored in an SMTP header.
Either or both of the technologies is recommended to be configured for each domain, to reduced spoofing and phishing attacks that use the domains in a FROM address. Consider the risk of a spoofed phishing email coming from upper management with an urgent request which had a valid FROM address. It might be too easy for someone to trust the email and take the action requested. In addition to SPF and DKIM, configuring a DMARC record, after SPF and/or DKIM records are in place, is helpful for reporting and forensics on attempted usage of the domain name. Only the SPF and DKIM DNS records are audited in this recommendation.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Add either an SPF TXT record and/or a default DKIM TXT record to the domains with the appropriate values. The SPF record should have a soft fail policy of ~all or a strict policy of -all There are on-line resources and tools such as MX toolbox that will help in generating and testing SPF, DKIM and DMARC records as shown in the references.
Default Value:
No SPF or DKIM records are configured by default.