-
Notifications
You must be signed in to change notification settings - Fork 540
Sender Policy Framework
Sender Policy Framwork (SPF) is a standard for authorizing the use of domains in email. SPF is defined in RFC 7208 and uses records published via DNS. The goal of SPF is to reduce the use of email sent with forged source addresses. In short, SPF allows the owners of domains to publicly state what SMTP servers are authorized to send email on their behalf. King Phisher has integrated checks for verifying the targets SPF records. This helps to reduce the chance that messages may be marked as forged.
In summary there are four possible results from a SPF policy match.
| Name | Meaning |
|---|---|
| pass | The client is authorized to use the domain |
| neutral | Authorization can not be determined |
| softfail | The client is probably not authorized to use the domain |
| fail | The client is not authorized to use the domain |
The client can be configured to check the SPF records of the domain from which
messages are being sent. The domain is extracted from the Source Email (SMTP)
field in the message configuration tab. In order to check the SPF records the
SMTP server address must be known. The King Phisher client will make a best
effort attempt to guess the address of the SMTP server based on it's
configuration while taking into account whether or not SSH port-forwarding is in
use. The three check levels that can be configured by the client are "Do Not
Check", Permissive and Strict.
| Check Level | Meaning |
|---|---|
| Do Not Check | Make no attempt to check SPF records |
| Permissive | Make sure that if records are found, the policy does not match in a failure |
| Strict | Make sure that records are found and that the policy matches in either neutral or pass |
SPF records are published via DNS TXT records and can thus be manually inspected
using DNS querying tools such as dig. The following is an example of the King
Phisher SPF record which is a simple "Deny All" (-all) rule.
[user@localhost king-phisher]$ dig txt +short king-phisher.com
"v=spf1 -all"
King Phisher also provides an SPF checking tool which will evalulate the records and show which ones match. This can be useful for debugging purposes.
[user@localhost king-phisher]$ tools/spf_check.py 1.2.3.4 king-phisher.com
[*] target email appears to be just a domain, changed to: c2og0tdg@king-phisher.com
[+] spf policy result: fail
[*] top level spf records found:
[*] #1 (matched) king-phisher.com
[*] #1.1 (matched) -all