Sender Policy Framework In Use

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: Route53-008

Ensure that your Amazon Route 53 hosted zone has a TXT record that implements the Sender Policy Framework (SPF) for the corresponding MX record available within the DNS zone. The Sender Policy Framework enables your AWS Route 53 registered domain to publicly state which mail servers are authorized to send emails on its behalf.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Implementing Sender Policy Framework (SPF) for your Amazon Route 53 domain name helps receiving mail servers detect and reject messages that spoof your domain, which reduces spam sent in your name and increases your domain's trustworthiness.

Note: This conformity rule assumes that your Route 53 domain name is using an MX record for declaring the server(s) that should handle the email delivery.


Audit

To determine whether your Amazon Route 53 hosted zone contains a TXT DNS record with SPF information for the corresponding MX record, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Dashboard, click Hosted Zones.

04 Click on the domain name of the hosted zone that you want to examine.

05 In the Records section, select Type from the Filter record sets by property or value dropdown menu, type TXT, and press Enter. This filter returns all the TXT DNS records created for the selected domain. If the filter does not return any TXT entries, the selected domain does not use TXT DNS records to implement Sender Policy Framework (SPF) for the corresponding MX records. If the filter returns one or more TXT records, check the value of each one listed in the Value/Route traffic to column. If none of the values contains v=spf1 (e.g. "v=spf1 ip4:192.168.0.5/16 -all"), the selected domain name is not using the Sender Policy Framework (SPF) for the corresponding MX records.

06 Repeat steps no. 4 and 5 for each DNS hosted zone created with Amazon Route 53 service.

Using AWS CLI

01 Run list-hosted-zones command (OSX/Linux/UNIX) to list the IDs of all the DNS hosted zones created within your AWS cloud account:

aws route53 list-hosted-zones \
	--query "HostedZones[*].Id"

02 The command output should return an array with the requested hosted zone IDs:

[
    "/hostedzone/ABCD1234ABCD1234ABCD",
    "/hostedzone/ABCDABCDABCDABCDABCD"
]

03 Run list-resource-record-sets command (OSX/Linux/UNIX) using the ID of the hosted zone that you want to examine as identifier parameter and custom query filters to describe the TXT DNS records created for the selected domain name:

aws route53 list-resource-record-sets \
	--hosted-zone-id "/hostedzone/ABCD1234ABCD1234ABCD" \
	--query "ResourceRecordSets[?Type == 'TXT']"

04 The command output should return an array with all the TXT DNS record sets created for the specified Amazon Route 53 hosted zone:

  1. If the array returned as output is empty, i.e. [], the selected domain name does not use TXT DNS records to implement Sender Policy Framework (SPF) for the corresponding MX records:
    []
    
  2. If the command output returns an array with one or more TXT DNS records, as shown in the example below, check the value configured for the ResourceRecords.Value property. If this configuration value does not contain v=spf1 (for example, "v=spf1 ip4:192.168.0.5/16 -all"), the selected domain name is not using the Sender Policy Framework (SPF) for the corresponding MX records, therefore the domain is not SPF-protected:
    [
        {
            "ResourceRecords": [
                {
                    "Value": "\"google-site-verification=1234-abcd-1234-abcd\""
                }
            ],
            "Type": "TXT",
            "Name": "cloudconformity.com.",
            "TTL": 300
        }
    ]
    

05 Repeat steps no. 3 and 4 for each DNS hosted zone created with Amazon Route 53 service within your AWS cloud account.
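As an added example that is not part of the Conformity rule or of the AWS CLI, the following Python code performs the check from steps 03 and 04 offline against a constructed copy of the --query "ResourceRecordSets[?Type == 'TXT']" output. It joins TXT values stored as several quoted strings, looks only at the zone apex (the name the MX record belongs to), and additionally reports two conditions the manual check above does not: more than one SPF record, and a record that ends in +all. The names SAMPLE_TXT_RECORD_SETS, txt_value_to_string and audit_spf are mine.

```python
import json
import re

# Constructed sample in the shape returned by
#   aws route53 list-resource-record-sets --query "ResourceRecordSets[?Type == 'TXT']"
# (not data from a real zone). The SPF value is split into two quoted strings on purpose.
SAMPLE_TXT_RECORD_SETS = json.loads(r'''
[
  {"Name": "cloudconformity.com.", "Type": "TXT", "TTL": 300,
   "ResourceRecords": [
     {"Value": "\"google-site-verification=1234-abcd-1234-abcd\""},
     {"Value": "\"v=spf1 include:_spf.google.com\" \" ~all\""}]},
  {"Name": "_dmarc.cloudconformity.com.", "Type": "TXT", "TTL": 300,
   "ResourceRecords": [{"Value": "\"v=DMARC1; p=none\""}]}
]
''')

_QUOTED_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
_ALL_TERM = re.compile(r'^[-+~?]?all$', re.IGNORECASE)

def txt_value_to_string(value):
    """Join a Route 53 TXT value ("str1" "str2") into one unescaped string."""
    parts = _QUOTED_STRING.findall(value)
    return "".join(re.sub(r'\\(.)', r'\1', p) for p in parts)

def audit_spf(record_sets, zone_name):
    """Return findings for the zone apex; [] means exactly one usable SPF record."""
    apex = zone_name.rstrip(".").lower() + "."
    spf_records = []
    for rrset in record_sets:
        if rrset["Type"] != "TXT" or rrset["Name"].lower() != apex:
            continue  # SPF for the MX-bearing domain is published at its apex
        for rr in rrset["ResourceRecords"]:
            text = txt_value_to_string(rr["Value"])
            if text.lower().startswith("v=spf1"):  # RFC 7208 version tag
                spf_records.append(text)
    findings = []
    if not spf_records:
        findings.append("no v=spf1 TXT record at %s" % apex)
    elif len(spf_records) > 1:
        # RFC 7208 section 3.2: more than one SPF record is a permanent error
        findings.append("%d SPF records at %s" % (len(spf_records), apex))
    else:
        terms = spf_records[0].split()[1:]
        all_terms = [t for t in terms if _ALL_TERM.match(t)]
        if not all_terms and not any(t.lower().startswith("redirect=") for t in terms):
            findings.append("SPF record has no 'all' mechanism or redirect= modifier")
        elif all_terms and all_terms[-1].lower() in ("all", "+all"):
            findings.append("SPF record ends with +all, which authorizes any host")
    return findings
```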

Remediation / Resolution

To implement Sender Policy Framework (SPF) for all the corresponding MX records using Route 53 TXT DNS records, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Dashboard, click Hosted Zones.

04 Click on the domain name of the DNS hosted zone that you want to reconfigure.

05 On the selected hosted zone configuration page, create a new TXT record by completing the following actions:

  1. In the Records section, click Create Record button to initiate the setup process.
  2. Choose Simple routing from the Routing policy menu, then click Next to continue.
  3. Click on Define simple record and perform the following:
    • Leave the Record name field empty.
    • Select IP address or another value depending on the record type from the Value/Route traffic to dropdown list and type the required SPF value in the corresponding box, for example "v=spf1 include:_spf.google.com ~all". If you don't use Google mail servers, replace include:_spf.google.com with your mail server's hostname or IPv4 address, e.g. "v=spf1 ip4:192.168.0.5/16 -all".
    • From the Record type dropdown menu, choose TXT – Used to verify email senders and for application-specific values.
    • In the TTL (Seconds) box, enter a value of 3600 (1 hour) as Time to Live (TTL) value.
    • Select Define simple record to save the record set.
  4. Click on Create records to create a new TXT DNS record that implements the Sender Policy Framework (SPF) for the corresponding MX record.

06 Repeat steps no. 4 and 5 to implement the Sender Policy Framework (SPF) for each Route 53 domain name with corresponding MX records.

Using AWS CLI

01 To define the required SPF TXT-based record set and add it to an existing DNS hosted zone, you must create an AWS Route 53 change file, declare the new DNS record set, and save the record definition to a JSON file named spf-txt-record-set.json. The following example describes a TXT record definition that implements the Sender Policy Framework (SPF) for a domain name called cloudconformity.com, using Google mail servers as servers that are allowed to send mail for the specified domain:

{
  "Comment": "SPF TXT-based record set for cloudconformity.com hosted zone.",
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "cloudconformity.com.",
        "Type": "TXT",
        "TTL": 3600,
        "ResourceRecords": [
          {
            "Value": "\"v=spf1 include:_spf.google.com ~all\""
          }
        ]
      }
    }
  ]
}

02 Run change-resource-record-sets command (OSX/Linux/UNIX) using the ID of the DNS hosted zone that you want to reconfigure as identifier parameter and the AWS Route 53 change file defined at the previous step (i.e. spf-txt-record-set.json) to add the new TXT DNS record that implements the Sender Policy Framework (SPF) for the corresponding MX record within the selected hosted zone:

aws route53 change-resource-record-sets \
	--hosted-zone-id "/hostedzone/ABCD1234ABCD1234ABCD" \
	--change-batch file://spf-txt-record-set.json

03 The command output should return the new DNS record set metadata, e.g.:

{
    "ChangeInfo": {
        "Status": "PENDING",
        "Comment": "SPF TXT-based record set for cloudconformity.com hosted zone.",
        "SubmittedAt": "2020-08-11T15:00:00.000Z",
        "Id": "/change/ABCDABCDABCDABCDABCD"
    }
}

04 Run get-change command (OSX/Linux/UNIX) using the change request ID returned at the previous step to get the current status of the newly added DNS record set:

aws route53 get-change \
	--id "/change/ABCDABCDABCDABCDABCD"

05 The command output should return the current status of the DNS record batch request. The current status should be INSYNC, which indicates that the change was fully propagated to all AWS Route 53 DNS server nodes:

{
    "ChangeInfo": {
        "Status": "INSYNC",
        "Comment": "SPF TXT-based record set for cloudconformity.com hosted zone.",
        "SubmittedAt": "2020-08-11T16:00:00.000Z",
        "Id": "/change/ABCDABCDABCDABCDABCD"
    }
}

06 Repeat steps no. 1 – 5 to implement the Sender Policy Framework (SPF) for each Route 53 domain name with corresponding MX records.
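As an added example that is not part of the Conformity rule or of the AWS CLI, the following Python code builds the change file from step 01 for a zone whose apex already carries other TXT values, such as the site-verification record shown in the audit output. The CREATE action in the change file above is rejected with InvalidChangeBatch when a TXT record set already exists at that name, so the code merges the existing values and switches to UPSERT; it also splits an SPF string longer than 255 characters into several quoted strings as Route 53 requires. The names EXISTING_APEX_TXT, spf_to_route53_value and build_spf_change_batch are mine, and the sample data is constructed.

```python
import json

MAX_TXT_STRING = 255  # DNS <character-string> limit; Route 53 requires longer values be split

# Constructed sample of the TXT record sets already present at the apex, in the shape of
# the list-resource-record-sets audit output (not data from a real zone).
EXISTING_APEX_TXT = [
    {"Name": "cloudconformity.com.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [{"Value": '"google-site-verification=1234-abcd-1234-abcd"'}]}
]

def spf_to_route53_value(spf):
    """Quote an SPF string as a Route 53 TXT Value: "chunk1" "chunk2", each <= 255 chars."""
    chunks = [spf[i:i + MAX_TXT_STRING] for i in range(0, len(spf), MAX_TXT_STRING)]
    return " ".join('"%s"' % c.replace("\\", "\\\\").replace('"', '\\"') for c in chunks)

def build_spf_change_batch(zone_name, spf, existing_txt_sets, ttl=3600):
    """Build the change batch that publishes `spf` at the zone apex.

    existing_txt_sets is the array returned by list-resource-record-sets with the
    --query "ResourceRecordSets[?Type == 'TXT']" filter used in the audit steps.
    """
    apex = zone_name.rstrip(".").lower() + "."
    existing = [s for s in existing_txt_sets if s["Name"].lower() == apex]
    values = [rr["Value"] for s in existing for rr in s["ResourceRecords"]]
    if any(v.lstrip('"').lower().startswith("v=spf1") for v in values):
        raise ValueError("%s already has an SPF record; edit it instead of adding one" % apex)
    values.append(spf_to_route53_value(spf))
    # One record set per name+type: CREATE fails with InvalidChangeBatch when other TXT
    # values already exist at the apex, so UPSERT the merged set and keep its TTL.
    if existing:
        action, ttl = "UPSERT", existing[0]["TTL"]
    else:
        action = "CREATE"
    return {
        "Comment": "SPF TXT-based record set for %s hosted zone." % zone_name,
        "Changes": [{
            "Action": action,
            "ResourceRecordSet": {
                "Name": apex, "Type": "TXT", "TTL": ttl,
                "ResourceRecords": [{"Value": v} for v in values],
            },
        }],
    }

if __name__ == "__main__":
    # Emit the JSON that step 02 passes as --change-batch file://spf-txt-record-set.json
    print(json.dumps(build_spf_change_batch(
        "cloudconformity.com", "v=spf1 include:_spf.google.com ~all", EXISTING_APEX_TXT), indent=2))
```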


Publication date Aug 17, 2020
