What is a Supply Chain Scan?
Core features are broken into 5 categories. It's through the aggregation of these features that we gain a full picture of your email infrastructure.
We perform 14 checks against SPF & DMARC configurations, as follows:
# | Issue Title | Issue Detail | Severity |
---|---|---|---|
0 | Non-existent domain | The DNS resolver raised an NXDOMAIN error for "{domain}". Mail receivers will be unable to resolve your domain and will almost certainly flag any mail as spam. | Low |
1 | No SPF record exists | There is no SPF DNS record for "{domain}". Mail receivers have no mechanism to determine which mail servers are authorised to send for your domain; SPF checks return a "None" result, indicating no check could be performed. Spoofed emails are likely to be accepted. | High |
2 | No SPF "all" mechanism set or set to "?all" | The "all" mechanism at the end of an SPF record tells receivers how to treat unauthorised (i.e. spoofed) emails. If it is missing or set to "?all", failed authentication checks return a "Neutral" result, which many receivers treat as an instruction to accept all mail from "{domain}" (including spoofed emails). | High |
3 | SPF "+all" (Pass) mechanism set | The "all" mechanism at the end of an SPF record tells receivers how to treat unauthorised (i.e. spoofed) emails. The "+all" setting tells receivers to pass/accept all mail claiming to be from "{domain}" (including spoofed emails). | Very High |
4 | SPF "~all" (SoftFail) mechanism set | The "all" mechanism at the end of an SPF record tells receivers how to treat unauthorised (i.e. spoofed) emails. The "~all" setting tells receivers to 'SoftFail' emails that fail SPF authentication, i.e. treat them as suspicious (typically scored or quarantined) rather than reject them. In practice, many email filters only slightly raise the total spam score and accept 'SoftFailed' (i.e. spoofed) emails. | Medium |
5 | SPF has too many lookups for receiver validation | The SPF record requires more than 10 DNS lookups to validate. RFC 7208 limits an evaluation to 10 lookups (the include, a, mx, ptr and exists mechanisms and the redirect modifier each count as one). Receivers that hit the limit return a PermError instead of completing SPF validation. Receivers treat a PermError differently from a hard or soft SPF fail, and some will continue processing the mail (i.e. accept spoofed emails). | Medium |
6 | No SPF sub-domain record exists | The SPF sub-domain policy is a catch-all mechanism used to prevent threat actors from spoofing sub-domains for which no explicit SPF record has been set. It is typically published as a wildcard DNS entry such as "* IN TXT "v=spf1 -all"", telling recipients to fail mail from any sub-domain that has no SPF entry of its own. Note that a DNS wildcard only matches names that have no records of any type, so a sub-domain that already has, for example, an A record still needs its own SPF record. | Medium |
7 | No DMARC record exists | There is no DMARC DNS record for "{domain}". Spoofed emails utilising an attack technique known as SPF-bypass are likely to be accepted. See FAQs for more information. | High |
8 | Insecure DMARC policy 'p' qualifier | The DMARC policy 'p' qualifier is "none". If the DMARC policy is neither "reject" nor "quarantine", spoofed emails utilising an attack technique known as SPF-bypass are likely to be accepted. See FAQs for more information. | High |
9 | Insecure DMARC sub-domain 'sp' qualifier | The DMARC policy 'sp' qualifier for sub-domains is set to "none". If the DMARC policy is neither "reject" nor "quarantine", spoofed emails from any "{domain}" sub-domain utilising an attack technique known as SPF-bypass are likely to be accepted. See FAQs for more information. | High |
10 | Partial DMARC coverage | The DMARC "pct" value is set to less than '100' (i.e. 100%), meaning the DMARC policy will only be applied to a percentage of incoming mail. A threat actor can continuously deliver spoofed emails (via SPF-bypass) until the DMARC policy isn't applied and the mail is accepted. See FAQs for more information. | Medium |
11 | DNS Timeout during Scan | There was a DNS timeout when querying "{domain}". For receivers this results in an SPF TempError, and any mail will likely be flagged as spam (affecting legitimate mail delivery). | Low |
12 | Trivial SPF lookup | The SPF record is configured with one or more redundant lookups in the validation chain for "{domain}" (for example the same domain included twice, or an include chain that loops back on itself). This may result in an SPF PermError if a loop exists and more than 10 lookups are performed. Recipients treat a PermError differently from a hard or soft SPF fail, but many will continue processing the mail (i.e. accept spoofed emails). | Medium |
13 | At least one IP address is vulnerable to takeover | A scan of available AWS IP addresses has indicated that one or more IP Addresses within the SPF record are vulnerable to IP takeover attacks. | Very High |
We use a variety of proprietary techniques to identify which mail gateways, spam filters and malware filters any given mail receiver is using. We then determine whether those filtering technologies are vulnerable to bypass. We currently support detection of the following technologies:
- Cisco IronPort
- Sophos PureMessage
- Sophos ESA
- Trustwave SEG
- Exchange Antispam Protection
- Exchange Online Protection
- Proofpoint SEG
- FireEye MX
- FireEye ETP Cloud
- Forcepoint SEG
- Forcepoint Cloud
- Trend Micro HES
- Symantec MessageLabs
- Mimecast SEG
- Clearswift SEG
- Google Mail Protection
- Yahoo Mail Protection
- Barracuda Email Security
We recursively query your SPF record and all lookups within it, allowing us to identify all IPv4 and IPv6 IP addresses in-use. Once identified, we collate IP ownership information, providing you with a mechanism to see who operates your downstream mail sender infrastructure.
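As an added worked example (not the scanner's own code), the following Python implements the SPF walk described above and the record-level checks from the table: it expands `include:` and `redirect=` recursively against a constructed in-memory DNS table, counts the lookups a receiver would perform, detects include loops and redundant includes (check 12), collects every ip4/ip6 network in the chain, evaluates the top-level "all" qualifier (checks 2 to 4), and reads the DMARC p, sp and pct tags (checks 7 to 10). The domain names and records in `DNS_TXT`, and the helper names `walk_spf`, `spf_findings` and `dmarc_findings`, are assumptions made for illustration. The a, mx, ptr and exists mechanisms are counted as lookups but not resolved, since that would need live A/MX/PTR queries.

```python
# Offline SPF/DMARC checker over a constructed DNS TXT table (example code written for this
# page, not the scanner's code). Every name and record in DNS_TXT is constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

DNS_TXT = {
    # _spf.mailer.test is included twice (redundant); loop.test and loop2.test form a cycle
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test include:loop.test mx include:_spf.mailer.test ~all",
    "_spf.mailer.test": "v=spf1 ip6:2001:db8::/32 a:relay.mailer.test -all",
    "loop.test": "v=spf1 include:loop2.test -all",
    "loop2.test": "v=spf1 include:loop.test -all",
    "_dmarc.example.test": "v=DMARC1; p=none; sp=quarantine; pct=50; rua=mailto:dmarc@example.test",
}

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (at most 10 per evaluation).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

@dataclass
class SpfWalk:
    ips: list = field(default_factory=list)        # ip4/ip6 networks found anywhere in the chain
    lookups: int = 0                               # lookups a receiver would perform
    loops: list = field(default_factory=list)      # include/redirect cycles, as "a -> b -> a"
    redundant: list = field(default_factory=list)  # domains evaluated more than once
    missing: list = field(default_factory=list)    # names with no v=spf1 record
    all_qualifier: Optional[str] = None            # qualifier of the top-level "all" term
    visited: set = field(default_factory=set)

def walk_spf(domain, table, result=None, path=()):
    """Expand include:/redirect= recursively, the way a receiver would, and record what it sees."""
    result = result if result is not None else SpfWalk()
    if domain in path:
        result.loops.append(" -> ".join(path + (domain,)))
        return result
    if domain in result.visited:
        result.redundant.append(domain)   # receivers re-evaluate it anyway, so keep walking
    result.visited.add(domain)
    record = table.get(domain)
    if record is None or not record.startswith("v=spf1"):
        result.missing.append(domain)     # an include of a record-less name is a PermError
        return result
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:            # modifier such as redirect= or exp=
            name, arg = term.split("=", 1)
            if name != "redirect":
                continue
        else:
            name, _, arg = term.partition(":")
            name = name.split("/")[0]               # drop a/24 or mx/24 style suffixes
        if name == "all":
            if not path:                            # only the top-level "all" sets the verdict
                result.all_qualifier = qualifier
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net not in result.ips:
                result.ips.append(net)
        elif name in LOOKUP_TERMS:
            result.lookups += 1
            if name in ("include", "redirect"):     # a/mx/ptr/exists are only counted here
                walk_spf(arg, table, result, path + (domain,))
    return result

ALL_CHECKS = {  # top-level "all" qualifier -> (issue title, severity) from the check table
    None: ('No SPF "all" mechanism set or set to "?all"', "High"),
    "?": ('No SPF "all" mechanism set or set to "?all"', "High"),
    "+": ('SPF "+all" (Pass) mechanism set', "Very High"),
    "~": ('SPF "~all" (SoftFail) mechanism set', "Medium"),
}

def spf_findings(domain, table):
    """Return (findings, walk); findings are (issue title, severity) pairs."""
    walk = walk_spf(domain, table)
    if domain in walk.missing:
        return [("No SPF record exists", "High")], walk
    findings = [ALL_CHECKS[walk.all_qualifier]] if walk.all_qualifier in ALL_CHECKS else []
    if walk.lookups > 10:
        findings.append(("SPF has too many lookups for receiver validation", "Medium"))
    if walk.loops or walk.redundant:
        findings.append(("Trivial SPF lookup", "Medium"))
    return findings, walk

def dmarc_findings(domain, table):
    """Evaluate the p, sp and pct tags of the _dmarc record as (issue title, severity) pairs."""
    record = table.get("_dmarc." + domain, "")
    if not record.lower().startswith("v=dmarc1"):
        return [("No DMARC record exists", "High")]
    tags = {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}
    findings = []
    p = tags.get("p", "none").lower()
    if p not in ("quarantine", "reject"):
        findings.append(("Insecure DMARC policy 'p' qualifier", "High"))
    sp = tags.get("sp", p).lower()     # RFC 7489: sp defaults to p; flag only when it weakens p
    if sp != p and sp not in ("quarantine", "reject"):
        findings.append(("Insecure DMARC sub-domain 'sp' qualifier", "High"))
    if int(tags.get("pct", "100")) < 100:
        findings.append(("Partial DMARC coverage", "Medium"))
    return findings
```

Running `spf_findings("example.test", DNS_TXT)` on the constructed table counts 8 lookups, collects 192.0.2.0/24 and 2001:db8::/32, reports the loop.test/loop2.test cycle and the duplicate include as a "Trivial SPF lookup" finding alongside the "~all" SoftFail finding, while `dmarc_findings` flags p=none and pct=50. A live scan replaces `DNS_TXT` with a resolver and must additionally handle NXDOMAIN and timeouts (checks 0 and 11).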
We enhance the view of your mail sender supply chain by pulling near-exact geolocation information for each sending IP. We provide this information in a tabular format and visualised on a world map. This can assist with identifying geolocation-motivated risks: for example, a Federal Government agency in a Five-Eyes country would be best advised to avoid mail infrastructure owned by a hostile nation's ISP and operated out of that nation.
We subscribe to multiple IP-driven blacklists which identify IPs that are associated with:
- Unsolicited Bulk Email, spam operations and spam services (i.e. low-reputation senders)
- Snowshoe spam, whereby spammers spread sending across many IPs to evade spam detection (i.e. low-reputation senders)
- Hijacked endpoints compromised by third-party exploits, including open proxies (HTTP, SOCKS, AnalogX, WinGate, etc.), worms/viruses with built-in spam engines, and other trojan-horse infections
- End-user (non-MTA) addresses which are dynamically allocated to residential users (i.e. Low Reputation Senders)