Amazon Route 53

Missing Valid Sender Policy Framework (SPF) Entry

This plugin verifies that the TXT or SPF resource record set contains a valid SPF record for each MX resource record set.

Risk Level: High

Description:

This plugin verifies that the TXT or SPF resource record set contains a valid SPF record for each MX resource record set. "v=spf1" must be a valid substring in the record. The SPF record identifies the servers that are permitted to send email on behalf of your domain, which aids in the detection and prevention of email address spoofing and thereby reduces spam. Route 53 recommends publishing the SPF policy in a TXT record rather than in a record of the SPF type.

About the Service :

Amazon Route 53 is a cloud Domain Name System (DNS) web service that is highly accessible and scalable. It is intended to provide developers and businesses with a highly dependable and cost-effective method of routing end users to Internet applications.

Amazon Route 53 connects user requests to AWS infrastructure such as Amazon EC2 instances, Elastic Load Balancing load balancers, and Amazon S3 buckets, as well as equipment outside of AWS. 

Impact: 

If the SPF record is missing, receiving mail servers cannot identify which servers are authorised to send email for your domain, so the detection and prevention of email address spoofing that SPF provides is lost.


Steps to reproduce :

  1. Login to AWS Management Console.
  2. Navigate to Route 53 dashboard. (https://console.aws.amazon.com/route53/ )
  3. Next, move to the “Hosted Zone” in the left navigation panel under Route 53.
  4. Select the hosted zone to examine.
  5. Next, check the records with type “MX”. If an MX record exists, a TXT or SPF record containing “v=spf1” should exist at the same name too. If it is missing, the hosted zone has a missing valid Sender Policy Framework entry.
  6. Repeat steps for other hosted zones.

Steps for remediation :

Recommended Action: For each MX resource record set, create a TXT resource record set that contains a valid SPF value.

  1. Login to AWS Management Console.
  2. Navigate to Route 53 dashboard. (https://console.aws.amazon.com/route53/ )
  3. Next, move to the “Hosted Zone” in the left navigation panel under Route 53.
  4. Select the hosted zone to examine.
  5. Next, check the records with type “MX”. If an MX record exists, a TXT or SPF record containing “v=spf1” should exist at the same name too. If it is missing, the hosted zone has a missing valid Sender Policy Framework entry.
  6. To fix this, click on Create Record.
  7. Next, fill in the necessary fields, select TXT as the record type, enter the SPF value (beginning with “v=spf1”), and click on Create Record.
  8. Repeat steps for other hosted zones.
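The check described in the description and the remediation steps above can also be run against the hosted zone's record sets directly. The following is an added example, not the plugin's own code: it walks a record-set list in the shape returned by Route 53's ListResourceRecordSets API (the sample zone below is constructed, not real data), reports each MX name whose TXT/SPF records lack an SPF policy, and builds the ChangeBatch that ChangeResourceRecordSets would take to add one. It is slightly stricter than the plugin's substring test: following RFC 7208, a record only counts as SPF when it begins with the "v=spf1" version tag, and a name with more than one such record is flagged too, since receivers treat that as a permanent error.

```python
import json
import re
from typing import Dict, List

# Constructed sample in the shape of list_resource_record_sets()["ResourceRecordSets"].
# Hypothetical zone for illustration only.
SAMPLE_RECORD_SETS: List[Dict] = [
    {"Name": "example.com.", "Type": "MX", "TTL": 300,
     "ResourceRecords": [{"Value": "10 mail.example.com."}]},
    {"Name": "example.com.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [{"Value": '"v=spf1 include:_spf.example.com -all"'},
                         {"Value": '"site-verification=abc123"'}]},
    {"Name": "shop.example.com.", "Type": "MX", "TTL": 300,
     "ResourceRecords": [{"Value": "10 mail.example.com."}]},
    # TXT exists but carries no SPF policy: this is the finding the plugin raises.
    {"Name": "shop.example.com.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [{"Value": '"some-unrelated-token"'}]},
    {"Name": "legacy.example.com.", "Type": "MX", "TTL": 300,
     "ResourceRecords": [{"Value": "10 mail.example.com."}]},
    # Deprecated SPF type, split into two quoted strings as Route 53 requires
    # for long values; the strings are concatenated when evaluated.
    {"Name": "legacy.example.com.", "Type": "SPF", "TTL": 300,
     "ResourceRecords": [{"Value": '"v=spf1 ip4:192.0.2.0/24 " "include:_spf.example.com -all"'}]},
]

# RFC 7208: the record must start with the version tag, followed by a space or end.
SPF_VERSION = re.compile(r"^v=spf1(\s|$)", re.IGNORECASE)


def txt_rdata_to_string(value: str) -> str:
    """Route 53 stores TXT/SPF RData as one or more double-quoted character
    strings separated by whitespace; the logical record is their concatenation."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', value)
    return "".join(parts) if parts else value.strip()


def spf_records_at(name: str, record_sets: List[Dict]) -> List[str]:
    """Every record at `name` (TXT or the deprecated SPF type) that is an SPF policy."""
    found = []
    for rrset in record_sets:
        if rrset["Name"].lower() != name.lower() or rrset["Type"] not in ("TXT", "SPF"):
            continue
        for rr in rrset["ResourceRecords"]:
            text = txt_rdata_to_string(rr["Value"])
            if SPF_VERSION.match(text):
                found.append(text)
    return found


def check_spf(record_sets: List[Dict]) -> Dict[str, str]:
    """One result per MX name: OK, MISSING (no SPF policy) or MULTIPLE (more than one)."""
    results: Dict[str, str] = {}
    for rrset in record_sets:
        if rrset["Type"] != "MX":
            continue
        name = rrset["Name"].lower()
        policies = spf_records_at(name, record_sets)
        if not policies:
            results[name] = "MISSING"
        elif len(policies) > 1:
            results[name] = "MULTIPLE"
        else:
            results[name] = "OK"
    return results


def spf_upsert_change_batch(name: str, spf_text: str, record_sets: List[Dict],
                            ttl: int = 300) -> Dict:
    """Build the ChangeBatch for route53:ChangeResourceRecordSets that adds an SPF
    TXT record at `name`. UPSERT replaces the whole TXT record set, so any existing
    TXT values at that name are carried over rather than overwritten. No AWS call is made."""
    existing: List[str] = []
    for rrset in record_sets:
        if rrset["Name"].lower() == name.lower() and rrset["Type"] == "TXT":
            existing.extend(rr["Value"] for rr in rrset["ResourceRecords"])
            ttl = rrset.get("TTL", ttl)
    values = existing + [json.dumps(spf_text)]  # json.dumps yields the quoted TXT form
    return {
        "Comment": "Add SPF policy (added example, not plugin code)",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name, "Type": "TXT", "TTL": ttl,
                "ResourceRecords": [{"Value": v} for v in values],
            },
        }],
    }


if __name__ == "__main__":
    findings = check_spf(SAMPLE_RECORD_SETS)
    for mx_name, status in findings.items():
        print(f"{mx_name:25} {status}")
    for mx_name, status in findings.items():
        if status == "MISSING":
            batch = spf_upsert_change_batch(
                mx_name, "v=spf1 include:_spf.example.com -all", SAMPLE_RECORD_SETS)
            print(json.dumps(batch, indent=2))
```

To run this against a real zone, feed it the concatenated `ResourceRecordSets` pages from boto3's `list_resource_record_sets(HostedZoneId=...)` and pass the returned batch to `change_resource_record_sets(HostedZoneId=..., ChangeBatch=batch)`; the SPF value itself (which senders to authorise and whether to end with `-all` or `~all`) must come from whoever operates mail for the domain, so the example does not choose one for you.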


References: