Email remains one of the most important communication tools for businesses, but it’s also one of the most common channels exploited by cybercriminals. One of the easiest ways scammers trick people is through email spoofing: sending a message that looks like it came from a trusted domain when it actually didn’t.
Why Messages Get Quarantined
It can feel frustrating when a message you were expecting ends up flagged and placed in quarantine. But this safeguard exists for a reason: to protect your organization and its people.
Think of it like a medical quarantine:
– If someone may be carrying a contagious illness, they’re separated until doctors confirm it’s safe for them to interact with others.
– Without quarantine, the illness could spread unchecked, causing far greater harm.
Email quarantine works the same way. When a message doesn’t meet authentication checks, it is isolated. While this may occasionally capture a safe message, the system is doing exactly what it was designed for: preventing harmful or fraudulent content from reaching inboxes.
A Real-World Example: Wire Fraud
Here’s the hard truth: a scammer can absolutely send an email that looks like it came from your client.
Imagine this: an accountant receives what appears to be a legitimate message from a trusted client. The email address looks correct, the signature block is copied perfectly, and the message says:
“Please wire $48,500 to the following account by end of day.”
The accountant acts quickly, believing it’s a real instruction. But the client never sent the request. The scammer simply spoofed the domain to look authentic. By the time anyone realizes, the funds are long gone.
This scenario doesn’t just apply to accountants. A CEO could “instruct” their CFO to transfer funds. A vendor could “send” new payment details. A law firm could “share” what appears to be confidential case files.
This is why everyone must accept the slight inconvenience of quarantines. They exist to stop fraudulent instructions from slipping through unnoticed when domains aren’t properly protected with SPF and DMARC records.
What Is an SPF Record?
A Sender Policy Framework (SPF) record is a DNS entry that lists the mail servers authorized to send emails on behalf of your domain. In other words, it tells the world:
“Only these specific servers are allowed to send email using my company’s domain.”
For example, if your domain is yourcompany.com, your SPF record ensures that only the servers you trust are able to send from addresses like [email protected].
How SPF Works with DMARC
SPF doesn’t act alone. It works together with DMARC (Domain-based Message Authentication, Reporting, and Conformance) to strengthen email security.
– SPF: Lists which servers are authorized to send email for your domain.
– DMARC: Tells receiving systems what to do if an email is sent from an unauthorized source (e.g., reject, quarantine, or allow with warnings).
For example:
If a criminal sends a message pretending to be from [email protected] using an unauthorized server, your DMARC record instructs receiving systems to block or quarantine the message. This prevents customers or employees from interacting with something that appears trustworthy but is actually malicious.
Not All Filters Are Equal
One of the challenges businesses face is that different providers apply different levels of filtering. Some may block aggressively, while others let questionable emails through.
SPF and DMARC reduce this inconsistency by setting domain-level rules that all providers can follow. Instead of relying solely on the judgment of a filter, your domain provides clear instructions: which servers are legitimate and what should happen when an unauthorized message is detected.
Common Errors with SPF and DMARC
Even with these protections, mistakes during setup are common. Here are the issues we see most often:
1. Multiple Records Added
Only one SPF and one DMARC record are allowed per domain. Adding multiples will cause lookup errors.
2. Forgetting to Update Records
When moving email services to a new server, many businesses forget to update their SPF record, causing messages to fail authentication.
3. Missing Records Entirely
Some companies don’t have SPF or DMARC records at all, leaving their domain completely unprotected.
4. SPF Without DMARC
Having an SPF record is good, but without DMARC there’s no instruction for what to do with unauthorized traffic.
5. Too Many DNS Lookups
SPF records can only include 10 DNS lookups (including nested ones). Exceeding this limit will break the record.
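The script below is an added example, not code from this article or from Document Solutions. It models the receiving-side logic described in “How SPF Works with DMARC” (look up the sender domain’s SPF record, test the connecting server’s IP against it, then apply the domain’s DMARC policy) and runs the five setup checks listed above against a domain. To run offline it uses a constructed, fictional DNS table instead of real DNS queries: yourcompany.com, mail.example-relay.test, twice.test, nodmarc.test, deep.test and hop0…hop10.test are all made up, as are their IP ranges. Function names such as check_spf, dmarc_policy, disposition, count_lookups and audit are this example’s own. It covers only the SPF-plus-DMARC path the article discusses; a real receiver also evaluates DKIM and SPF/DMARC alignment, which are left out here.

```python
"""Toy SPF + DMARC evaluator over a constructed, offline DNS table (added example)."""
import ipaddress

# Constructed DNS TXT records (assumption: every domain and address here is fictional).
DNS_TXT = {
    "yourcompany.com": ["v=spf1 ip4:203.0.113.0/24 include:mail.example-relay.test -all"],
    "mail.example-relay.test": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.yourcompany.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.com"],
    # Deliberate reproductions of the common errors listed in the article:
    "twice.test": ["v=spf1 ip4:203.0.113.5 -all", "v=spf1 ip4:203.0.113.6 -all"],  # two SPF records
    "nodmarc.test": ["v=spf1 ip4:203.0.113.7 -all"],                                 # SPF but no DMARC
    "deep.test": ["v=spf1 " + " ".join(f"include:hop{i}.test" for i in range(11)) + " -all"],
}
for i in range(11):  # eleven include targets, so deep.test needs 11 lookups
    DNS_TXT[f"hop{i}.test"] = ["v=spf1 ip4:203.0.113.100 -all"]

MAX_LOOKUPS = 10                                                   # RFC 7208 limit
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")  # terms that cost a DNS query


def spf_records(domain):
    """All TXT records at `domain` that start with v=spf1 (there should be exactly one)."""
    return [t for t in DNS_TXT.get(domain, []) if t.lower().startswith("v=spf1")]


def count_lookups(domain, seen=None):
    """Count DNS-querying terms, following include:/redirect= so nested lookups count too."""
    seen = seen if seen is not None else set()
    if domain in seen:          # loop protection for circular includes
        return 0
    seen.add(domain)
    recs = spf_records(domain)
    if len(recs) != 1:          # missing or duplicated record: nothing sensible to count
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/")[0]
        if name in LOOKUP_MECHS:
            total += 1
            if name in ("include", "redirect"):
                target = term.split(":", 1)[1] if ":" in term else term.split("=", 1)[1]
                total += count_lookups(target, seen)
    return total


def check_spf(client_ip, domain, depth=0):
    """Simplified SPF check: 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    recs = spf_records(domain)
    if not recs:
        return "none"
    if len(recs) > 1 or count_lookups(domain) > MAX_LOOKUPS or depth > MAX_LOOKUPS:
        return "permerror"      # the record is unusable, exactly as errors 1 and 5 describe
    ip = ipaddress.ip_address(client_ip)
    for term in recs[0].split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        if body.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(body[4:], strict=False)
        elif body.startswith("include:"):
            matched = check_spf(client_ip, body[8:], depth + 1) == "pass"
        else:
            matched = body == "all"  # other mechanisms are not modelled in this example
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"


def dmarc_policy(domain):
    """The p= tag of _dmarc.<domain>, or None when the domain publishes no DMARC record."""
    for txt in DNS_TXT.get(f"_dmarc.{domain}", []):
        tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "none").lower()
    return None


def disposition(client_ip, from_domain):
    """What a receiver does with a message from `client_ip` claiming `from_domain`.
    Assumption: SPF is evaluated directly on the From: domain, i.e. envelope and header align."""
    if check_spf(client_ip, from_domain) == "pass":
        return "deliver"
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "deliver (no DMARC policy; left to the filter's judgment)"
    return {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}.get(policy, "quarantine")


def audit(domain):
    """Flag the setup mistakes from the list above for one domain."""
    findings = []
    recs = spf_records(domain)
    if not recs:
        findings.append("missing SPF record")
    elif len(recs) > 1:
        findings.append(f"{len(recs)} SPF records (only one allowed)")
    elif count_lookups(domain) > MAX_LOOKUPS:
        findings.append(f"{count_lookups(domain)} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    if dmarc_policy(domain) is None:
        findings.append("missing DMARC record")
    return findings


if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.10", "192.0.2.1"):
        print(ip, "->", disposition(ip, "yourcompany.com"))
    for d in ("yourcompany.com", "twice.test", "nodmarc.test", "deep.test"):
        print(d, audit(d) or "OK")
```

The three sample senders show the point of the article: a server inside the ip4 range or the included relay is delivered, while an unauthorized IP (192.0.2.1) fails SPF and is handled by the DMARC p=quarantine policy. The audit of nodmarc.test shows why “SPF without DMARC” matters: with no policy published, the same failing message falls back to whatever the receiving filter decides. Note that p=none is a real DMARC policy value that only asks for reports and takes no action, which is why publishing DMARC with a quarantine or reject policy, not merely publishing it, is what makes the SPF failure enforceable.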
The Real Cost of Email Fraud
Did you know?
Business Email Compromise (BEC) alone cost organizations almost $3 billion in 2024, part of $16.6 billion lost to internet scams overall, according to the FBI’s Internet Crime Complaint Center (IC3). These attacks are accelerating, and even a single undetected spoofed email can result in massive losses.
This is why layered security matters.
Layered Security — brought to you by Document Solutions