Supplemental Data Table: Email Protection DNS Record Configuration Issues

Introduction

If Field Effect MDR detects any email DNS misconfigurations or issues with a domain, we will provide you with an "Email Protection DNS Record Configuration Issues" table in the MDR Portal's Supplemental Data page (Insights section).

 

A single ARO will be generated per domain, with an aggregated list of all detected issues. However, to reduce ARO noise, we will not send any AROs if issues are identified for a large number of domains. If you would still like to receive AROs regardless of the volume, please contact us.


Here is an example of the table in the MDR Portal:



This table may include one or several detections. This article provides guidance and references for each detection to help you resolve any issues present with your email domains.


Detections and Guidance

Use the entries below to learn about each detection found in this table and how to resolve the issue.


Detection: SPF record not found
Description: SPF records help protect your domain from being spoofed.
Guidance: Create an SPF record for your domain using this guide:
https://globalcyberalliance.org/wp-content/uploads/SPF-Setup-Guide.pdf

Detection: SPF default policy is None or Soft-Fail
Description: The failure policy should be set to Hard-Fail to ensure that only the IPs authorized in the SPF record can send mail.
Guidance: We recommend using a Hard-Fail policy by specifying the following tag: "-all".

Detection: SPF record exceeds maximum DNS lookups
Description: SPF allows no more than 10 DNS lookups per record. This limit helps prevent Denial-of-Service attacks.
Guidance: The "include", "a", "mx", "ptr", and "exists" mechanisms and the "redirect" modifier all count towards an SPF record's DNS lookup limit. Remove unnecessary mechanisms, such as multiple "include" mechanisms, to ensure you have 10 or fewer DNS lookups. The "ip4" and "ip6" mechanisms do not count towards the DNS lookup limit, so where possible use them instead of "include".
For further guidance, see: https://learn.microsoft.com/en-us/defender-office-365/email-authentication-spf-configure#troubleshooting-spf-txt-records

Detection: SPF record invalid (multiple records)
Description: SPF allows only one record per domain; additional records must be removed for it to work correctly.
Guidance: Combine your SPF records into one, ensuring there are no more than 10 DNS lookups.

Detection: SPF record invalid (syntax error)
Description: The structure of the SPF record is invalid and must be fixed for it to work correctly.
Guidance: Review the following guides for more information on SPF syntax:
https://globalcyberalliance.org/wp-content/uploads/SPF-Setup-Guide.pdf
https://learn.microsoft.com/en-us/defender-office-365/email-authentication-spf-configure#troubleshooting-spf-txt-records

Detection: SPF record invalid ("include" loop)
Description: The "include" mechanism cannot reference the domain itself, as this causes a recursive loop.
Guidance: Remove this "include" mechanism from the SPF record.

Detection: SPF record invalid (too many void DNS lookups)
Description: SPF allows no more than 2 lookups that return an empty or no-domain response. This limit helps prevent Denial-of-Service attacks.
Guidance: Review your SPF record and remove the mechanisms that return an empty or no-domain response.

Detection: SPF record invalid (problematic "include" clause)
Description: The SPF record contains an invalid "include" mechanism and must be fixed for it to work correctly.
Guidance: Review the "include" mechanisms in your SPF record.

Detection: SPF record contains characters following the "all" tag
Description: The "all" tag concludes an SPF record, and any characters following it will be ignored.
Guidance: An SPF record must contain only one "all" tag, and it must be placed at the end of the record. Reformat your SPF record to ensure this is followed.

Detection: DMARC record not found
Description: DMARC records help prevent unauthorized use of your domain.
Guidance: Create a DMARC record for your domain using this guide:
https://dmarcguide.globalcyberalliance.org/#/

Detection: DMARC record invalid (syntax error)
Description: The structure of the DMARC record is invalid and must be fixed for it to work correctly.
Guidance: Review the following guides for more information on DMARC syntax:
https://www.globalcyberalliance.org/dmarc
https://dmarcguide.globalcyberalliance.org/#

Detection: DMARC record invalid (multiple records)
Description: DMARC allows only one record per domain; additional records must be removed for it to work correctly.
Guidance: Combine your DMARC records into one.

Detection: DMARC default policy is None
Description: The failure policy should be set to Reject or Quarantine. This prevents unauthorized emails from being delivered, or marks them as suspicious.
Guidance: We recommend using a Reject failure policy with "p=reject" or a Quarantine policy with "p=quarantine".
See "Do I need to use DMARC?" for more.
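The following script is an added example (not Field Effect's detection code) that reproduces the SPF and DMARC checks from the table above against record text you paste in, for instance the TXT strings returned by a DNS lookup tool. It performs no DNS queries itself, so the lookup count covers only the lookup-causing terms written in the record, not the recursive total behind each "include", and the void-lookup and problematic-"include" detections (which need live resolution) are not reproduced. The domain "example.com" and all record strings are constructed samples.

```python
"""Offline SPF / DMARC record checks mirroring the detections in the table above.

Added example, not Field Effect's own code. Parses record text only; performs no
DNS queries, so the lookup count is the number of lookup-causing terms present in
the record itself rather than the recursive total across "include" targets.
"""

# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Terms that never cause a lookup.
NO_LOOKUP_TERMS = {"ip4", "ip6", "exp"}
MAX_LOOKUPS = 10


def check_spf(domain: str, record: str) -> list[str]:
    """Return the detection names that apply to a single SPF record string."""
    issues: list[str] = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record invalid (syntax error)"]

    lookups = 0
    all_seen = False
    redirected = False
    for term in terms[1:]:
        if all_seen:
            # Receivers ignore everything after "all", so this text is dead weight.
            issues.append('SPF record contains characters following the "all" tag')
            break
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Split "name:value", "name=value" (a modifier) or a bare "name"; drop any "/cidr".
        sep = "=" if "=" in term else ":" if ":" in term else None
        name, value = term.split(sep, 1) if sep else (term, "")
        name = name.split("/")[0].lower()

        if name == "all":
            all_seen = True
            if qualifier != "-":  # "?all" is None, "~all" is Soft-Fail; only "-all" is Hard-Fail
                issues.append("SPF default policy is None or Soft-Fail")
        elif name in LOOKUP_TERMS:
            lookups += 1
            redirected = redirected or name == "redirect"
            if name in ("include", "redirect") and value.lower().rstrip(".") == domain.lower():
                issues.append('SPF record invalid ("include" loop)')
        elif name in NO_LOOKUP_TERMS or sep == "=":
            pass  # ip4/ip6/exp and unknown modifiers are valid and cost no lookup
        else:
            issues.append("SPF record invalid (syntax error)")

    if not all_seen and not redirected:
        # Without an "all" term the default result is Neutral, which behaves like None.
        issues.append("SPF default policy is None or Soft-Fail")
    if lookups > MAX_LOOKUPS:
        issues.append("SPF record exceeds maximum DNS lookups")
    return issues


def check_spf_records(domain: str, txt_records: list[str]) -> list[str]:
    """Apply the record-count detections, then the single-record detections."""
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return ["SPF record not found"]
    if len(spf) > 1:
        return ["SPF record invalid (multiple records)"]
    return check_spf(domain, spf[0])


def check_dmarc_records(txt_records: list[str]) -> list[str]:
    """Check the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC record not found"]
    if len(dmarc) > 1:
        return ["DMARC record invalid (multiple records)"]
    tags = {}
    for part in dmarc[0].split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            return ["DMARC record invalid (syntax error)"]
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        # "p" is mandatory and must be one of these three values.
        return ["DMARC record invalid (syntax error)"]
    if policy == "none":
        return ["DMARC default policy is None"]
    return []


if __name__ == "__main__":
    # Constructed sample records for an assumed domain; not real findings.
    spf_txt = ["v=spf1 ip4:192.0.2.0/24 include:example.com ~all -all"]
    dmarc_txt = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
    for issue in check_spf_records("example.com", spf_txt):
        print("SPF:", issue)
    for issue in check_dmarc_records(dmarc_txt):
        print("DMARC:", issue)
```

Run it against the TXT strings for your own domain and the _dmarc subdomain; each returned string matches a Detection name in the table above, so the Guidance entry for it applies directly.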



