Fail Hard

Julie Ahlstedt

Jan 25, 2024, 3:45:16 PM1/25/24
to geigeperstas

Montreal's Olympic Stadium is often considered the most poorly managed construction project ever. What started as a $140 million project ballooned to over $3 billion. Every moment of this stadium's 50-year legacy is laced with failure. This episode explores how the stadium went off the rails and what we can learn from it.

On the receiving end, Terry Zink, who works in enterprise spam filtering, offers a strong case for hard Fail to prevent phishing emails from going through, and says most people use SoftFail because organizations are more afraid of emails being lost than about forged emails. What is the likelihood that a forged phishing email which SPF SoftFails actually gets to someone's inbox?

fail hard

Download ———>>> https://t.co/i9B9KZaGVs

As mentioned above, the caveat with SPF is that it is checked against the SMTP envelope sender, saved in the message header field Return-Path. An actual recipient will have no knowledge of this field, because most email clients will only present them with another field, the header From. For example: I send an email with a header From: [email protected], but I use [email protected] as the envelope sender. Even though microsoft.com publishes a Fail SPF policy, it will not fail SPF because example.com does not publish an SPF record. The recipient will just see an email from [email protected].

Use the --soft-fail-on option to pass one or more check IDs (including wildcards) and / or severity levels to specify which failed checks will result in a soft fail result. Any failed check that does not match any criterion in the soft-fail list will result in an error exit code (1).

For soft fails, a failed check matches the threshold if its severity is less than or equal to the soft fail severity. If you specify more than one severity for soft fail, then the highest severity will be used as the threshold.

Use the --hard-fail-on option to pass one or more check IDs and / or severity levels to specify which failed checks will result in an error result. If none of the failed checks matches any criterion in the hard-fail list, then the result of the scan will be a soft fail (0).

For hard fails, a failed check matches the threshold if its severity is greater than or equal to the hard fail severity. If you specify more than one severity for hard fail, then the lowest severity will be used as the threshold.

Checkov can download enforcement rules that you configure in the Prisma Cloud platform. This allows you to centralize the failure and check threshold configurations, instead of defining them in each pipeline.

Enforcement rules allow you to specify a hard-fail severity threshold equivalent to using the --hard-fail-on argument in Checkov. However, whereas this argument is global, the enforcement rules settings are more granular, for each major category of scanner that Checkov has (IaC, secrets, etc). So, for example, you can hard-fail any IaC scan on MEDIUM severity or higher, and hard-fail the SCA scan on HIGH severity or higher.

You can combine the platform enforcement rules with the --soft-fail, --soft-fail-on, and --hard-fail-on arguments to customize the options for a specific run. It will have the following effects. Note that these flags are still global and will get merged with the relevant enforcement rule for the particular framework being scanned.

DMARC (Domain-based Message Authentication, Reporting and Conformance) specifies these possible errors (non-pass) in SPF (Sender Policy Framework) authentication: none, neutral, fail (hard fail), softfail (soft fail), temperror (temporary error), and permerror (permanent error).

It's straightforward enough in the pass scenario when everything goes well: the SPF record exists, is syntactically correct, and the IP address in question appears on the list. However, it gets a bit tricky when SPF authentication fails, for various reasons.

SPF neutral can be interpreted in DMARC as either pass or fail (!), depending on how you set up DMARC on your email server. This is normally controlled by a flag in your DMARC setup, and it varies across DMARC packages. In OpenDMARC by Trusted Domain, SPF neutral is interpreted in DMARC as fail by default.

SPF softfail is a weak statement that the host is probably not authorized. The domain has not published a stronger, more definitive policy that results in a "fail". This is typically implemented by appending a ~all mechanism to an SPF record. When this mechanism is evaluated, any IP address will cause SPF to return a softfail result.

Like neutral, SPF softfail can be interpreted in DMARC as either pass or fail, depending on how you set up DMARC on your email server. In OpenDMARC, SPF softfail is interpreted in DMARC as fail by default.

SPF fail, also known as SPF hardfail, is an explicit statement that the client is not authorized to use the domain in the given identity. This is implemented by appending a -all mechanism to an SPF record. When this mechanism is evaluated, any IP address will cause SPF to return a fail result.

An SPF temperror causes the email server to return a temporary failure, i.e., the corresponding SMTP command will return an appropriate 4xx status code. The client may try again later to deliver the email, depending on how the retry policy is set up.

So if you choose to use -all, the SPF result is interpreted consistently as fail across DMARC deployments/packages, while ?all and ~all might be interpreted differently (pass or fail) on different email servers.

Mailhardener recently started displaying a warning in the Mailhardener dashboard and SPF validator if a domain uses an SPF 'hard' fail catch-all term (-all). We do this to warn domain administrators about the often unintended consequences of using the SPF 'hard' fail in the all mechanism.

Following this change, we got many questions from our community. Understandable, because there are many resources online which claim that -all should be used as part of good email hardening. Some of our customers also mentioned that some well-known companies and government organizations are (still) using SPF 'hard' fail. This causes understandable doubt in our push to recommend softfail over 'hard' fail.

In this article we'll try to give a concise and clear explanation of this much debated, sometimes even controversial topic. Our goal is to make our readers understand why the SPF 'hard' fail should be used with caution. We'll use the various relevant RFCs, as well as explain several design flaws in SPF, to show why SPF 'hard' fail can cause deliverability issues. Finally, we'll explain why 'hard' fail does not add any security benefits in a modern email infrastructure, and which methods domain administrators should focus on instead.

As you can see, RFC 7208 does not mandate how a fail result should be handled by a receiver. However, the most common outcome is that the receiver simply rejects the email on the SMTP level (also known as a 'bounce').

So, an email from a sender that matches a softfail (~) term will be accepted on the SMTP level for further evaluation, though it will have failed SPF. An email with an SPF softfail result may still be inspected for other authentication methods, such as DKIM.

This greatly simplified the processing terms for the receiver, as anything that is not an SPF pass (+) is not SPF aligned, and thus will not result in DMARC alignment. So SPF 'hard' fail (-), softfail (~) and even neutral (?) have the exact same effect when using DMARC.

As we have also learned, an SPF 'hard' fail (-all) is performed on the SMTP level. If the email is bounced on the SMTP level due to an SPF 'hard' fail, the receiver may not perform further evaluation of the email, ignoring DKIM and DMARC.

As we have now learned, DMARC changes the behavior of how receivers are to treat the SPF evaluation results. Simply said: any SPF result which is not an aligned pass is a failure. So SPF 'hard' fail (-), softfail (~) and even neutral (?) have the exact same effect when using DMARC.

So, when DMARC is used (which all domains should), 'hard' fail will not make your domain less susceptible to unauthorized use. Because with DMARC, from a security perspective SPF 'hard' fail is identical to softfail. But from a deliverability perspective, SPF 'hard' fail is worse than softfail.

Obviously every SMTP software implementation may choose to deviate from the standards, and make its own implementation of a reputation system which checks for the SPF policy. However, the deliverability issues with SPF 'hard' fail will vastly outweigh the potential reputation benefits of obscure spam detection systems.

For Mailhardener customers, the use of -all will not affect the domain rating in your Mailhardener Dashboard, but it will display a warning to make sure you are aware of the potential problems with using -all.

We encourage domain administrators to adopt DMARC: not only does it solve many of the security issues with SPF, it will also positively affect deliverability, and thus domain reputation. Remember that the whole point of email hardening is to provide the receiver with as much information as possible to make informed decisions on whether your email is spam or not. If the sender domain uses DMARC, the receiver will have a high confidence in the email being legitimate, thus counting the email towards the domain reputation (that is, unless it is spam).

Many popular email platforms (Mailchimp for example) no longer even bother with SPF alignment. This sometimes confuses first-time DMARC adopters, seeing a 0% SPF alignment rate for these services. But this is perfectly fine since they use DKIM for all emails. The DMARC pass rate will still be 100%, even though they consistently fail SPF alignment.

Again, an SPF 'hard' fail term may prevent a receiver from evaluating the DKIM signature, which means that even a fully legitimate DKIM aligned email may become undeliverable. As you have now learned, this is why SPF 'hard' fail should be avoided. The screenshot above is taken from a domain that uses SPF softfail (~); had they used the SPF 'hard' fail, deliverability would have been negatively affected.

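The post's central claim is that -all, ~all and ?all yield different SPF results but the same DMARC outcome, while only -all typically gets the message rejected at the SMTP stage before DKIM is ever checked. The following toy evaluator, added here as an example and not code from the original post or from any of the projects it quotes, makes that concrete. It understands only ip4/ip6 mechanisms and the trailing all term; the record, the sender addresses (documentation ranges 192.0.2.0/24 and 203.0.113.9) and the domain names are constructed for the example, and the SMTP-stage handling encodes the common practice the post describes, not anything RFC 7208 mandates.

```python
"""Toy SPF evaluator showing how the 'all' qualifier changes the SPF result,
the typical SMTP-stage handling, and the (unchanged) DMARC alignment outcome.
Added example; only ip4/ip6 mechanisms and the trailing 'all' are supported."""
import ipaddress

# RFC 7208 qualifier characters and the SPF result each one produces on a match.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return the SPF result for client_ip against a published SPF record.

    A missing record yields 'none'; a record that is not 'v=spf1 ...' or that
    uses a mechanism this toy does not implement yields 'permerror'."""
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":             # catch-all: always matches
            return QUALIFIER_RESULT[qualifier]
        if term.lower().startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
            continue
        return "permerror"                    # a/mx/include/etc. not modelled here
    return "neutral"                          # no 'all' term: default result


def spf_dmarc_aligned(spf_result, envelope_domain, header_from_domain):
    """DMARC SPF identifier alignment in relaxed mode: only an SPF 'pass'
    whose envelope-sender domain matches (or is a subdomain of) the header
    From domain counts. Every other SPF result is simply 'not aligned'."""
    if spf_result != "pass":
        return False
    env, hdr = envelope_domain.lower(), header_from_domain.lower()
    return env == hdr or env.endswith("." + hdr)


def smtp_stage_outcome(spf_result):
    """Common receiver behaviour at the SMTP stage (practice, not a mandate):
    'fail' is frequently rejected outright, so DKIM/DMARC never run."""
    if spf_result == "fail":
        return "reject"
    if spf_result == "temperror":
        return "tempfail"
    return "accept"


def compare_all_qualifiers(client_ip="203.0.113.9"):
    """Evaluate the same unauthorized sender (constructed address) against
    '-all', '~all' and '?all' and report SPF, SMTP and DMARC outcomes."""
    base = "v=spf1 ip4:192.0.2.0/24 "          # constructed authorized range
    outcomes = {}
    for qualifier in ("-", "~", "?"):
        result = evaluate_spf(base + qualifier + "all", client_ip)
        outcomes[qualifier + "all"] = {
            "spf": result,
            "smtp": smtp_stage_outcome(result),
            # envelope and header From both example.com, so alignment is
            # decided purely by the SPF result
            "dmarc_spf_aligned": spf_dmarc_aligned(result, "example.com", "example.com"),
        }
    return outcomes


if __name__ == "__main__":
    for term, outcome in compare_all_qualifiers().items():
        print(term, outcome)
```

Running it shows every variant ending with dmarc_spf_aligned False for the unauthorized sender, while only the -all record produces an SMTP-stage reject; an authorized sender inside 192.0.2.0/24 gets a pass and aligns regardless of which all qualifier closes the record.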