Your SPF Record Is an Attacker's Roadmap
A single DNS record reveals your high-value vendors, email infrastructure, and the trust relationships an attacker can exploit.

Before a red team sends the first pretexted email, we read the DNS. We aren't looking for server addresses or MX records, not at first. We are looking for a declaration of trust, publicly accessible and globally replicated, that spells out a company's most critical business relationships. We're looking for their SPF record.
This humble TXT record, defined in RFC 7208, is intended to be a security control—a way for a domain owner to declare which mail servers are authorized to send email on their behalf. But for an attacker, it's something more. It's a blueprint of your technology stack, a vendor list, and a map of your operational dependencies.
Every `include` mechanism in that record is a thread to pull. And operators are getting very, very good at pulling them.
The SPF Record as a Technology Blueprint
At its core, Sender Policy Framework (SPF) is a simple concept. A receiving mail server looks up the SPF record for the domain found in the SMTP `MAIL FROM` command. It then checks if the connecting client's IP address matches the policy. If it matches, the check is a `pass`. If not, it's a `fail`, `softfail`, or other error. Simple.
But the power—and the exposure—lies in *how* you define that policy. You can use mechanisms like `ip4`, `ip6`, `a`, and `mx` to specify your own infrastructure. That's fine. The real intelligence comes from the `include` mechanism. When you authorize a third party to send email for you, you don't list their IPs directly. Instead, they tell you to add something like `include:servers.mcsv.net` (Mailchimp) to your record. You are, in effect, importing their SPF policy into your own.
This creates a public, machine-readable list of your service providers. It’s an act of delegation. You are telling the world, "I trust any server authorized by this other domain to speak for me." For an OSINT analyst or attacker, this is pure gold. It's a directory of who you do business with.
Deciphering the Vendor List
Not all `include`s are created equal. Some reveal far more about a target's internal operations than others. An operator doesn't just see a list of hostnames; they see a menu of potential attack vectors.
High-Value Targets in Plain Sight
Look at an SPF record. Do you see `include:_spf.google.com`? The target uses Google Workspace. `include:spf.protection.outlook.com`? Microsoft 365. These are foundational, but expected. The interesting ones are more specific. `include:mail.zendesk.com` tells you they use Zendesk for customer support. This means support agents, ticketing systems, and customer data. An attacker now knows they can craft a plausible phish around a fake support ticket notification.
Seeing `include:mktomail.com` reveals a Marketo integration. This points to marketing automation, lead generation, and potentially a connection to a CRM. A phish themed around a "new lead assignment" or a "marketing campaign report" becomes instantly more credible. What about `include:salesforce.com`? That's the crown jewel, suggesting a deep investment in a sales platform that likely houses sensitive customer and pipeline information.
v=spf1 include:_spf.google.com include:mail.zendesk.com include:servers.mcsv.net ~all
Chasing the `include` Chain
It gets deeper. An SPF record is limited to 10 DNS lookups to resolve fully. This is a key constraint from RFC 7208 meant to prevent denial-of-service attacks against receivers. But those 10 lookups can form a chain. Your `include:servers.mcsv.net` might itself contain another `include`, which contains another. An attacker will recursively resolve every `include` and `redirect` until they hit the IP addresses or the lookup limit. This process maps out not just your direct vendors, but your vendors' vendors, painting an even richer picture of the software supply chain.
Pivoting from `include` to Attack
Enumerating vendors is just the first step. The real goal is to find the weakest link in that chain of trust and exploit it. Reconnaissance gives you the 'what'; the next phase is figuring out the 'how'.
Searching for the Path of Least Resistance
With a list of five, ten, or even fifteen third-party services, an attacker can start hunting. They'll ask questions like: Which of these services has a history of breaches? Which one has a login portal that's easy to spoof? Which one is a smaller company with a less mature security program? The attacker isn't trying to breach your target's perimeter directly; they're looking to compromise an account on a trusted third-party service and use that legitimate access to send a malicious email.
That email will pass SPF, because it's coming from an authorized server. It will likely pass DKIM (RFC 6376) because the service is signing it. And if the service's domain is aligned with the `From` header, it might even pass DMARC (RFC 7489). This is the essence of a Business Email Compromise (BEC) attack that leverages a trusted third party.
Crafting the Hyper-Contextual Phish
The SPF record provides the context needed for a highly effective social engineering attack. Instead of a generic "Your invoice is attached" email, an attacker who sees `include:salesforce.com` can send a phish that says, "A new opportunity has been assigned to you in Salesforce. Click here to view." The link points to a perfect pixel-for-pixel clone of the Salesforce login page. The specificity disarms the user. They expect to receive notifications from Salesforce, so the request seems legitimate. They were a target not because of who they are, but because of the software their company uses—software that was advertised in a public DNS record.
SPF Minimization: The Only Real Defense
So, how do you defend against this reconnaissance? The unfortunate answer is that you can't fully prevent it. The very nature of SPF requires this information to be public. However, you can and absolutely should control what you broadcast.
The Futility of Obfuscation
Some administrators attempt to 'obfuscate' their SPF records. They might create a subdomain, like `_spf.mydomain.com`, and publish a record there that contains all the real `include` mechanisms. The primary domain's SPF record then just points to this subdomain with `include:_spf.mydomain.com`. This adds one hop to the process. An attacker will find it in seconds. This isn't a security control; it's a minor inconvenience that complicates your own DNS management.
Audit, Minimize, and Enforce
The real defense is good hygiene. Your SPF record is an attack surface. Minimize it. You must treat every `include` as a potential liability. Set up a quarterly review of your SPF record. Ask the hard questions. Do we still use this service? Was this vendor for a short-term project that's now over? Is this marketing platform still active? If you can't justify an entry, remove it. A lean SPF record is a sign of a well-administered, security-conscious organization.
Ultimately, your best defense is a strict DMARC policy (`p=reject`). While it doesn't stop an attacker from seeing your vendors, it significantly raises the bar for exploitation. If they manage to compromise an account on that third-party service, DMARC ensures their malicious emails (if the `From` header is misaligned) are rejected outright. This combination of a minimal SPF record and an enforced DMARC policy is the standard for modern email defense.
The takeaway
Stop thinking of your SPF record as a set-it-and-forget-it configuration. It is a living document that advertises your trust relationships to the world. A bloated record with a dozen `include` mechanisms isn't a sign of a complex business; it's a sign of unmanaged risk.
The intelligence is public. Attackers are reading it. The only question is whether you are reading it with the same critical eye. Regular auditing of your authorized senders, facilitated by tools that can fully expand and analyze your SPF, DKIM, and DMARC policies like MailSleuth.AI, is no longer optional—it's a critical part of managing your external attack surface.
We dissect phishing campaigns and email infrastructure so you don't have to.


