Cloudflare zones are assessed for SPF (Sender Policy Framework) records by checking whether a TXT record exists that specifies which mail servers are authorized to send email on behalf of the domain, and by verifying that the record ends with the strict policy (-all) so that unauthorized senders are rejected.
Risk
Without SPF or with a permissive policy (~all, ?all, +all), attackers can forge emails from your domain. Phishing attacks can harvest sensitive information from recipients who trust spoofed emails. Brand reputation is damaged by fraudulent emails. ~all only marks emails as suspicious without rejecting them.
prowler cloudflare --checks zone_record_spf_exists
Recommendation
Configure SPF records with strict policy (-all) listing authorized mail servers.
- SPF records start with v=spf1 and define authorized senders
- Use -all (hardfail) to reject emails from unauthorized servers
- Avoid ~all (softfail) in production as it only marks suspicious emails but does not reject them
- Use include: to authorize third-party mail services
- Combine with DKIM and DMARC for comprehensive email authentication
- Test SPF records using online validators before deployment
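As an added example, not Prowler's own source code, the following Python reproduces the evaluation this check describes (an SPF TXT record must exist and must end in -all) over constructed DNS answers, and goes a little beyond it: it also flags two conditions that make receivers return permerror and silently disable SPF, namely more than one v=spf1 record on a zone and more than 10 DNS-lookup mechanisms (RFC 7208 section 4.6.4). The SAMPLE_TXT_RECORDS zones, the function names and the SpfResult fields are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample TXT answers per zone, standing in for the records Prowler
# reads through the Cloudflare API. These zones and records are made up.
SAMPLE_TXT_RECORDS: Dict[str, List[str]] = {
    "strict.example": ["v=spf1 include:_spf.google.com -all", "verify=abc123"],
    "soft.example": ["v=spf1 mx ~all"],
    "open.example": ["v=spf1 +all"],
    "noall.example": ["v=spf1 include:_spf.example.net"],  # no "all": implicit ?all
    "none.example": ["google-site-verification=xyz"],      # no SPF record at all
    "dup.example": ["v=spf1 -all", "v=spf1 mx -all"],      # two SPF records: permerror
    "lookups.example": [
        "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"
    ],
}

# Mechanisms and modifiers that each cost a DNS lookup (RFC 7208 section 4.6.4)
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_DNS_LOOKUPS = 10
QUALIFIER_NAMES = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


@dataclass
class SpfResult:
    status: str                      # "PASS" or "FAIL"
    message: str
    record: Optional[str] = None     # the SPF record that was evaluated, if any
    all_qualifier: Optional[str] = None  # qualifier on the "all" mechanism
    lookups: int = 0                 # DNS-lookup mechanisms counted before "all"


def is_spf_record(txt: str) -> bool:
    # The version tag is case-insensitive and must be the whole first term.
    low = txt.strip().lower()
    return low == "v=spf1" or low.startswith("v=spf1 ")


def evaluate_spf(txt_records: List[str]) -> SpfResult:
    spf = [r.strip() for r in txt_records if is_spf_record(r)]
    if not spf:
        return SpfResult("FAIL", "no SPF record found")
    if len(spf) > 1:
        return SpfResult("FAIL", "multiple SPF records; receivers treat this as permerror", spf[0])
    record = spf[0]
    qualifier = None
    lookups = 0
    for term in record.split()[1:]:
        t = term.lower()
        m = re.fullmatch(r"([+\-~?])?all", t)
        if m:
            qualifier = m.group(1) or "+"   # a bare "all" means "+all"
            break                           # receivers ignore anything after "all"
        name = re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
    if qualifier is None:
        return SpfResult("FAIL", "no 'all' mechanism; receivers default to neutral", record, None, lookups)
    if qualifier != "-":
        msg = f"'{qualifier}all' is {QUALIFIER_NAMES[qualifier]}; unauthorized senders are not rejected"
        return SpfResult("FAIL", msg, record, qualifier, lookups)
    if lookups > MAX_DNS_LOOKUPS:
        msg = f"{lookups} DNS-lookup terms exceed the limit of {MAX_DNS_LOOKUPS}; receivers return permerror"
        return SpfResult("FAIL", msg, record, qualifier, lookups)
    return SpfResult("PASS", "SPF record present with strict -all policy", record, qualifier, lookups)


def run_check(zones: Dict[str, List[str]] = SAMPLE_TXT_RECORDS) -> Dict[str, SpfResult]:
    return {zone: evaluate_spf(records) for zone, records in zones.items()}


if __name__ == "__main__":
    for zone, result in run_check().items():
        print(f"{result.status:4} {zone:18} {result.message}")
```

Only strict.example passes; every other constructed zone fails for a different reason, which is the set of cases worth confirming against your real zones before trusting a green result from the check alone.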
Remediation
- Log in to the Cloudflare dashboard and select your account and domain
- Go to DNS > Records
- Click Add record
- Select TXT as the record type
- Enter @ for the Name field
- Enter your SPF record with strict policy (e.g., v=spf1 include:_spf.google.com -all)
- Click Save
Resource Type
Zone