Network Security - DNS Domains with SPF configured¶
Description¶
The percentage of DNS domains with email configured that has an SPF record created in the DNS zone.
How we measure it¶
Query all DNS domains. For every domain that has an MX record, check if the SPF record has been created.
Meta Data¶
| Attribute | Value |
|---|---|
| Metric id | ns_domains_with_spf |
| Category | Network Security |
| SLO | 95.00% - 99.00% |
| Weight | 0.5 |
| Type |  |
References¶
| Framework | Ref | Domain | Control |
|---|---|---|---|
| ISO 27001:2022 | A.8.20 | 8 Technological controls | Networks security |
| CIS 8.1 | 9.2 | Email and Web Browser Protections | Use DNS Filtering Services |
| CIS 8.1 | 9.3 | Email and Web Browser Protections | Maintain and Enforce Network-Based URL Filters |
| CIS 8.1 | 12.6 | Network Infrastructure Management | Use of Secure Network Management and Communication Protocols |
| NIST CSF v2.0 | PR.DS-01 | Data Security (PR.DS) | PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected |
Code¶
SELECT
domain AS resource,
'domain' as resource_type,
CASE
when mx == [] then 1
when cast(txt as string) like '%v=spf1%' then 1
else 0
end as compliance,
CASE
when mx == [] then 'No MX record found - assumed no email'
when cast(txt as string) like '%v=spf1%' then 'SPF record found'
else 'MX record found, but no SPF record'
end as detail
FROM
{{ ref('domains') }}