SPF Records Explained: What Are They?
An SPF record is now required for reliable email delivery. It protects your emails from being faked. This protects you against phishing scams and trollers.
An SPF record is now required for reliable email delivery. It protects your emails from being faked. This protects you against phishing scams and trollers.
TXT is a DNS resource record. It is usually used to notify external sources about the domain. It's required for email security.
For example, a server sends an email to your ISP. The ISP can utilize an SPF record to validate the email. This record lists the domain's dedicated servers. So your ISP can reveal the source of an email and detect a forgery. It is a fundamental but not the sole protocol for email authentication.
What are email authentication standards?
Not even SMTP can shield you from spoofing, phishing, and spam. It lacks a feature to identify an email's origin and authenticate its url.
SPF, DKIM, and DMARC are frequently used to authenticate emails. They each do the following:
- SPF verifies the email's IP address.
- DKIM verifies the message's signature using keys.
- DMARC encloses both methods.
When may you require SPF?
Implement Sender Policy Framework if your digital product transmits transactional messages. So far, internet service providers require this. Your ISP may use secondary email screening if your SPF record is invalid or erroneous. If SPF syntax validation fails, your email may be marked as spam or banned.
SPF deters spammers and phishers by detecting fake emails. It protects your brand's reputation. To finalize, full email authentication (SPF + DKIM + DMARC) should be implemented.
How does SPF work?
Generally, the SPF involves the following steps:
- Making an SPF record This sets up an authentication policy and defines which mail servers can send emails from a domain.
- DNS check The DNS verifies an incoming message. The "envelope from" address should be the domain name. The inbound server then validates the SPF record for the sender's IP address. SPF authentication fails if it doesn't match any address in the record.
- Authentication result The mail server delivers, flags, or rejects the message according to the SPF record.
Myths about SPF
SPF is necessary but not sufficient to prevent spoofing. To properly use the framework, be aware of the following myths.
- Full domain spoofing protection
- SPF provides immediate anti-spam protection.
- SPF verifies the sender.
- SPF record per approved domain
- Authentication with DKIM is sufficient.
How do you create an SPF record for my domain?
Step 1: Prepare
Collect all permitted SPF mail servers and IP addresses.
Step 2: DNS management
Find the TXT record area in your ISP's DNS control panel.
Step 3: SPF log
Begin with v=spf1. Then v=spf2, v=spf3, etc.
Enter all approved IP addresses here:
ip4:35.167.41.421 ip6:2a13:c025:e4:7a01:bc72:dcb5:7a13
Mark each third-party email service as a trusted sender with the include tag:
sendgrid.net or mandrillapp.com
Add qualifiers or modifiers to the SPF record.
The all-tag usually closes the record.
-all
– all unknown servers are prohibited (emails will be rejected).
Not allowed servers will be noted and accepted.
+any
– allowed servers.
The most common SPF record looks like this:
"v=spf1 a"
All A and MX records on this domain can send emails. Anything above that will be rejected.
SPF Record Syntax
Let's start with a simple SPF record.
"v=spf1 +a"
The rest are Processes, Qualifiers, and Modifiers to specify distinct SPF check rules. Here is what you can set up in your SPF record.
Qualifier | Purpose | Implementation |
---|---|---|
+ | Accept. The host is allowed to send a message | + |
– | Reject. The host is not allowed to send a message | – |
~ | Accept but mark. The host is not allowed to send a message but is in transition (the mechanism is for testing purposes) | ~ |
? | Accept. The host validity is unstated | ? |
Mechanism | Purpose | Implementation |
---|---|---|
a | Defines the DNS A record of the domain as authorized. If unspecified, the current domain is used | aa/a:a:/ |
all | Defines policy for all other sources | all |
exists | Checks validity of an A record for a provided domain | exists: |
include | Includes the specified domain as authorized. If the domain does not have a valid record, you'll get 'permerror' | include: |
ip4 | Defines the IPv6 network range. Can be used with prefix, which denotes the range length. If no prefix is specified, /32 is the default | ip4:ip4:/ |
ip6 | Defines the IPv6 network range. Can be used with prefix, which denotes the range length. If no prefix is specified, /128 is the default | ip6:ip6:/ |
mx | Defines the DNS MX record of the domain as authorized. I.e., the message must be sent by one of the domain's incoming mail servers. | mxmx/mx:mx:/ |
ptr [deprecated] | Defines the reverse hostname and subdomain of the sending IP address. | ptrptr: |
Modifier | Purpose | Implementation |
---|---|---|
exp | Specifies the explanation that a sender will see if the message has been rejected | exp= |
redirect | Replaces domain with the current record | redirect= |
SPF record downsides
- Changing ISPs or adding mail streams complicates updating SPF data.
- SPF by itself does not ensure authenticity.
- There is a possibility of disrupting SPF records regarding plain message forwarding.
Bottom line
As a parting shot, please note:
- An SPF record string cannot exceed 255 characters. Multiply records if needed
- Some DNS services don't require quotes around record data. Prioritize it
- Subdomain records must be designated accordingly.
- To avoid overloading the DNS, the broad variety of methods should be capped to 10.