A Sender Policy Framework (SPF) record is a TXT record that you add to your domain to help your recipients’ email server verify where email from your domain should be coming from. This should be used in conjunction with DKIM and DMARC as SPF by itself does not fully protect you.
How it works
- The domain administrator creates and publishes a TXT record that specifies the mail servers that are authorized to send mail for that domain
- When an email server receives an email, it compares the IP address of the sending mail server with the authorized addresses found in the SPF record.
- The receiving email server then uses the qualifiers specified in the SPF record to accept, reject or flag the message.
SPF record makeup
An SPF record is defined as a single string of text. Below is an example:
v=spf1 a mx ip4:103.24.1.3 include:_spf.google.com -all
The record is made up of a version, mechanisms and qualifiers.
Version
v=spf1: an SPF record always starts with this version tag.
Mechanisms
all: matches everything; used as a default at the end of the record, e.g. -all, to catch any sending IP not matched by an earlier mechanism.
a: matches when the domain name resolves to the sender's IP address, e.g. when the email server and web server are on the same IP address.
ip4: matches the specified IPv4 address.
ip6: matches the specified IPv6 address.
mx: matches when one of the domain's MX records resolves to the sender's IP address.
include: references the SPF policy of another domain, e.g. a third-party mail provider.
Qualifiers
Each of the above mechanisms can be combined with one of four qualifiers (when no qualifier is written, + is assumed):
+ for a PASS result
? for a NEUTRAL result, the same as having no policy
~ for a SOFTFAIL result; the message is accepted but tagged
- for a FAIL result
The above example breaks down to the following:
v=spf1: the version tag, present on every SPF record
"a", "mx", "ip4:" and "include:" specify the systems that are permitted to send messages for the domain
"-all" specifies that, if the previous mechanisms did not match, the message should be rejected
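To make the evaluation concrete, here is an added example (not code from the original article) of a small SPF checker: it parses a record into qualifier/mechanism/value terms and walks them left to right, returning the qualifier of the first match. It assumes a constructed in-memory DNS table instead of a live resolver, the domain names in it are placeholders, and modifiers such as exp= are skipped.

```python
import ipaddress

# Constructed stand-in for DNS (assumption: no live resolver; these names are examples only)
DNS = {
    "example.com": {"A": ["203.0.113.10"], "MX": ["mail.example.com"],
                    "TXT": "v=spf1 a mx ip4:203.0.113.0/24 include:_spf.partner.example -all"},
    "mail.example.com": {"A": ["203.0.113.25"]},
    "_spf.partner.example": {"TXT": "v=spf1 ip4:198.51.100.5 ~all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split a record into (qualifier, mechanism, value) terms; '+' is the default qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, value = term.lstrip("+-~?").partition(":")
        if "=" in mech:
            continue  # modifiers such as exp= are not handled in this example
        parsed.append((qual, mech.lower(), value))
    return parsed

def check_host(ip, domain, depth=0):
    """Evaluate sender `ip` against `domain`'s SPF record; the first matching term decides."""
    if depth > 10:
        return "permerror"  # cap include recursion so a looping policy cannot run forever
    record = DNS.get(domain, {}).get("TXT")
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qual, mech, value in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif mech == "a":
            matched = str(addr) in DNS.get(value or domain, {}).get("A", [])
        elif mech == "mx":
            hosts = DNS.get(value or domain, {}).get("MX", [])
            matched = any(str(addr) in DNS.get(h, {}).get("A", []) for h in hosts)
        elif mech == "include":
            matched = check_host(ip, value, depth + 1) == "pass"  # only a pass counts
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # ran off the end of the record with no match
```

Note that an include only matches when the referenced policy returns pass, so a ~all in the partner's record does not soften the parent's -all.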