SPF record

A Sender Policy Framework (SPF) record is a TXT record that you add to your domain to help your recipients’ email server verify where email from your domain should be coming from. This should be used in conjunction with DKIM and DMARC as SPF by itself does not fully protect you.

How it works

  1. The domain administrator creates and publishes a TXT record that specifies the mail servers that are authorized to send mail for that domain
  2. When an email server receives an email it compares the IP address of the sending mail server with the authorized IP address found in the SPF record.
  3. The receiving email server then uses the rules specified in the SPF record to accept, reject or flag the message

SPF record make up

An SPF record is defined as a single string of text. Below is an example

V=spf1 a mx ip4: include:_spf.google.com -all

The record is made up of a version, mechanisms and qualifiers

V=spf1   An SPF record always starts with this

ALL         Matches everything, used for a default like -all to match all IP not matched by prior mechanisms
A             Used when the domain name can be resolved to the sender’s address,  i.e the email server and website server as on the same IP address
IP4          Specifies an IPv4 address
IP6          Specifies an IPv6 address
MX         Used when the MX records resolve to the sender’s address
INCLUDE              References the policy of another domain.

Each of the above mechanisms can be combined with one of four qualifiers
+             for a PASS result
?              for a NETURAL results, same have no policy
~             For a SOFTFAIL, the message is accepted but tagged
–             for FAIL

The above example breaks down to the following
V=spf1  – on every SPF record
“a” “mx” “IP4” and “include:” specify the systems that are permitted to send messages for the domain
“-all” specifies that, if the previous mechanisms did not match, the message should be rejected

Leave a Reply