SPF
- SPF (Sender Policy Framework) is a mechanism that identifies the mail servers authorized to send email on behalf of your domain.
- Published as a TXT record at your DNS host/nameserver (the dedicated SPF record type was deprecated by RFC 7208; publish a TXT record).
- Receiving servers look up that record and check the IP address of the connecting server against it.
- If a record exists and the connecting server is not listed, the message fails the check and may be rejected or sent to spam. If no record exists at all, the result is "none" rather than a fail, and the recipient falls back to its own policy.
- Each sending mail server must be identified, either directly by IP address (ip4/ip6) or indirectly through a domain lookup (a, mx, include).
- SPF is limited to 10 DNS lookups per evaluation: the terms a, mx, include, exists and redirect each count, while ip4, ip6 and all do not. Going over 10 causes a PermError and the record becomes unusable for that message.
- It is not recommended to identify marketing services, like Mailchimp or Sendgrid, in SPF.
  - They send from large, changing pools of servers, so you can't pin down an IP address, and their include: records often chain through several further lookups that eat into the 10-lookup budget. A lookup that times out yields a TempError rather than a pass.
- Provides authorization of sending hosts: SPF is checked against the envelope sender (MAIL FROM / Return-Path) domain, not the From: header the user sees.
SPF Implementation
Honestly, the syntax guide on Open-SPF is phenomenal, but here's a breakdown of a typical record[1] for quick reference.
The SPF record is processed left to right; the first mechanism that matches the connecting IP determines the result (its qualifier decides pass, fail, softfail or neutral) and nothing after it is evaluated.
The name of the SPF record designates the domain it is being applied to; it can be `@` (or the bare domain, depending on your DNS host) to reference the domain itself (e.g. example.com), or a subdomain like mail.example.com.
- Name: `@`
  - Designates the domain to which the SPF record applies; `@` is the zone apex, i.e. the domain itself (e.g., example.com)
  - Can also use a subdomain, like `mail` or `mail.example.com`, with formatting depending on your DNS host. SPF is checked against the exact domain in the envelope sender, so a record on example.com does not cover mail.example.com; every subdomain that sends mail needs its own record.
- Value: `v=spf1 +a mx ip4:123.45.67.89 a:contoso.com include:mail.example.com -all`
  - `v=spf1`
    - Version = SPF 1; must be the first term of the record
  - `+a`
    - The `+` is a qualifier that says what to do if the connecting IP matches that mechanism; the four qualifiers are:
      - `+` = Pass, the host is allowed to send; this is the default and does not need to be written out (it is only shown here for demonstration)
      - `-` = Fail, the host is not allowed to send
      - `~` = SoftFail, the host is probably not allowed to send; used while transitioning away from a host that still sends some authentic mail
      - `?` = Neutral, the record says nothing either way about the host
    - The `a` tells the recipient to look up the current domain's address records and treat those addresses as designated senders. It matches against A records for an IPv4 connection and AAAA records for an IPv6 connection; there is no separate `aaaa` mechanism. To list a specific IPv6 address, use `ip6:` the same way `ip4:` is used below.
  - `mx`
    - Check the current domain's DNS for MX records, resolve each MX host's address, and mark those addresses as designated senders
    - Note: since the default qualifier is `+`, it does not need to be written out
  - `ip4:123.45.67.89`
    - Designates the IP address `123.45.67.89` as an authorized sender; a range can be given in CIDR form (e.g. `ip4:123.45.67.0/24`). Neither `ip4:` nor `ip6:` consumes one of the 10 DNS lookups.
  - `a:contoso.com`
    - Checks `contoso.com` for A records[2] and designates them as senders
  - `include:mail.example.com`
    - Fetches `mail.example.com`'s own SPF record and evaluates the connecting IP against it; if that record passes, this mechanism matches. If the included record fails, softfails or is neutral, this mechanism simply does not match and processing continues with the next term; if the included domain has no SPF record at all, the result is a PermError.
    - Be careful: each `include:` counts toward the 10 DNS lookup limit, as do any `a`, `mx` and further `include:` terms inside the included record, so a chain of includes can quickly cause a PermError
  - `-all`
    - Fail all hosts that have not been matched to this point in the record
    - Because this is the last entry, any mail that is matched by one of the earlier entries gets through, and everything else is failed
    - Similar to a firewall configuration where the last rule is often `deny any any`
    - Because this is a Fail qualifier, it has to be written out explicitly as `-`. A record ending in `~all` softfails unmatched hosts instead, `?all` says nothing about them, and `+all` (or a bare `all`) authorizes the whole Internet to send as your domain and should never be published.
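To make the left-to-right processing, the qualifiers, the include: semantics and the 10-lookup limit concrete, here is an added Python evaluator written for this page; it is not code from the page's sources or from the Open-SPF project. It walks the typical record above against a constructed in-memory stand-in for DNS: every domain, address and record in it (including `loop.example` and `nospf.example`) is made up for the demonstration, and the `evaluate`/`check_host` function names are this example's own. It implements the terms used on this page (a, mx, ip4, ip6, include, all) and deliberately leaves out redirect=, exp=, exists, ptr and CIDR suffixes on a/mx.

```python
"""Minimal SPF evaluator (after RFC 7208) run against an in-memory stand-in for DNS."""
import ipaddress

MAX_LOOKUPS = 10                                   # RFC 7208 s4.6.4 limit on lookup-causing terms
LOOKUP_TERMS = {"a", "mx", "include", "exists", "redirect"}  # ip4, ip6 and all cost nothing
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data keyed by (name, record type); nothing here is real.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 +a mx ip4:123.45.67.89 a:contoso.com include:mail.example.com -all"],
    ("example.com", "A"): ["198.51.100.10"],
    ("example.com", "AAAA"): ["2001:db8::10"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["198.51.100.25"],
    ("contoso.com", "A"): ["203.0.113.5"],
    ("mail.example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],         # includes itself forever
    ("nospf.example", "TXT"): ["v=spf1 include:unpublished.example -all"],  # included domain has no SPF
}


class PermError(Exception):
    """Permanent error: malformed record, unknown mechanism, or lookup limit exceeded."""


def dns(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """The domain's single SPF TXT record, or None; two records is a permerror."""
    found = [r for r in dns(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(found) > 1:
        raise PermError(f"{domain}: more than one SPF record")
    return found[0] if found else None


def ip_in(ip, targets):
    """True if ip is inside any target address or CIDR; an address-family mismatch never matches."""
    for t in targets:
        try:
            net = ipaddress.ip_network(t, strict=False)
        except ValueError as exc:
            raise PermError(f"bad address {t!r}") from exc
        if ip.version == net.version and ip in net:
            return True
    return False


def host_addrs(name, ip):
    # "a" (and the hosts behind "mx") consult A for an IPv4 client and AAAA for an IPv6 client;
    # SPF has no "aaaa" mechanism. CIDR suffixes on a/mx are not handled in this example.
    return dns(name, "A" if ip.version == 4 else "AAAA")


def check_host(ip, domain, budget):
    """Evaluate the record for client ip claiming MAIL FROM domain; budget is a shared lookup counter."""
    record = spf_record(domain)
    if record is None:
        return "none"                               # a missing record is "none", not "fail"
    for term in record.split()[1:]:
        if "=" in term:                             # modifier (redirect=, exp=): out of scope here
            raise NotImplementedError(f"modifier {term!r} not supported by this example")
        qual = "+"                                  # the default qualifier
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in LOOKUP_TERMS:
            budget[0] += 1
            if budget[0] > MAX_LOOKUPS:
                raise PermError(f"more than {MAX_LOOKUPS} DNS lookups")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_in(ip, [arg])
        elif mech == "a":
            matched = ip_in(ip, host_addrs(arg or domain, ip))
        elif mech == "mx":
            matched = any(ip_in(ip, host_addrs(mx, ip)) for mx in dns(arg or domain, "MX"))
        elif mech == "include":
            # include matches only when the included record passes; its fail/softfail/neutral
            # is just "no match" here, and an included domain without a record is a permerror
            inner = check_host(ip, arg, budget)
            if inner == "none":
                raise PermError(f"include:{arg} has no SPF record")
            matched = inner == "pass"
        else:
            raise PermError(f"unknown mechanism {mech!r}")
        if matched:
            return RESULT[qual]                     # first match wins; later terms are never evaluated
    return "neutral"                                # ran off the end without a match


def evaluate(client_ip, mail_from_domain):
    """Return (result, number of counted DNS lookups) for one connection."""
    budget = [0]
    try:
        return check_host(ipaddress.ip_address(client_ip), mail_from_domain, budget), budget[0]
    except PermError:
        return "permerror", budget[0]


if __name__ == "__main__":
    for ip, dom in [("123.45.67.89", "example.com"), ("192.0.2.77", "example.com"),
                    ("198.51.100.99", "example.com"), ("2001:db8::10", "example.com"),
                    ("10.0.0.1", "loop.example"), ("10.0.0.1", "nospf.example")]:
        print(f"{ip:>16} MAIL FROM {dom:<16} -> {evaluate(ip, dom)}")
```

Two results are worth watching: `198.51.100.99` reaches the `include:` term, the included record's `-all` fails it, and that fail is only a non-match in the parent, so the parent's own `-all` is what produces the final fail; and `loop.example` never terminates by itself, so it is the 11th counted lookup that stops it with a PermError.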
Sources
SPF: Project Overview
SPF: SPF Record Syntax