Today, an SPF record is a must-have DNS record for reliable email delivery. It is a type of email authentication to protect your emails from being forged. This secures your reputation from phishers and spoofers. Find out more about the Sender Policy Framework to increase the credibility of your product.
One of the DNS resource records is TXT. It is mostly used to denote facts about the domain and provide information to outside sources. It’s a must-have for email authentication. For example, an email comes from a server to your internet service provider (ISP). ISP can authenticate the email using a dedicated TXT type record, SPF record. This record contains data about the trusted servers authorized by your domain so, your ISP can identify a source an email is coming from and detect a forged email. SPF or Sender Policy Framework is a primary (but not the only) way to authenticate your email.
SMTP can’t protect your app from frauds such as email spoofing, phishing, and spam. It lacks a feature to identify the origin of an email message and validate its domain. Instead, email authentication can do the job.
There are three widely adopted standards to authenticate emails: SPF, DKIM, and DMARC. In brief, each of them does the following:
SPF, DKIM, and DMARC differ in technical implementation, butthey all draw on DNS records. You can also encounter other authentication methods like ADSP, Sender ID, iprev, and so on. Some of them are either unclaimed or have been deprecated.
Sender Policy Framework appeared officially as an experimental standard in 2006. Eight years later, SPF was approved as a proposed email authentication standard.
In plain English, SPF is a protocol according to which the mail servers decide whether to receive or reject an incoming email. The decision is made using the SPF information in TXT records as for the list of authorized IP addresses within a particular domain. If the email has been sent from one of these addresses, it’s not forged and can be let in.
If your digital product sends transactional or even commercial messages, make sure to implement Sender Policy Framework. This is currently required by internet service providers. If you don’t have a valid SPF record, or it is incorrect, your ISP might run secondary email filtering. Failed SPF authentication means that your email will be recognized as spam or even blocked.
SPF scares off spammers and phishers by filtering out forged emails. It keeps your product reputation spotless. But, to complete the picture, it is better to implement a full-scale email authentication (SPF + DKIM + DMARC).
SPF is a necessary measure but it is not a silver bullet against spoofing. Make sure you are aware of the following misconceptions so you can use the framework correctly.
SPF works with the envelope-from address (return pass) of email. It is invisible to the user unlike the header-from address, which refers to the message content. Hence, an SPF record can’t protect the visible address of the sender.
The framework leverages spam filtering systems to check emails. Also, it protects against forged messages from a specific domain. However, it does not offer significant improvements in terms of fighting spam.
Actually, the mail server sending a message is being authorized according to the SPF record. So, the framework works at the domain level.
Keep in mind that you can only have one SPF record. Otherwise, you’ll get ‘permerror’- an error indicating that the retrieved SPF policy record could not be interpreted.
Even if you have all the messages authorized according to DKIM, you still need an SPF record to identify the domain. Moreover, the Sender Policy Framework is required within cloud services and IPv6 networks. So, the best way to combat spoofing and secure your email is to implement SPF, DKIM, and DMARC.
In general, the SPF in action consists of the following steps:
For example, a server with IP address ‘22.214.171.124’ has sent an email from ‘firstname.lastname@example.org’. During the SPF check, the inbound server will request the ‘apple.com’ domain if this IP address is authorized to send the email. If yes – welcome, if not – the message will be sorted according to the mechanism specified in the SPF record.
First, let’s anatomize a simple SPF record example.
“v=spf1 +a +mx redirect=example.com -all”
v = spf1 is a version number of the current record, and the rest are Mechanisms, Qualifiers, and Modifiers to specify different rules of SPF check. Here is what you can set up in your SPF record.
|+||Accept. The host is allowed to send a message||+|
|–||Reject. The host is not allowed to send a message||–|
|~||Accept but mark. The host is not allowed to send a message but is in transition (the mechanism is for testing purposes)||~|
|?||Accept. The host validity is unstated||?|
|a||Defines the DNS A record of the domain as authorized. If unspecified, the current domain is used||aa/<prefix-length>a:<domain>a:<domain>/<prefix-length>|
|all||Defines policy for all other sources||all|
|exists||Checks validity of an A record for a provided domain||exists:<domain>|
|include||Includes the specified domain as authorized. If the domain does not have a valid record, you’ll get ‘permerror’||include:<domain>|
|ip4||Defines the IPv6 network range. Can be used with prefix, which denotes the range length. If no prefix is specified, /32 is the default||ip4:<ip4-address>ip4:<ip4-network>/<prefix-length>|
|ip6||Defines the IPv6 network range. Can be used with prefix, which denotes the range length. If no prefix is specified, /128 is the default||ip6:<ip6-address>ip6:<ip6-network>/<prefix-length>|
|mx||Defines the DNS MX record of the domain as authorized. I.e., the message must be sent by one of the domain’s incoming mail servers.||mxmx/<prefix-length>mx:<domain>mx:<domain>/<prefix-length>|
|ptr [deprecated]||Defines the reverse hostname and subdomain of the sending IP address.||ptrptr:<domain>|
|exp||Specifies the explanation that a sender will see if the message has been rejected||exp=<domain>|
|redirect||Replaces domain with the current record||redirect=<domain>|
Now, let’s put this knowledge into practice.
v=spf1. Next versions will be
-all– all unspecified servers are not authorized (emails will be rejected).
~all– all unspecified servers are not authorized, but emails will be marked and accepted.
+all– any server is authorized (quite undesirable option).
This is how the most common SPF record looks like:
"v=spf1 a mx -all"
Here, all A and MX records in this domain are authorized to send emails. Emails from anything beyond will be rejected.
Let’s say you have a primary domain – alpha.net with a record like this one
v=spf1 a mx -all. and you need to make an SPF record for multiple domains like beta.net and gamma.net?
The “include” mechanism allows you to designate other domains that are independent from your primary one. For example, alpha.net might send mail using beta.net and gamma.net.
v=spf1 include:beta.net include:gamma.net -all
Also, you can point to your primary domain by adding include:alpha.net in SPF records of your secondary domains:
v=spf1 include:primary-domain.com -all
This will apply the rules from the primary domain for the secondary ones.
Keep in mind that you cannot have more than one TXT record for SPF for a domain.
What if your SPF record looks like this?
v=spf1 a mx a:mail.alpha.com a:first.alpha.net a:second.alpha.org mx:third.domain.net ip4:126.96.36.199 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e include:sendgrid.net include:mandrill.com -all
It matches the requirement of 255 characters per string, but still it is very long. Hence, you can split it into several records that will be included in the main SPF record. Here is how it may go:
v=spf1 a mx a:mail.alpha.com a:first.alpha.net a:second.alpha.org mx:third.domain.net -all
v=spf1 ip4:188.8.131.52 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e -all
v=spf1 include:sendgrid.net include:mandrill.com -all
v=spf1 include:spf1.alpha.com include:spf2.alpha.com include:spf3.alpha.com -all
That’s it. All these records will be checked as one after the DNS update.
The last thing we advise you to do is to validate your SPF record. Luckily, there are a bunch of actionable tools like SPF Record Check or SPF Syntax Validator. This will troubleshoot your record and prevent the annoyance in the future.
You can create and manage your SPF records using a respective console or control panel of your DNS provider. Some services give detailed instructions or guides on how to create TXT records. Below, you’ll find links to the guides of some top-rated providers.
Also, we’ve collected a list of SPF specs for popular email providers so you can copy and paste them into your TXT record.
|Email service provider||SPF record|
|Gmail||v=spf1 include:_spf.google.com ~all|
|Sendgrid||v=spf1 include:sendgrid.net ~all|
|MailChimp||v=spf1 include:servers.mcsv.net ?all|
|Mandrill||v=spf1 include:spf.mandrillapp.com ?all|
|Mailgun||v=spf1 include:mailgun.org ~all|
Here is a short list of common problems (and their basic solutions) one may encounter while trying to validate SPF records.
Once you’ve set up your SPF record, you can proceed to DKIM and DMARC protocols to make your email security and marketing campaigns a cut above the rest.
Thanks for reading our guide that was originally published on Mailtrap Blog: https://mailtrap.io/blog/spf-records-explained/