SPF Records And How To Configure Your Domain To Combat Spam

29th May 2019 Andrei Braganza

Email is delivered over SMTP, the Simple Mail Transfer Protocol. SMTP does not authenticate the sender: both the envelope sender given in the MAIL FROM command (the return path) and the From header shown to the reader can be set to any syntactically valid address, so anyone can put your domain in them and send an email that appears to come from you. This is where SPF records come into play.

A Sender Policy Framework (SPF) record is a DNS TXT record, published at your domain, that lists which mail servers are allowed to send email using your domain as the envelope sender. A receiving server can then check whether the IP address that connected to it is one the domain owner authorized, instead of accepting any message that merely claims to come from your domain. Note that SPF authenticates the domain in the envelope sender (MAIL FROM) and the HELO identity, not the From header the user sees; making that header line up with the authenticated domain is what DMARC adds on top of SPF.

The sequence of events when a receiving mail server checks SPF is as follows:

  • A server with IP address 199.3.2.1 (an example address) connects to the receiver.com mail server and sends an email with envelope sender john@sender.com to wick@receiver.com.
  • The receiver.com mail server queries DNS for the TXT records of sender.com and picks out the one that begins with v=spf1; there must be exactly one.
  • The receiver.com mail server evaluates the mechanisms of that record, left to right, against the connecting IP address 199.3.2.1.
  • The first mechanism that matches decides the SPF result (pass, fail, soft fail or neutral, according to its qualifier); if nothing matches the result is neutral. The receiver's own policy then decides whether to accept, mark or reject the message based on that result.

The original post showed the record as an image. Written out as text, a record of the kind this post walks through looks like this: v=spf1 a mx include:_spf.google.com ~all. It is made up of the version, the mechanisms and their corresponding qualifiers.

Version

The version is straightforward: it is the first term of the record, written v=spf1, and it is currently always spf1. A TXT record that does not begin with v=spf1 is simply not an SPF record and is ignored by the check.

Mechanism

The mechanisms are evaluated left to right and specify which hosts may send for the domain. The first mechanism that matches the sending IP address ends the evaluation, so order matters: list your authorized senders first and the catch-all all mechanism last.

The a mechanism matches if the message is sent from an IP address that equals an A (or AAAA) record of the domain. Written on its own it refers to the domain publishing the record; a:mail.example.com names another host, and a CIDR suffix such as a/24 widens the match to that host's network.

The mx mechanism specifies that if the message is sent from an IP address that matches an A (or AAAA) record of one of the domain's MX hosts, the Mail Exchange servers that receive mail for the domain, then the mechanism will match. This is convenient when the same servers both send and receive, but an inbound MX host is not necessarily an outbound sender, so do not add mx just because it is there.

The include mechanism points to another domain whose SPF record is evaluated in turn with the same sending IP address. If that evaluation results in pass, the include mechanism matches; if it results in fail, soft fail or neutral, the mechanism simply does not match and evaluation continues with the next term (the name is misleading: a -all inside the included record does not fail your record). include:_spf.google.com is the usual include when setting up G Suite on your domain: once G Suite is sending your mail, the sending IP address will be a Google address listed under _spf.google.com, so the mechanism matches because you have authorized Google to send on your behalf. Two caveats: including a domain that publishes no SPF record is a permanent error, and every include, a and mx term costs a DNS lookup, of which one SPF check may cause at most ten in total (RFC 7208); exceeding that limit is also a permanent error, so audit what your includes pull in before adding more.

The all mechanism matches every IP address, so it goes last as the catch-all for senders that nothing above it authorized. In this record it is written ~all, so such a sender gets a Soft Fail because of the ~ qualifier, which is explained in the qualifier section below; -all would make it a hard Fail, which is the setting to move to once you are sure the record lists every legitimate sender.

Qualifiers

Qualifiers are single-character prefixes to mechanisms that say what result an IP address matching that mechanism produces. The default qualifier, used when none is written, is +. The four qualifiers are:

  • + Pass, an IP address that matches a mechanism with this qualifier passes the SPF check: the domain owner authorizes this host.
  • - Fail, an IP address that matches a mechanism with this qualifier fails the SPF check: the domain owner states the host is not authorized, and receivers may reject the message.
  • ~ Soft Fail, an IP address that matches a mechanism with this qualifier soft fails the SPF check: the domain owner believes the host is not authorized but does not want to make a firm statement, so the receiving server should accept the mail but mark it as an SPF failure. This is the usual setting while a record is being rolled out.
  • ? Neutral, an IP address that matches a mechanism with this qualifier neither passes nor fails the SPF check; it is treated as if the domain had made no statement.
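To make the evaluation described above concrete (the lookup sequence, left-to-right mechanisms with first match wins, and the qualifier deciding the result), here is a small SPF evaluator. It is an added example, not code from the original post, and it replaces real DNS with a constructed in-memory table so it runs offline: every host name and IP address in FAKE_DNS is made up, and the _spf.google.com entry is a stand-in, not Google's real record. It implements the a, mx, include and all mechanisms the post discusses plus ip4 and ip6, which the post does not cover but real records use constantly; redirect= and exp= modifiers and the ptr and exists mechanisms are deliberately left out.

```python
"""Toy SPF evaluator (added example, not from the original post).

Mechanisms are tested left to right against the sending IP; the first match
wins and its qualifier becomes the result. Real DNS is replaced by the
constructed FAKE_DNS table so the example runs offline; every host name and
address in it is made up (_spf.google.com here is a stand-in, not the real record).
"""
import ipaddress

FAKE_DNS = {
    "sender.com": {
        "TXT": ["v=spf1 a mx include:_spf.google.com ~all"],
        "A": ["199.3.2.1"],
        "MX": ["mail.sender.com"],
    },
    "mail.sender.com": {"A": ["199.3.2.2"]},
    "_spf.google.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    "strict.example": {"TXT": ["v=spf1 ip4:198.51.100.7 -all"]},
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208: at most ten lookup-causing terms per check


def lookup(name, rtype):
    """Stand-in for a DNS query; returns the matching record strings."""
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """The domain's SPF policy: exactly one TXT record starting v=spf1, else None."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None


def host_matches(ip, host, prefix):
    """True if ip lies within any A/AAAA address of host, masked to prefix bits."""
    rtype = "A" if ip.version == 4 else "AAAA"
    return any(ip in ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
               for addr in lookup(host, rtype))


def check_host(ip, domain, _lookups=None):
    """Evaluate SPF for a sending ip and MAIL FROM domain.

    Returns pass, fail, softfail, neutral, none (no record) or permerror.
    """
    ip = ipaddress.ip_address(ip)
    lookups = _lookups if _lookups is not None else [0]  # shared across includes
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term:          # redirect=/exp= modifiers are not handled here
            continue
        qualifier = "+"          # default when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, _, mech_cidr = mech.partition("/")      # "a/24", "mx/24" forms
        mech = mech.lower()
        if mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # ip_network accepts a bare address or address/prefix; an IPv4
            # network never contains an IPv6 address and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            target, _, cidr = arg.partition("/") if arg else (domain, "", mech_cidr)
            prefix = cidr or ip.max_prefixlen
            hosts = [target] if mech == "a" else lookup(target, "MX")
            matched = any(host_matches(ip, h, prefix) for h in hosts)
        elif mech == "include":
            sub = check_host(ip, arg, lookups)
            if sub in ("none", "permerror"):
                return "permerror"   # including a missing or broken record is fatal
            matched = sub == "pass"  # fail/softfail/neutral: no match, keep going
        else:
            return "permerror"       # unknown mechanism (ptr/exists omitted here)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                 # nothing matched and no redirect=


if __name__ == "__main__":
    for ip, domain in [("199.3.2.1", "sender.com"), ("203.0.113.9", "sender.com"),
                       ("192.0.2.50", "sender.com"), ("192.0.2.50", "strict.example"),
                       ("198.51.100.7", "loop.example")]:
        print(f"{ip:>14} via {domain:<16} -> {check_host(ip, domain)}")
```

Running it shows the behaviour the post describes: the domain's own address passes on a, the MX host's address passes on mx, an address inside the included netblock passes through include, and anything else falls through to ~all and soft fails, while the -all of strict.example produces a hard fail. The loop.example entry shows why the ten-lookup limit exists: a record that includes itself would otherwise recurse forever, and instead ends in permerror.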

Lastly, you do not need an SPF record of your own to check incoming email against the SPF policies other domains publish. It is considered good practice to publish one anyway, so that mail servers which do SPF filtering can check email claiming to come from your domain; this holds even for a domain that sends no mail at all, where v=spf1 -all tells everyone that no host is authorized. After publishing, confirm what resolvers actually see with dig +short TXT yourdomain.com and make sure exactly one v=spf1 record comes back.
