As a DNS service provider, we frequently receive requests from customers who need assistance with understanding and creating SPF records. This short article outlines a few helpful steps that will hopefully make life easier for some.
Well, Wikipedia sums it up nicely: SPF (Sender Policy Framework) is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail servers use DNS to ensure mail from a given domain is being sent by a host allowed by the owner of that domain. In practice, the receiving mail server takes the domain from the envelope sender (the MAIL FROM address, which ends up as the Return-Path) or from the HELO name, fetches that domain’s SPF record from DNS, and checks whether the IP address of the server that connected to it is one the record authorizes.
Here is an example of what an SPF TXT record looks like in DNS:
example.com. IN TXT "v=spf1 mx a ip4:192.0.2.0/24 ip4:198.51.100.123 -all"
The above example is a TXT record. The dedicated SPF record type (type 99) was deprecated by RFC 7208, and receivers are required to check the TXT record, so the TXT record is the one that must exist. We currently still suggest creating the record for both TXT and SPF in our user interface; if you do, keep the two exactly identical.
As you’ll see, this record has several components. v=spf1 is always at the beginning and is required: a TXT record that doesn’t start with it is simply not an SPF record, so start with that. After that you see mx and a. The mx mechanism authorizes the hosts named in your domain’s MX records (more precisely, the IP addresses those mail exchangers resolve to). The a mechanism authorizes the address(es) that the domain name itself resolves to, in this case the A (and AAAA) records of example.com; it does not cover every A record in the zone, so a host such as www.example.com is only authorized if you list it explicitly (a:www.example.com). You could also use ptr, which permits a sending IP whose reverse DNS name falls within your domain and resolves back to that same IP. We don’t recommend that, however: RFC 7208 says ptr should not be published, because it is slow, depends on reverse DNS that is often missing or wrong, and many receivers limit or skip it, so legitimate mail can fail for no good reason.
The ip4 items (ip6 for IPv6) list single addresses or CIDR blocks that are allowed to send mail. This is the most commonly used mechanism, and it is the cheapest for mail servers to validate against, since it needs no further DNS lookups.
At the end of the SPF record you’ll see the -all term. A record should always end with all, prefixed with the qualifier you want. In this case the - sign indicates that anything other than what you’ve listed in the record should be rejected, so the - means FAIL. If you want SOFT FAIL, change the - to ~ instead. With SOFT FAIL, email will typically still be accepted, but tagged or scored as suspicious. Keep all last: mechanisms are evaluated left to right and the first match wins, so anything written after all is never reached. Avoid +all, which authorizes every host on the Internet and makes the record pointless.
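To make the evaluation order concrete, here is a small SPF checker written for this article; it is an added example, not Total Uptime’s code or any production library. It evaluates a connecting IP against a record exactly the way described above (first matching mechanism wins, the qualifier on that mechanism decides, all catches the rest) and goes slightly beyond the record shown by also handling include: and the ten-lookup limit on DNS-querying mechanisms from RFC 7208. DNS is replaced by a constructed in-memory zone (ZONE) using documentation addresses, so it runs offline; the hostnames and addresses in it are invented for the example, and ptr, exists and the redirect=/exp= modifiers are deliberately left out.

```python
import ipaddress

# Constructed, offline stand-in for DNS.  The names and addresses below are
# documentation ranges invented for this example; a real checker would query
# DNS (for instance with dnspython) instead of consulting this dict.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx a ip4:192.0.2.0/24 ip4:198.51.100.123 -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("example.com", "A"): ["203.0.113.10"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("soft.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
    ("corp.example", "TXT"): ["v=spf1 include:example.com -all"],
    ("dup.example", "TXT"): ["v=spf1 -all", "v=spf1 +all"],          # two records: permerror
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],   # blows the lookup limit
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10   # RFC 7208 section 4.6.4


def dns_lookup(name, rtype):
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def ip_matches(ip, network):
    # A bare address such as 198.51.100.123 is treated as a /32 (or /128).
    # An IPv4 address never matches an IPv6 network and vice versa.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_host(ip, domain, lookups=None):
    """Evaluate the connecting IP against <domain>'s SPF policy.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if lookups is None:
        lookups = [0]   # DNS-querying mechanism counter, shared across include: recursion
    records = [r for r in dns_lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"   # a domain may publish exactly one v=spf1 record

    for term in records[0].split()[1:]:   # skip the version tag
        if "=" in term:
            continue   # modifiers such as redirect= / exp= are out of scope here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_MECHANISMS:
                return "permerror"

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_matches(ip, arg)
        elif name == "a":
            matched = any(ip_matches(ip, addr) for addr in dns_lookup(arg or domain, "A"))
        elif name == "mx":
            matched = any(ip_matches(ip, addr)
                          for mx in dns_lookup(arg or domain, "MX")
                          for addr in dns_lookup(mx, "A"))
        elif name == "include":
            sub = check_host(ip, arg, lookups)
            if sub in ("none", "permerror"):
                return "permerror"   # RFC 7208 section 5.2: including a missing/broken record
            matched = sub == "pass"
        else:
            return "permerror"   # ptr / exists are not implemented in this example

        if matched:
            return QUALIFIERS[qualifier]   # first matching mechanism decides

    return "neutral"   # nothing matched and no "all" term (RFC 7208 section 4.7)


if __name__ == "__main__":
    for ip, domain in [("192.0.2.55", "example.com"), ("203.0.113.25", "example.com"),
                       ("198.51.100.124", "example.com"), ("10.0.0.1", "soft.example"),
                       ("192.0.2.55", "corp.example"), ("10.0.0.1", "loop.example")]:
        print(f"{ip:>15} -> {domain:<12} {check_host(ip, domain)}")
```

Running it shows the article’s record passing 192.0.2.55 (ip4 block) and 203.0.113.25 (the MX host) and failing 198.51.100.124 because it falls through to -all; soft.example returns softfail for the same reason, and loop.example returns permerror once the include: chain exceeds ten lookups, which is exactly what happens to real records that pile up too many third-party includes.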
If you’d rather not write the syntax yourself, there are some handy tools out there that will ask you a few key questions and then create an SPF record for you. One such tool can be found here: http://www.spfwizard.net/
There are a few key SPF gotchas to keep in mind. Unless you know about them, your SPF efforts may be in vain. Publish only one v=spf1 record per domain: two of them is a syntax error, and receivers treat the policy as a permanent error rather than picking one. Mechanisms that need DNS lookups (a, mx, include, ptr, exists and the redirect modifier) are limited to ten per evaluation, so a record that pulls in many third-party senders via include can silently exceed the limit and produce an error instead of a pass.
Some think that having an SPF record guarantees email deliverability. Sadly, this is not the case. Many receivers don’t check SPF at all, and those that do often use the result only as one input to their spam scoring. But it certainly won’t hurt to create one, and it should help prevent some spoofing of your domain, so why not. Even if it improves email deliverability by 1% or reduces email spoofing of your domain by 1%, it is a worthwhile effort.
Here are a few links to some VERY handy SPF record testing tools:
MX Toolbox has a nice tool: enter your domain name and it will run a test, giving you the results neatly broken down and telling you whether or not your record passes.
Kitterman has a pretty comprehensive one as well: http://www.kitterman.com/spf/validate.html