SPF Records – creating and testing

As a DNS service provider, we frequently receive requests from customers who need assistance with understanding and creating SPF records. This short article outlines a few helpful steps that will hopefully make life easier for some.

First, what is an SPF record anyway?

Well, Wikipedia sums it up nicely: SPF (Sender Policy Framework) is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Doman Name System (DNS). Mail servers use DNS to ensure mail from a given domain is being sent by a host allowed by the owner of that domain.

Here is an example of what an SPF TXT record looks like in DNS:

example.com. IN TXT “v=spf1 mx a ip4: ip4: -all”

The above example is a TXT record. While there has been discussion about deprecating the SPF record type, we currently suggest creating the same record for both TXT and SPF in our user interface.

As you’ll see, this record has several components. v=spf1 is always at the beginning and is pretty much required, so start with that. After that you see that there is MX and A. The MX states that any MX record you have created for the domain is authorized to send email. The A designates that any A record you’ve created for the domain is also authorized to send email. You could also define PTR here too which means if an IP that sends mail has a PTR record resolving to the domain, it will be permitted as well. We don’t recommend that, however, since it could be easily spoofed by almost anyone since all they need to do is create a reverse DNS / PTR record for an IP address they have control of to be your domain name.

The IP4 items simply indicate single or blocks of IP addresses that are allowed to send mail. This is most commonly used, and is quick for mail servers to validate against.

At the end of the SPF record you’ll see the -all qualifier. This should always be included, except with the appropriate symbol. In this case the – sign indicates that anything other than what you’ve listed in the record should be rejected, so the – means FAIL. If you want to SOFT FAIL, change the – to ~ instead. With the SOFT FAIL, email will typically be accepted still, but tagged.

If the syntax seems too difficult to create on your own, there are some handy tools out there that will ask you a few key questions, and then will create an SPF record for you. One such handy tool can be found here: http://www.spfwizard.net/

SPF Record Gotchas

There are a few key SPF gotchas to keep in mind. Unless you know about them, your SPF creating efforts will be in vain.

  1. There is a 255 character limit to your SPF record, whether created as an actual SPF record or a TXT record. So count your characters and adjust accordingly.  If you need to include more blocks of IP addresses than 255 characters will allow, you can use the include option.  Simply add to your SPF record include:more_1.example.com. In this case, you would create another SPF/TXT record for “more” and then place an additional block of 255 characters in there. You could add a bunch by doing include:more_1.example.com include:more_2.example.com and so on. But be careful, there is another limit! Read below:
  2. There is a 10 DNS query limit for your SPF record.  When the receiving mail server pulls your SPF record, it will make a maximum of 10 additional DNS lookups. Every include: entry, AMXPTR will require a DNS lookup, so be careful. If there are more than 10, the record will error out and will act as if you’ve never created one. There is a handy tool at http://emailstuff.org/authentication that will help you determine how many DNS lookups take place. Enter your domain and click ‘check’. Then, on the results page, click the DNS tab. Count all of the orange query listings to see how many there are.

Is SPF the Golden Ticket to email deliverability?

Some think that having an SPF record guarantees email deliverability. Sadly, this is not the case. Many organizations don’t even look for SPF records, and others that do, only use them for tweaking the spam ranking of an email. But it certainly won’t hurt to create one, and it should help prevent some spoofing of your domain, so why not. Even if it improves email deliverability by 1% or reduces email spoofing of your domain by 1%, it is a worthwhile effort.

SPF Record Testing Tools

Here are a few links to some VERY handy SPF record testing tools:

MX Toolbox has a nice tool where you can enter your domain name and it will run a test, giving you the results neatly broken down and whether or not your record passes.

Kitterman has a pretty comprehensive one as well: http://www.kitterman.com/spf/validate.html

Prevent your next outage now!


Other articles you might like to read: