SPF (Sender Policy Framework) is used by receiving mail servers to verify that the mail they are looking at came from a server your domain has authorized to send on its behalf.
SPF assists in:
Improving deliverability
Combating email spoofing
Improving domain reputation
Servers receiving a message verify SPF by taking the domain from the message's Return-Path (the envelope sender) and querying that domain's DNS for a TXT record. If an SPF record is published, it lists every server that is approved to send mail for the domain. If the connecting IP is not on that list, the SPF check fails.
Mechanisms describe who is allowed to send mail on behalf of a domain. When a mechanism matches, one of four qualifiers determines the result.
Qualifiers are the action that is ultimately applied when a mechanism is matched. If no qualifier is listed, the default + (pass) is used. Below are the four types of qualifiers that can be used when configuring SPF email policies.
The following elements may be included within the SPF email record.
v=spf1: This tag is always required and states the version of SPF being used. It will always be the first tag in the SPF policy.
a: Tests the A records for the domain. If the sending host's IP is among them, the mechanism matches. The example below allows the current domain's A records and soft fails anything else.
Example: v=spf1 a ~all
all: Placed at the end of the SPF record, this mechanism matches every sender that no earlier mechanism matched, so its qualifier decides what happens when nothing else matches. The most common form is ~all, which soft fails anything that does not match. The example below allows email from a single IP address (listed with the ip4 mechanism) and soft fails all other senders.
Example: v=spf1 ip4:12.34.56.78 ~all
mx: Using mx by itself looks up the MX records of the current domain and then the A records of those MX hosts; the sender matches if its IP is one of them. The mx mechanism can also be pointed at a completely separate domain. Using mx lets you change your mail servers in DNS without having to modify your SPF record. The example below queries the MX records of example.com to see if there is a match.
Example: v=spf1 mx:example.com ~all
include: Allows another domain's SPF record to be evaluated, and is often used when allowing third-party services to send mail as your domain. Include mechanisms can be stacked, allowing for multiple senders. Below is an example of using include to allow for multiple sending servers.
exists: Checks whether an A record exists for the specified domain. If the A record exists, the mechanism matches. The domain does not have to be your own; it simply must resolve. This can be combined with macros to have the recipient query a public spam list and fail the SPF check if the sending address is listed. Below is an example of using a macro to query a blacklist. %{i} is macro syntax that inserts the sender's IP address into the name being looked up, so the lookup succeeds only if that address is present on the list.
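To show how a receiving server walks the mechanisms and qualifiers described above, here is an added example evaluator (not code from the page or from any SPF library) that checks a sender IP against a domain's record using a constructed, in-memory DNS table; the zone names and IPs are assumptions, and it covers only the a, mx, ip4, include, exists and all mechanisms with the %{i} macro.

```python
import ipaddress

# Constructed DNS data standing in for live lookups; none of these zones are real.
DNS = {
    "example.com": {
        "TXT": "v=spf1 -exists:%{i}.bl.example a mx:mail.example.com "
               "include:_spf.vendor.example ip4:203.0.113.0/24 ~all",
        "A": ["192.0.2.10"],
    },
    "mail.example.com": {"MX": ["mx1.example.com"]},
    "mx1.example.com": {"A": ["192.0.2.20"]},
    "_spf.vendor.example": {"TXT": "v=spf1 ip4:198.51.100.5 -all"},
    "203.0.113.99.bl.example": {"A": ["127.0.0.2"]},  # a sender IP on the blocklist
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def a_records(host):
    return DNS.get(host, {}).get("A", [])

def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record for sender_ip; the first matching mechanism wins."""
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1") or depth > 10:   # no record, or runaway includes
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                     # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":                   # sender IP is an A record of the domain
            matched = str(ip) in a_records(arg or domain)
        elif name == "mx":                  # sender IP is an A record of one of the MX hosts
            hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(str(ip) in a_records(h) for h in hosts)
        elif name == "include":             # recurse; only a "pass" counts as a match
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif name == "exists":              # expand %{i} to the sender IP, then look up an A record
            matched = bool(a_records(arg.replace("%{i}", str(ip))))
        else:
            continue                        # unsupported mechanism in this simplified evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no "all" term was present
```

Note that 203.0.113.99 falls inside the allowed ip4 range but still fails, because the -exists term appears earlier in the record and the first match decides the result.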