This post was going to be pretty lengthy, so I am separating it into three parts. The first part will give a quick background on SPF records and provide a simple example of one. The second will delve deeper into the options available and show example records for a variety of setups. The third will give some examples of how to actually implement the records and how to test that they are set up properly.
SPF Records – Part 1 – Quick Background and Simple Example
An early problem with spam was that there was no standardized way to tell if an email claiming to be from a domain was actually telling the truth. A variety of email validation systems have been tried, some of them very complex, but a clean and fairly simple method has really come to the forefront. Sender Policy Framework, or SPF, recognized that the person who controls a domain name should have the power to decide who can send emails claiming to be from the domain.
SPF records are specially formulated DNS entries that list the servers that are allowed to send email for a domain. When an email is sent via a mail server, the receiving server checks the SPF record to see if the email was sent from an IP address or host that has been authorized to send mail. That way, some random spam server can’t just send email claiming to come from ericbrandel.com. One thing to clarify here: these checks are made between mail servers, not between clients (like Outlook) and the mail server, and, on the receiving end, the checks are made before the email reaches the user’s inbox.
This system has some pretty clear advantages:
- No cost
Now that the basics have been covered, let’s see what a simple SPF record actually looks like. Here is the SPF record for ericbrandel.com:
v=spf1 a mx -all
Not much to it, right? Well, yes and no. There is actually a lot of information packed into that little bit of text and SPF records can also be far more complex. In the above record, there are four separate pieces of information.
- v=spf1: This simply specifies what type of record it is. It is needed because when SPF was first implemented, there was no specific SPF DNS record type, so the TXT record type was utilized. Either type can be used today, but it is still common to see no support for SPF record types. The host I use, MediaTemple, only supports TXT records.
- a: If the domain has an address (A) record, use it to try to match its IP address with that of the server that sent the email.
- mx: If the domain has a mail (MX) record, use it to try to match.
- -all: The record stops processing when it reaches all. The minus sign signifies that if nothing has matched by this point, the email should be rejected.
The SPF record has listed two hosts that are allowed to send email for that domain. If the IP address of those servers does not match the IP address of the server that the email came from, the message has failed the SPF record check.
Here’s a quick example of how this would work. Say I send an email to email@example.com from firstname.lastname@example.org. The email server receiving my message first examines what IP address the message came from and records it. It then sees that the email is claiming to come from email@example.com. It looks up the SPF record for ericbrandel.com and finds the one listed above. It first compares the previously recorded IP address to that of my domain’s address (A) record. If the IP address it recorded earlier matches the A record, the email has passed and no further processing takes place. If it does not match the A record, it then checks the mail (MX) record. If that matches, great; otherwise it continues. If it reaches -all, then the previous two checks have failed and the Microsoft email server is instructed that the email is not valid.
Now, in the above example the Microsoft mail server is under no obligation to discard the email. It can still decide that it is a valid message, but it probably is not wise for it to do so.
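To make the a, then mx, then -all walk-through concrete, here is a small evaluator written for this post (it is an added example, not code from the original article). It runs against a constructed stand-in for DNS, so the zone data and IP addresses are made up, and it also accepts ip4 and the ~ and ? qualifiers, which Part 1 does not use.

```python
import ipaddress

# Constructed zone data standing in for live DNS lookups (not real records).
FAKE_DNS = {
    "ericbrandel.com": {
        "A": ["203.0.113.10"],
        "MX": ["mail.ericbrandel.com"],
        "TXT": ["v=spf1 a mx -all"],
    },
    "mail.ericbrandel.com": {"A": ["203.0.113.25"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype, dns=FAKE_DNS):
    """Return the records of type rtype for name from the constructed zone data."""
    return dns.get(name, {}).get(rtype, [])

def check_spf(domain, sender_ip, dns=FAKE_DNS):
    """Evaluate domain's SPF record against the IP the message arrived from.

    Mechanisms are tried left to right and the first match decides the
    result. Returns pass, fail, softfail, neutral, none or permerror.
    """
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT", dns) if t.startswith("v=spf1")]
    if not records:
        return "none"            # the domain publishes no SPF record
    for term in records[0].split()[1:]:
        qualifier = "+"          # a bare mechanism means "pass if it matches"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True       # always matches, so it ends processing
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A", dns)
        elif mech == "mx":
            hosts = lookup(arg or domain, "MX", dns)
            matched = any(str(ip) in lookup(h, "A", dns) for h in hosts)
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"   # unknown mechanism: the record is malformed
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # ran out of terms without a match
```

The result is only a verdict; as the post notes, the receiving server still decides what to do with a fail.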
That’s the end of Part 1. The next post will cover some more example SPF records and why you would set things up differently than the simple record I have shown above.
Update: SPF Records – Part 2a is now live.