What is an SPF record?
An SPF (Sender Policy Framework) record indicates which hosts are authorised to send email for a domain. It is defined in RFC 4408 and clarified by RFC 7208. When a server sends spam using your domain name, receiving servers may check your domain's DNS to see whether it has an SPF record and whether the sending server's IP is permitted to send email on behalf of your domain. If the mail came from an SPF-listed source, the email is processed normally. If the mail did not originate from a server in the SPF list, the message is rejected per the receiving server's policies.
SPF record format
SPF records are typically defined using the TXT record type. There is also a dedicated SPF record type, but it is deprecated, so you should always have at least the TXT record definition present. An SPF record is defined as a single string of text.
Example record:

yourdomain.com. IN TXT "v=spf1 a mx ip4:63.14.25.08 include:mail-postboxservices.com ~all"

Breaking the SPF record down:
- yourdomain.com – The domain that the SPF record applies to.
- IN TXT – The DNS zone record type. SPF records are written as TXT records.
- v=spf1 – Identifies the TXT record as an SPF record.
- a – Lists the address of the domain's A record as approved to send email.
- mx – Lists the hosts in the domain's MX record(s) as approved to send email.
- ip4 – Adds the listed IPv4 address (or range) as approved to send email.
- include – Adds a partner's or third party's servers to your SPF record by referencing their SPF record.
- ~all – Matches every other sender. With the ~ qualifier, mail from any server not listed earlier in the record is treated as a soft fail, so no other servers are authorised by the SPF record.
The SPF record always starts with the v= element, which indicates the SPF version in use. Right now the version should always be spf1, as this is the version of SPF understood by mail exchangers. Following the version indicator are one or more terms. These define the rules for which hosts are allowed to send mail from the domain, or provide additional information for processing the SPF record. Terms are made up of mechanisms and modifiers. Mechanisms (such as a, mx, ip4, include and all in the example above) define which IP addresses are allowed to send mail from the domain. The ptr mechanism is also defined but should not be used. Two modifiers are currently defined, redirect and exp, described below.
A receiving mail server compares the IP address of the sender against the IP addresses defined by the mechanisms. If the IP address matches one of the mechanisms in the SPF record, the result handling rule of that mechanism applies. The default handling rule is + or pass. The include mechanism lets you authorise hosts outside of your administration by referencing their SPF record.
The all mechanism matches any address. It is usually placed last, where it defines how to handle any sender IP that did not match the previous mechanisms. Any mechanism may carry a qualifier saying how to handle a match. As mentioned, the default handling rule is pass, which is the same as the + qualifier. The other qualifiers are - for fail, ~ for soft fail, and ? for neutral. If a mechanism matches and specifies - (fail) then
Modifiers are name/value pairs (separated by an = sign) that provide additional information. Modifiers should appear at the end of the SPF record. A modifier may not appear more than once, and unrecognised modifiers are ignored. The redirect modifier points to another SPF record to use for processing. It is used when you have multiple domains and want to apply the same SPF content across all of them.
Redirects should only be used if you control both domains; otherwise an include is used. The exp modifier provides an explanation when a matched mechanism carries the - (fail) qualifier. Note that we currently do not support modifiers in our SPF editing UI, but you may always add them if you are managing your SPF TXT record directly.
SPF Record Limitations
Each fully-qualified name may have at most one SPF record, defined as a TXT record or as an SPF record type. There are also limits on the number of items and DNS lookups permitted in an SPF record:
- SPF records may not have more than 10 mechanisms that require DNS lookups.
- When evaluating the mx mechanism, the number of MX records queried is included in the overall limit of DNS lookups. Additionally, each mx mechanism must not result in querying more than 10 address records.
- The ptr mechanism is also included in the overall limit, and each ptr mechanism must not result in querying more than 10 address records.
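As an added example (not part of the original page), a simplified SPF evaluator that walks the mechanisms and qualifiers described above and enforces the 10-lookup limit and the per-mx address-record limit from the list above. It models only a, mx, ip4, include and all, skips modifiers, and resolves names against a constructed in-memory table instead of real DNS; all domain names and addresses in it are made up.

```python
import ipaddress

ZONE = {  # constructed in-memory DNS data (assumption: stands in for real lookups so this runs offline)
    ("yourdomain.com", "TXT"): ["v=spf1 a mx ip4:203.0.113.0/24 include:mail-postboxservices.com ~all"],
    ("yourdomain.com", "A"): ["198.51.100.10"],
    ("yourdomain.com", "MX"): ["mx1.yourdomain.com"],
    ("mx1.yourdomain.com", "A"): ["198.51.100.25"],
    ("mail-postboxservices.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    # 11 lookup-costing terms: exceeds the limit of 10 and must yield a permanent error
    ("toomany.example", "TXT"): ["v=spf1 " + "include:mail-postboxservices.com " * 11 + "-all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHS = {"a", "mx", "include"}  # each costs a DNS lookup (ptr, exists and redirect do too; not modelled)


def check_host(ip, domain, budget=None):
    """Evaluate sender ip against domain's SPF record; returns (result, dns_lookups_used)."""
    budget = [0] if budget is None else budget          # one counter shared across include recursion
    records = [r for r in ZONE.get((domain, "TXT"), []) if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(records) != 1:                               # no record, or more than one record: both are errors
        return ("none" if not records else "permerror"), budget[0]
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term:                                 # modifier (redirect/exp): not modelled here
            continue
        qual = term[0] if term[0] in QUALIFIERS else "+" # default qualifier is + (pass)
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mech in LOOKUP_MECHS:
            budget[0] += 1
            if budget[0] > 10:                          # overall DNS lookup limit
                return "permerror", budget[0]
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in ZONE.get((arg or domain, "A"), [])
        elif mech == "mx":
            hosts = ZONE.get((arg or domain, "MX"), [])
            if len(hosts) > 10:                         # mx must not query more than 10 address records
                return "permerror", budget[0]
            matched = any(ip in ZONE.get((h, "A"), []) for h in hosts)
        elif mech == "include":
            matched = check_host(ip, arg, budget)[0] == "pass"  # include matches only on pass
        else:
            return "permerror", budget[0]               # unknown mechanism (ip6, ptr, exists not modelled)
        if matched:
            return QUALIFIERS[qual], budget[0]
    return "neutral", budget[0]                         # nothing matched and no all term present
```

Note that a record whose text begins with a space (as in the quoted example above) fails the "v=spf1" check and is not treated as an SPF record at all.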
Tips for SPF Records
Since you may only have one SPF record per fully-qualified name, if you need to add additional modifiers you should add them to your existing SPF record if one is present. SPF records are most often specified on your naked domain name. If you find that you need to exceed the number of modifiers allowed in a single SPF record, you may need to send some of your messages from subdomains below your naked domain.
For example, if a third-party SaaS sends mail on your behalf, you may need to send email from something.yourdomain.com for that provider. This is especially true if you have multiple SaaS providers that send email on your behalf.