Email - Sender Policy Framework (SPF)

What is an SPF record?

SPF is a DNS TXT record that defines which server(s) may send email for a domain. It describes the set of hosts which are designated outbound mailers for the domain, so that a receiving server can reject or flag mail that claims the domain but comes from anywhere else.

SPF is one part of the mail authentication scheme, together with DKIM (and DMARC, which builds a policy on top of both).

The SPF record value is a list of terms, each made of:

  • a mechanism (how the validator derives the set of IP addresses that may send: a literal network, the A or MX records of a domain, another domain's SPF record, ...)
  • and an optional qualifier prefixed to it (which result to return when that mechanism matches the sending IP: Pass, Fail, SoftFail or Neutral)

If you are forwarding email (for instance with Postfix virtual aliasing), the original sender's domain (gmail.com, for instance) does not list your server in its SPF record, so the forwarded message fails SPF at the final recipient. To forward without breaking SPF you need to rewrite the envelope sender with a Sender Rewriting Scheme (SRS). See Postfix - Sender Rewriting Scheme (SRS) installation

Example

v=spf1 is the version prefix that starts every SPF record (a TXT record without it is not an SPF record).

  • -all: The domain sends no mail at all.
"v=spf1 -all"

  • Allow the host in the domain's MXes record to send mail for the domain, prohibit all others.
"v=spf1 mx -all"

  • +all: Allow all hosts. The domain owner thinks that SPF is useless and/or doesn't care; the record then authorizes every sender on the Internet and protects nothing.
"v=spf1 +all"

Example of an SPF DNS record in the DNS zone provided by a domain registrar:

(Screenshot: SPF TXT record in a DNS zone editor)

Syntax

The general form of an SPF record is:

v=spf1 [[qualifier]mechanism ...] [modifier ...]

Mechanisms are evaluated left to right; the first one that matches the sending IP ends the evaluation, and its qualifier is the result returned.

Validation Process

The receiving mail server takes the domain of the envelope sender (the SMTP MAIL FROM address, which ends up in the Return-Path header; the HELO/EHLO host name may be checked too), fetches that domain's SPF TXT record and evaluates the mechanisms against the IP address of the connecting client. The From: header shown to the user is not what SPF checks; aligning it with the authenticated domain is the job of DMARC.

Evaluation of an SPF record can return any of these results:

Result      Explanation                                                                     Intended action
Pass        The SPF record designates the host as allowed to send                           accept
Fail        The SPF record designates the host as NOT allowed to send                       reject
SoftFail    The SPF record designates the host as NOT allowed to send, but is in transition accept but mark
Neutral     The SPF record states explicitly that nothing can be said about validity        accept
None        No SPF record at all (or the domain does not exist)                             accept
PermError   Syntax or evaluation error (e.g. badly formatted SPF record, too many lookups)  unspecified
TempError   Transient DNS error (e.g. DNS server not reachable)                             accept or temporarily reject

Mechanism of validation

Mechanisms can be used to describe the set of hosts which are designated outbound mailers for the domain.

All

  • all matches every IP address. It is therefore placed at the end of the record, where its qualifier gives the default result for any sender that no earlier mechanism matched.
# no mail is sent by the domain
v=spf1 -all
# only the hosts in the domain's MX records may send
v=spf1 mx -all
# every host may send (the admin doesn't care; rarely seen, and it makes the record useless)
v=spf1 +all

IP

# Allow any IP address in 192.168.0.0/16, i.e. between 192.168.0.0 and 192.168.255.255
# (host bits beyond the prefix length are ignored, so this is the same as ip4:192.168.0.0/16;
#  private addresses are used here only as an illustration, a real record lists public ones)
ip4:192.168.0.1/16
# If no prefix-length is given, /32 is assumed (a single address)
# example
v=spf1 ip4:192.168.0.1/16 ~all

# any IPv6 address between 1080::8:800:0:0 and 1080::8:800:FFFF:FFFF (the /96 keeps the first 96 bits)
ip6:1080::8:800:200C:417A/96
# If no prefix-length is given, /128 is assumed
# example
v=spf1 ip6:2001:4860:4000::/36 ~all

A

A: the whole domain

a: the A records of the domain are looked up (AAAA records when the client connects over IPv6). If the client IP is among them, this mechanism matches.

# with no argument the current domain is used (all servers listed in its A records may send email)
a

A: List of mailers

# list all the outbound mailers in a special A record under mailers.example.com
a:mailers.example.com

Create in the DNS zone multiple A records with the same name but different IPs (one round-robin record set):

mailers.example.com. IN A 191.98.45.225
mailers.example.com. IN A 163.132.95.201
mailers.example.com. IN A 202.0.13.62

Mx

# the hosts in the current domain's MX records, plus the hosts in the MX records of another domain
mx mx:deferrals.domain.com

Include

  • include: evaluate the SPF record of another domain (a third-party mail provider or ISP, for instance); the mechanism matches if that evaluation returns Pass
include:example.com
# if example.com has no SPF record (or returns PermError), the result is PermError.

Every include, a, mx, ptr, exists and redirect term costs a DNS query, and RFC 7208 allows at most 10 of them per evaluation; a record that exceeds the limit returns PermError, which is a common problem when chaining several providers' includes.

Example:

  • OVH hosting, with the domain mx.ovh.com
  • mailchimp
  • and google
v=spf1 include:mx.ovh.com include:servers.mcsv.net include:_spf.google.com ~all

Other

You have also:

  • ptr: reverse-lookup the client IP and match if one of the resulting host names belongs to the domain. RFC 7208 says it SHOULD NOT be used: it is slow, unreliable and consumes one of the ten DNS lookups.
  • exists:<domain>: match if an A lookup of the given name (usually built with macros) returns any record, whatever its value.

Mechanism Qualifier

Mechanisms can be prefixed with one of four qualifiers:

  • + : Pass (the default when no qualifier is given)
  • - : Fail
  • ~ : SoftFail
  • ? : Neutral

Example:

"v=spf1 -all"
"v=spf1 a -all"
"v=spf1 a mx -all"
"v=spf1 +a +mx -all"

Modifiers

Domains may also define modifiers, written as name=value. Each modifier can appear at most once in a record.

  • redirect=<domain>: if no mechanism matched, evaluate that domain's SPF record instead and return its result (used to share one record between several domains; such a record normally has no all term)
  • exp=<domain>: the TXT record of that domain holds the explanation string returned to the sender when the result is Fail
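To make the Syntax, Validation Process, mechanism and qualifier sections above concrete, here is an added example (not code from the original page) that evaluates a client IP against an SPF record the way a receiving server does. Instead of live DNS it answers from a constructed in-memory zone; every domain name, address and record in ZONE is invented for the example, and the function and constant names are the author's own, not an existing library's API. It returns the lowercase result names from the table above and handles the failure modes the text mentions: no record (None), two records or an include of a domain without SPF (PermError), an include loop that hits the 10-lookup limit (PermError), and a record without a trailing all (Neutral).

```python
"""Minimal SPF evaluator (RFC 7208 subset) for the record syntax described on this page.
Added example, not code from the original page: it checks a client IP against an SPF
record using a constructed in-memory zone in place of live DNS and returns the lowercase
result names from the table above. ptr, exists, macros, exp= and TempError are left out."""
import ipaddress

# Constructed zone standing in for DNS answers (invented names/addresses; MX values are hostnames)
ZONE = {
    "example.com": {"TXT": ["v=spf1 a mx include:_spf.mailer.example ~all"],
                    "A": ["203.0.113.10"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["203.0.113.25"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"]},
    "redirect.example": {"TXT": ["v=spf1 redirect=example.com"]},
    "bare.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24"]},           # no "all": unmatched IPs are Neutral
    "dup.example": {"TXT": ["v=spf1 -all", "v=spf1 +all"]},         # two SPF records: PermError
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},  # include loop: hits the lookup limit
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("a", "mx", "include", "ptr", "exists")  # these, plus redirect=, count towards the limit
MAX_DNS_LOOKUPS = 10


class PermError(Exception):
    pass


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(domain):
    """The domain's SPF record, None if it has none; more than one record is a PermError."""
    records = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise PermError("multiple SPF records for " + domain)
    return records[0] if records else None


def count_lookup(lookups):
    lookups[0] += 1
    if lookups[0] > MAX_DNS_LOOKUPS:
        raise PermError("more than %d DNS-querying mechanisms" % MAX_DNS_LOOKUPS)


def in_network(ip, addr, prefix):
    """True if ip is inside addr/prefix; a prefix of None means the single address."""
    addr = ipaddress.ip_address(addr)
    if ip.version != addr.version:  # an ip4 term never matches an IPv6 client, and vice versa
        return False
    return ip in ipaddress.ip_network(f"{addr}/{addr.max_prefixlen if prefix is None else prefix}", strict=False)


def mechanism_matches(ip, name, target, prefix, lookups):
    """True if the client ip matches one mechanism; target is its host or address argument."""
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        return in_network(ip, target, prefix)
    rtype = "A" if ip.version == 4 else "AAAA"
    if name == "a":
        return any(in_network(ip, addr, prefix) for addr in lookup(target, rtype))
    if name == "mx":
        return any(in_network(ip, addr, prefix)
                   for mx in lookup(target, "MX") for addr in lookup(mx, rtype))
    if name == "include":  # matches only on Pass; None or PermError from the included domain is a PermError
        result = check_host(ip, target, lookups)
        if result in ("none", "permerror"):
            raise PermError(f"include:{target} returned {result}")
        return result == "pass"
    raise PermError("unsupported mechanism " + name)  # ptr and exists are not implemented here


def check_host(ip, domain, lookups=None):
    """Evaluate client ip against domain's SPF record; returns pass/fail/softfail/neutral/none/permerror."""
    ip = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    lookups = [0] if lookups is None else lookups  # DNS lookup counter shared across include/redirect
    try:
        record = spf_record(domain)
        if record is None:
            return "none"
        redirect = None
        for term in record.split()[1:]:
            if "=" in term:  # modifier: only redirect= changes the result, exp= is ignored here
                redirect = term.partition("=")[2] if term.lower().startswith("redirect=") else redirect
                continue
            qualifier, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
            name, sep, arg = term.partition(":")
            if not sep:  # no host given ("a", "mx/24"): the current domain is the target
                name, _, arg = name.partition("/")
                arg = "/" + arg if arg else ""
            target, _, cidr = arg.partition("/")
            name = name.lower()
            if name in DNS_MECHANISMS:
                count_lookup(lookups)
            if mechanism_matches(ip, name, target or domain, int(cidr) if cidr else None, lookups):
                return QUALIFIERS[qualifier]
        if redirect:
            count_lookup(lookups)
            return check_host(ip, redirect, lookups)
        return "neutral"  # nothing matched and no redirect: the RFC 7208 default
    except (PermError, ValueError):  # ValueError: malformed address or prefix length in the record
        return "permerror"


if __name__ == "__main__":
    for client, domain in [("203.0.113.25", "example.com"), ("192.0.2.99", "example.com"),
                           ("2001:db8::1", "example.com"), ("192.0.2.1", "loop.example")]:
        print(f"{client:>14}  {domain:<14} {check_host(client, domain)}")
```

check_host("203.0.113.25", "example.com") passes through the mx mechanism, 192.0.2.99 falls through every mechanism to ~all and gets softfail, and loop.example ends in permerror once the eleventh include is counted. The same function shows why forwarding breaks SPF: a forwarder's IP is not in the original sender's record, so the final recipient gets the fail or softfail that the trailing all term dictates.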

Test

Query

With the nslookup command line (a TXT query for the domain; a valid setup has exactly one TXT record starting with v=spf1, since two SPF records give PermError):

nslookup -type=TXT bytle.net
Server:  amplifi.lan
Address:  192.168.135.1

Non-authoritative answer:
bytle.net       text =

        "v=spf1 a include:vps748761.ovh.net -all"

Reference

http://www.open-spf.org/SPF_Record_Syntax/
