What is an SPF record?
SPF (Sender Policy Framework) is part of the email authentication scheme, alongside DKIM and DMARC. A domain publishes, in a DNS TXT record, the list of hosts allowed to send mail on its behalf, and a receiving server checks the connecting client's IP against that list.
The SPF record value defines:
- one or more mechanisms of validation (how a validator finds the IP addresses of the servers allowed to send for the domain)
- an optional qualifier attached to each mechanism (the result to return when that mechanism matches the sending host)
If you are forwarding email (for instance with Postfix virtual aliasing), the original sender's domain (gmail.com, for instance) does not authorize your server to send email on its behalf, so the forwarded message fails the SPF check at its final destination. To forward safely you need to install what's called a Sender Rewriting Scheme (SRS), which rewrites the envelope sender to a domain you control. See Postfix - Sender Rewriting Scheme (SRS) installation
v=spf1 is the version prefix that you will find at the start of every record. Typical minimal records:
- v=spf1 -all: The domain sends no mail at all.
- v=spf1 mx -all: Allow the hosts in the domain's MX records to send mail for the domain, prohibit all others.
- v=spf1 +all: Allow all hosts. The domain owner thinks that SPF is useless and/or doesn't care (this is equivalent to publishing no policy at all).
An SPF record is composed of:
- the prefix v=spf1
- one or more mechanisms of validation, each with its optional qualifier
- optionally, modifiers (see below)
A validator looks up the TXT record of the domain in the message's envelope sender (the SMTP MAIL FROM / Return-Path address), or of the HELO/EHLO hostname when MAIL FROM is empty. SPF does not check the From: header shown to the user; tying that header to the SPF (or DKIM) domain is what DMARC adds.
Evaluation of an SPF record can return any of these results:

| Result | Meaning | Typical action |
|---|---|---|
| Pass | The SPF record designates the host as allowed to send | accept |
| Fail | The SPF record designates the host as NOT allowed to send | reject |
| SoftFail | The SPF record designates the host as NOT allowed to send, but the domain is in transition | accept but mark |
| Neutral | The SPF record specifies explicitly that nothing can be said about validity | accept |
| None | no SPF record at all, or no value | accept |
| PermError | syntax or evaluation error (eg. badly formatted SPF record, more than 10 DNS lookups, an include of a domain without SPF record) | unspecified (receivers may reject) |
| TempError | DNS processing error (DNS server not reachable) | accept, or reject temporarily so the sender retries |
- all: matches every host (generally placed at the end of the SPF record, with a - or ~ qualifier, as the catch-all)

```
# no mail is sent by the domain
v=spf1 -all
# Only the mx mechanism
v=spf1 mx -all
# All hosts are allowed (ie the admin doesn't care; generally not found)
v=spf1 +all
```

- ip4: an IPv4 address or CIDR range

```
# Allow any IP address between 192.168.0.0 and 192.168.255.255
ip4:192.168.0.1/16
# If no prefix-length is given, /32 is assumed (a single host)
# example
v=spf1 ip4:192.168.0.1/16 ~all
```

- ip6: an IPv6 address or CIDR range

```
# any IPv6 address between 1080::8:800:0000:0000 and 1080::8:800:FFFF:FFFF
ip6:1080::8:800:200C:417A/96
# example
v=spf1 ip6:2001:4860:4000::/36 ~all
```
- a: the A records of the domain are tested (AAAA records when the client IP is IPv6). If the client IP is found among them, this mechanism matches.

```
# the current DNS domain is used (all servers defined in its A records may send email)
a
# list all the outbound mailers in a dedicated A record under mailers.example.com
a:mailers.example.com
```

To list several mailers, create in the DNS zone multiple A records with the same name but different IPs:

```
mailers.example.com. IN A 188.8.131.52
mailers.example.com. IN A 184.108.40.206
mailers.example.com. IN A 202.0.13.62
```
- mx: the A records of every host listed in the domain's MX records (the servers that receive mail for the domain) are tested

```
# the domain's own MX hosts plus the MX hosts of another domain
mx mx:deferrals.domain.com
```
- include: evaluate the SPF record of another domain (your ISP or mail provider, for instance) and match if it returns Pass. Each include (like a, mx, ptr and exists) counts toward the limit of 10 DNS lookups per evaluation; beyond that limit the result is PermError, so long chains of includes from several providers can silently break your policy.

```
include:example.com
# if example.com has no SPF record, the result is PermError
```
Example for a domain whose mail is sent by OVH hosting (mx.ovh.com), a third-party mailing service (servers.mcsv.net) and Google (_spf.google.com):

```
v=spf1 include:mx.ovh.com include:servers.mcsv.net include:_spf.google.com ~all
```
You have also the exists and ptr mechanisms (ptr is deprecated by RFC 7208 and should not be used).
Mechanisms can be prefixed with one of four qualifiers:
- + : Pass (the default when no qualifier is given)
- - : Fail
- ~ : SoftFail
- ? : Neutral

The qualifier is the result returned when its mechanism matches; mechanisms are tried left to right and the first match wins. If no mechanism matches, the result is Neutral. The last two records below are equivalent, since a mechanism without qualifier is implicitly +.

```
"v=spf1 -all"
"v=spf1 a -all"
"v=spf1 a mx -all"
"v=spf1 +a +mx -all"
```
Domains may also define modifiers. Each modifier can appear only once:
- redirect=domain: evaluate the SPF record of another domain in place of this one. It is only consulted after all mechanisms, so it is ignored if the record also contains all (which always matches first).
- exp=domain: the TXT record of that domain holds an explanation string returned to the sender when the result is Fail.
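To see how the pieces above fit together (prefix, mechanisms tried left to right, qualifiers, include and redirect, the 10-lookup limit and the result table), here is a small offline SPF evaluator. It is an added example, not code from the original page or from any SPF library: the `DNS` dictionary is constructed zone data standing in for live lookups, only the a, mx, ip4, ip6, include and all mechanisms and the redirect modifier are implemented, and macros and exists/ptr are left out.

```python
"""Minimal offline SPF evaluator (a subset of RFC 7208) against a stubbed DNS.
Added example with constructed zone data; not the page's or a library's code."""
import ipaddress

# Constructed zone data (documentation ranges). TXT holds the SPF records.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 a mx ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.isp.example -all"],
        "A": ["198.51.100.10"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.isp.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "noreply.example": {"TXT": ["v=spf1 -all"]},
    "alias.example": {"TXT": ["v=spf1 redirect=example.com"]},
    "broken.example": {"TXT": ["v=spf1 include:missing.example -all"]},  # include target has no record
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},       # self-include never terminates
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}  # each costs a DNS query
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

class PermError(Exception):
    """The record cannot be evaluated: bad syntax, dangling include, lookup limit hit."""

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def get_spf(domain):
    """Return the domain's single SPF TXT record, or None if it publishes none."""
    records = [r for r in lookup(domain, "TXT") if r == "v=spf1" or r.startswith("v=spf1 ")]
    if len(records) > 1:
        raise PermError("more than one SPF record")
    return records[0] if records else None

def in_network(addr, host_ip, cidr=""):
    """True if addr lies in host_ip/cidr (a bare address means /32 or /128)."""
    try:
        net = ipaddress.ip_network(f"{host_ip}/{cidr}" if cidr else host_ip, strict=False)
    except ValueError as exc:
        raise PermError(f"bad address in record: {exc}")
    return addr in net  # False when the IP versions differ

def count_lookup(counter):
    counter["n"] += 1
    if counter["n"] > MAX_LOOKUPS:
        raise PermError("too many DNS lookups")

def mechanism_matches(addr, name, arg, domain, counter):
    """True if the client address matches one mechanism evaluated for domain."""
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        net, _, cidr = arg.partition("/")
        return in_network(addr, net, cidr)
    if name == "a":
        target, _, cidr = arg.partition("/")
        return any(in_network(addr, ip, cidr) for ip in lookup(target or domain, "A"))
    if name == "mx":
        target, _, cidr = arg.partition("/")
        return any(in_network(addr, ip, cidr)
                   for mx in lookup(target or domain, "MX") for ip in lookup(mx, "A"))
    if name == "include":
        result = check_host(str(addr), arg, counter)
        if result in ("none", "permerror"):
            raise PermError(f"include:{arg} evaluated to {result}")
        return result == "pass"  # any other result just means "no match"
    raise PermError(f"unsupported mechanism {name}")

def check_host(ip, domain, counter=None):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    addr = ipaddress.ip_address(ip)
    counter = counter if counter is not None else {"n": 0}  # shared by include/redirect
    try:
        record = get_spf(domain)
        if record is None:
            return "none"
        redirect = None
        for term in record.split()[1:]:
            mod_name, is_modifier, mod_value = term.partition("=")
            if is_modifier and ":" not in mod_name:
                if mod_name.lower() == "redirect":
                    redirect = mod_value
                continue  # exp= and unknown modifiers do not change the result
            qualifier = "+"  # the default qualifier is pass
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            name, _, arg = term.partition(":")
            if "/" in name:  # "a/24" or "mx/24": CIDR applied to the current domain
                name, _, cidr = name.partition("/")
                arg = "/" + cidr
            if name.lower() in LOOKUP_MECHANISMS:
                count_lookup(counter)
            if mechanism_matches(addr, name.lower(), arg, domain, counter):
                return QUALIFIERS[qualifier]
        if redirect:
            count_lookup(counter)
            result = check_host(ip, redirect, counter)
            return "permerror" if result == "none" else result
        return "neutral"  # nothing matched and no redirect (RFC 7208 section 4.7)
    except PermError:
        return "permerror"
```

`check_host("10.0.0.1", "example.com")` walks a, mx, ip4, ip6 and the include without a match and ends on `-all`, returning fail; the same IP against `_spf.isp.example` ends on `~all` and returns softfail. The two deliberately broken zones show the PermError cases a real validator produces: `broken.example` includes a domain with no record, and `loop.example` includes itself until the lookup counter passes 10.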
To check a published record, query the TXT record of the domain:

```
nslookup -type=TXT bytle.net
```

```
Server:  amplifi.lan
Address: 192.168.135.1

Non-authoritative answer:
bytle.net text = "v=spf1 a include:vps748761.ovh.net -all"
```