October 19, 2020

KNOWLITE

Never stop learning.

What is an SPF record and what does it do?

2 min read

The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery. More precisely, the current version of SPF — called SPFv1 or SPF Classic — protects the envelope sender address, which is used for the delivery of messages.

SPFv1 allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail from their domain. The technology requires two sides to play together: (1) the domain owner publishes this information in an SPF record in the domain’s DNS zone, and when someone else’s mail server receives a message claiming to come from that domain, then (2) the receiving server can check whether the message complies with the domain’s stated policy. If, e.g., the message comes from an unknown server, it can be considered a fake.

Limitations of SPF records

A big limitation of SPF records are the DNS includes, as it allows 10 DNS lookups at max.

Imagine yourself as owner of Contoso.com, having an on premises Exchange environment.
Next to the on premises environment your users also use SugarCRM as SaaS solution.

Your SPF record can look like the following:

DNS record type= TXT
v=spf1 include:spf.contoso.com include:spf.sugarcrm.com -all

v=spf1 – version of the SPF record like stated above
include: – you can include other SPF records into each other, making management and grouping easier
-all – this makes a strict ending, meaning that all other addresses that are not included may not send mail for this domain

There are also other things you can include in an SPF record:
a: – Include any A record that you want
ip4: – You can include any IPv4 address – also the use of the subnet marker is allows (a.e /31, /24)
ip6: – You can include any IPv6 address
PTR – Add any pointer record
MX – include your mail servers directly if they correspond with the mx records of this domain

Other endings are also available:
?all – Will accept but mark the message as possible spam if IP is not included
~all – Specifies explicitly that nothing can be said about the validity of this record
+all – If you really don’t care about SPF use this method. Allowing all hosts to send

Only DNS lookups like includes, A, MX and PTR records count as DNS lookup.
Basically every lookup where DNS resolving is needed.

You can verify your SPF record in advance with the following websites:

Kitterman SPF Validator
DMARCIAN – SPF Surveyor

Querying for the SPF (TXT) record can be done with Powershell with the following cmdlet:
SPF-query

More Stories