Sender Policy Framework (SPF) records are a type of DNS record that identify which mail servers are authorized to send email on behalf of your domain. In other words, an SPF record is a way to prevent spammers from sending messages with forged 'From' addresses at your domain.
Here's a brief overview of how SPF works:
The owner of a domain adds an SPF record in the Domain Name System, or DNS, specifying which servers and IPs are allowed to send email from that domain.
When an incoming mail server receives a message, it can check the SPF record of the domain in the 'From' address to verify that the message came from an authorized server.
If the check fails (i.e., the message came from an unauthorized server), the server can mark the message as spam or reject it outright.
The importance of SPF records is primarily tied to the issues of spam and email spoofing:
Spam Prevention: By verifying that messages are coming from authorized servers, mail servers can reduce the amount of spam that reaches users' inboxes.
Spoofing Prevention: Without SPF, it's very easy to send a message that appears to come from any email address. This is a common tactic used in phishing and other types of email fraud. With SPF, it's harder for spammers to impersonate your domain.
Domain Reputation: Mail servers and spam filters also consider a domain's SPF record when determining the domain's reputation. If you don't have an SPF record, or if too many messages fail the SPF check, it can harm your domain's reputation, making it more likely that your legitimate messages will be marked as spam.
In short, while SPF isn't a silver bullet that will stop all spam or phishing, it's an important tool that can significantly reduce these threats. However, it's just one of several authentication methods that can be used in conjunction to protect your email infrastructure. Others include DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance).
An important aspect to consider when constructing an SPF record is the DNS lookup limit. SPF imposes a limit of 10 DNS lookups per SPF check. This limit is meant to prevent excessive resource consumption and potential denial of service attacks.
When an email is received and an SPF check is performed, each "include", "a", "mx", "ptr", and "exists" mechanism, as well as the "redirect" modifier, found in the SPF record being evaluated counts as a DNS lookup. The "ip4" and "ip6" mechanisms, by contrast, do not require DNS lookups.
If the SPF record for a domain requires more than 10 DNS lookups, receivers checking the SPF may stop the SPF evaluation and return a 'permerror' (permanent error).
This limit can be quickly exhausted if your SPF record includes other domains, especially if those domains also use SPF with their own includes. Therefore, it's important to ensure that your SPF record is carefully constructed to stay within this limit.
Remember that the lookup limit applies separately to each unique SPF check, not to each message. This means that each message could potentially cause multiple SPF checks, each with its own 10-lookup limit. For example, forwarding a message can cause a new SPF check with its own set of DNS lookups.
| Option | Description | Required? | Example |
|---|---|---|---|
| v=spf1 | Defines the SPF version used | Required | v=spf1 |
| all | Matches all addresses | Optional | -all, ~all |
| a | Matches if the IP is in the A (IPv4) or AAAA (IPv6) records for the domain | Optional | a, a:example.com |
| mx | Matches if the IP is one of the MX hosts for the domain | Optional | mx, mx:example.com |
| ptr | Matches if the domain name for the client's IP is in the given domain | Optional | ptr, ptr:example.com |
| ip4 | Matches if the IP is in the given IPv4 address or range | Optional | ip4:192.0.2.0/24 |
| ip6 | Matches if the IP is in the given IPv6 address or range | Optional | ip6:2001:DB8::/32 |
| include | Includes the SPF record of the specified domain | Optional | include:example.com |
| exists | Matches if the specified domain name resolves to any address | Optional | exists:example.com |
| redirect | Redirects the SPF check to another domain's record | Optional | redirect=example.com |
| exp | Explanation message for failed checks | Optional | exp=example.com |
| Qualifier + | Pass: the SPF check for the mechanism passed | Optional | +mx |
| Qualifier - | Fail: the SPF check for the mechanism failed | Optional | -mx |
| Qualifier ~ | Softfail: the SPF check for the mechanism failed, but the domain is still in transition | Optional | ~mx |
| Qualifier ? | Neutral: the SPF check for the mechanism neither passed nor failed | Optional | ?mx |
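The lookup budget described above and the mechanisms and qualifiers in the table can be exercised offline with a small evaluator. The following is an added example written for this page, not code from the article or from Postmaster+; the zone data, domain names and addresses in it are constructed, and it covers only a subset of RFC 7208 (no ptr, exists, macros or CIDR suffixes on a/mx).

```python
"""Simplified SPF evaluator over an in-memory DNS zone (added example).

Implements the qualifiers and the all/ip4/ip6/a/mx/include mechanisms plus
the redirect modifier, and enforces the 10-lookup limit: every a, mx, include
and redirect is charged to one budget shared by the whole check, while ip4
and ip6 cost nothing. ptr and exists are not implemented. Zone data is
constructed for this example.
"""
import ipaddress

MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone: "txt" holds the SPF record, "a" the A/AAAA addresses,
# "mx" the MX host names.
ZONE = {
    "example.com": {"txt": "v=spf1 mx include:_spf.mailer.example -all",
                    "mx": ["mail.example.com"]},
    "mail.example.com": {"a": ["192.0.2.25"]},
    "_spf.mailer.example": {"txt": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"},
    "legacy.example": {"txt": "v=spf1 redirect=example.com"},
}
# Twelve chained includes: checking deep0.example needs more than ten
# lookups, so evaluation has to stop with permerror.
for i in range(12):
    ZONE[f"deep{i}.example"] = {"txt": f"v=spf1 include:deep{i + 1}.example -all"}
ZONE["deep12.example"] = {"txt": "v=spf1 -all"}


class PermError(Exception):
    """Evaluation must stop with a permanent error."""


def _charge(counter):
    """Charge one DNS lookup to the budget shared by the whole SPF check."""
    counter[0] += 1
    if counter[0] > MAX_LOOKUPS:
        raise PermError(f"more than {MAX_LOOKUPS} DNS lookups")


def _addresses(zone, name):
    return {ipaddress.ip_address(a) for a in zone.get(name, {}).get("a", [])}


def _matches(ip, domain, mech, arg, zone, counter):
    """True if the client IP matches a single mechanism."""
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):               # literal address: no DNS lookup
        return ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain
    if mech == "a":
        _charge(counter)
        return ip in _addresses(zone, target)
    if mech == "mx":
        _charge(counter)
        hosts = zone.get(target, {}).get("mx", [])
        return any(ip in _addresses(zone, h) for h in hosts)
    if mech == "include":
        _charge(counter)
        result = _evaluate(ip, target, zone, counter)
        if result == "none":                 # included domain publishes no SPF
            raise PermError(f"include:{target} has no SPF record")
        return result == "pass"              # include matches only on pass
    raise PermError(f"unsupported mechanism {mech}")


def _evaluate(ip, domain, zone, counter):
    terms = zone.get(domain, {}).get("txt", "").split()
    if terms[:1] != ["v=spf1"]:
        return "none"
    redirect = None
    for term in terms[1:]:
        name, is_modifier, value = term.partition("=")
        if is_modifier and name.isalpha():   # redirect= or exp=
            if name == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if _matches(ip, domain, mech, arg, zone, counter):
            return QUALIFIERS[qualifier]     # first matching mechanism decides
    if redirect:                             # consulted only if nothing matched
        _charge(counter)
        result = _evaluate(ip, redirect, zone, counter)
        if result == "none":
            raise PermError(f"redirect={redirect} has no SPF record")
        return result
    return "neutral"


def check_host(ip, domain, zone=ZONE):
    """Evaluate `domain`'s SPF record for sender IP `ip`.
    Returns (result, lookups_used); result is pass, fail, softfail, neutral,
    none or permerror."""
    counter = [0]
    try:
        return _evaluate(ipaddress.ip_address(ip), domain, zone, counter), counter[0]
    except PermError:
        return "permerror", counter[0]


if __name__ == "__main__":
    for ip, domain in [("192.0.2.25", "example.com"), ("198.51.100.7", "example.com"),
                       ("203.0.113.1", "example.com"), ("192.0.2.25", "legacy.example"),
                       ("203.0.113.1", "deep0.example")]:
        print(f"{ip:>14} {domain:<16} {check_host(ip, domain)}")
```

Running it shows the point the lookup-limit section makes: each deepN.example record is tiny and valid on its own, yet evaluating deep0.example stops with permerror on the eleventh lookup, because includes share one budget for the whole check. The legacy.example line shows that a redirect is charged like an include.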
You can follow these steps to set up SPF:
Identify your mail servers - Determine which mail servers you use to send email from your domain. These could be your own servers or those of an email service like Google Workspace, Office 365, SendGrid, etc.
Create your SPF record - The SPF record is a type of TXT record in your domain's DNS settings. A basic SPF record might look like this: v=spf1 mx -all
v=spf1 indicates that this is an SPF record and that it is version 1.
mx means that all the servers listed as MX records for your domain are allowed to send mail for your domain.
-all indicates that no other servers are allowed to send mail.
If you're using an email service, they'll typically provide you with an include statement to add to your SPF record. For example, if you're using Google Workspace, you would use include:_spf.google.com. So your record would look like this: v=spf1 mx include:_spf.google.com -all
Add the SPF record to your DNS - How you do this depends on who hosts your DNS. Generally, you'll need to log into your DNS management console, create a new TXT record, and paste your SPF record into the value field. The record should be added at the root level of your domain, meaning the name or host field should be "@" or your domain name.
Test your SPF record - You can use an SPF record checker to verify that your SPF record is correct. We have a domain compliance scan tool you can use that's powered by Postmaster+.
Monitor your SPF record - It's a good idea to regularly check your SPF record to make sure it's still correct, especially if you change email services. Postmaster+ was built by OptiPub to make monitoring your email configuration super easy. Check it out!
Please note that you should only have one SPF record for a domain. If you need to authorize multiple servers or domains, you can include them all in the same record. For example, if you're using Google Workspace and SendGrid, your SPF record might look like this: v=spf1 mx include:_spf.google.com include:sendgrid.net -all
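As an added example (not the article's or Postmaster+'s tool), here is an offline lint that checks the points from the steps above against the TXT strings a domain publishes: exactly one record starting with v=spf1, only known mechanisms and modifiers with valid arguments, nothing after the final "all", and no more lookup mechanisms than the limit allows at the top level. The sample TXT strings are constructed; to run it against a live zone you would feed it the strings from your own TXT query.

```python
"""Offline lint for the TXT strings published at a domain's apex (added example).

Nested includes are not followed, so the lookup count covers only the record
itself. Sample data is constructed.
"""
import ipaddress

MECHANISMS = {"all", "a", "mx", "ptr", "ip4", "ip6", "include", "exists"}
MODIFIERS = {"redirect", "exp"}
NEEDS_LOOKUP = {"a", "mx", "ptr", "include", "exists", "redirect"}
QUALIFIERS = "+-~?"

# Constructed sample: what a TXT query for a domain's apex might return.
SAMPLE_TXT = [
    "site-verification=constructed-placeholder-token",
    "v=spf1 mx include:_spf.google.com include:sendgrid.net -all",
]


def lint_spf(txt_records):
    """Return a list of problems; an empty list means the record looks sane."""
    problems = []
    spf = [r for r in txt_records if r.split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no TXT record starts with v=spf1"]
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records published; a domain must have exactly one")
    lookups, saw_all, saw_redirect = 0, False, False
    for term in spf[0].split()[1:]:
        if saw_all:
            problems.append(f"'{term}' comes after 'all' and is never evaluated")
            continue
        name, is_modifier, _ = term.partition("=")
        if is_modifier and name.isalpha():            # e.g. redirect=example.com
            if name not in MODIFIERS:
                problems.append(f"unknown modifier '{name}'")
            saw_redirect |= name == "redirect"
            lookups += name in NEEDS_LOOKUP
            continue
        body = term[1:] if term[0] in QUALIFIERS else term
        mech, _, arg = body.partition(":")
        mech = mech.partition("/")[0]                 # drop a dual-CIDR suffix like a/24
        if mech not in MECHANISMS:
            problems.append(f"unknown mechanism '{mech}'")
            continue
        lookups += mech in NEEDS_LOOKUP
        if mech in ("include", "exists") and not arg:
            problems.append(f"'{mech}' requires a domain argument")
        elif mech in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(arg, strict=False).version != int(mech[2]):
                    problems.append(f"'{term}' mixes address families")
            except ValueError:
                problems.append(f"'{term}' is not a valid address or CIDR range")
        elif mech == "ptr":
            problems.append("'ptr' is slow and discouraged; list addresses with ip4/ip6 instead")
        elif mech == "all":
            saw_all = True
    if not (saw_all or saw_redirect):
        problems.append("no 'all' or 'redirect=' at the end; unlisted senders get neutral")
    if lookups > 10:
        problems.append(f"{lookups} lookup mechanisms exceed the limit of 10")
    return problems


if __name__ == "__main__":
    for line in lint_spf(SAMPLE_TXT) or ["OK: record looks sane"]:
        print(line)
```

The two-record case is the one worth remembering from the note above: publishing a second v=spf1 string does not "add" senders, it makes the whole check fail with permerror at receivers that follow RFC 7208.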
Remember, the purpose of the SPF record is to help prevent spammers from using your domain to send email without your permission. It doesn't prevent spam from being sent to you. For that, you might want to look into other technologies like DKIM and DMARC.
One common approach to mitigate having too many SPF lookups is SPF flattening, which involves converting dynamic DNS lookups into static IP addresses to reduce the number of DNS queries. However, SPF flattening requires regular updates to keep the SPF record accurate as the IP addresses change, which can be cumbersome, error-prone, and costly.
Using SPF macros is an alternative method that can help manage the lookup limit without resorting to flattening. Macros allow SPF records to be more dynamic and flexible by inserting specific information about the sender or the email environment directly into the SPF record. For example, based on the sender's localpart, domain or IP address, different include statements can be generated, allowing for a more targeted approach that can potentially reduce the number of DNS lookups.
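The two approaches in the last two paragraphs, flattening and macros, can be shown side by side. This is an added example written for this page, not code from the article: flatten() walks the include, redirect, a and mx mechanisms of a record over a constructed in-memory zone and rewrites them as ip4/ip6 literals, which cost no lookups at evaluation time but must be regenerated whenever an upstream address changes; expand_macros() shows what a receiver does with a macro term, filling %{l}, %{d}, %{i} and friends from the message under test so that one include: or exists: term can point at a per-sender name and still cost a single lookup. Zone data, addresses and sender values are constructed; only lowercase macro letters with the "N" and "r" transformers are handled, and only positively qualified terms are carried into the flattened record (negatively qualified ones can never produce "pass").

```python
"""Flattening and macro expansion for SPF records (added example).

Zone data, addresses and senders are constructed for this example.
"""
import ipaddress
import re

ZONE = {
    "example.com": {"txt": "v=spf1 mx include:_spf.mailer.example -all",
                    "mx": ["mail.example.com"]},
    "mail.example.com": {"a": ["192.0.2.25", "2001:db8::25"]},
    "_spf.mailer.example": {"txt": "v=spf1 ip4:198.51.100.0/24 include:_spf2.mailer.example ~all"},
    "_spf2.mailer.example": {"txt": "v=spf1 ip6:2001:db8:1::/48 -all"},
}


def _ip_terms(addresses):
    return [f"ip{ipaddress.ip_address(a).version}:{a}" for a in addresses]


def _collect(domain, zone, seen):
    """Return ip4/ip6 terms for every address the record at `domain` passes."""
    if domain in seen:                              # guard against include loops
        return []
    seen.add(domain)
    terms = []
    for term in zone.get(domain, {}).get("txt", "").split()[1:]:
        if term.startswith("redirect="):
            terms += _collect(term.split("=", 1)[1], zone, seen)
            continue
        if term[0] in "-~?":                        # fail/softfail/neutral: never a pass
            continue
        mech, _, arg = term.lstrip("+").partition(":")
        if mech in ("ip4", "ip6"):
            terms.append(f"{mech}:{arg}")
        elif mech == "a":
            terms += _ip_terms(zone.get(arg or domain, {}).get("a", []))
        elif mech == "mx":
            for host in zone.get(arg or domain, {}).get("mx", []):
                terms += _ip_terms(zone.get(host, {}).get("a", []))
        elif mech == "include":
            terms += _collect(arg, zone, seen)
    return terms


def flatten(domain, zone=ZONE, final="-all"):
    """Rewrite `domain`'s SPF record as a lookup-free list of ip4/ip6 terms."""
    unique = dict.fromkeys(_collect(domain, zone, set()))   # dedupe, keep order
    return " ".join(["v=spf1", *unique, final])


def expand_macros(text, sender, ip, domain, helo="mail.example.com"):
    """Expand %{s} %{l} %{o} %{d} %{i} %{v} %{h} with optional N and r transformers."""
    local, _, sender_domain = sender.rpartition("@")
    addr = ipaddress.ip_address(ip)
    # %{i} is the dotted quad for IPv4 and dot-separated nibbles for IPv6
    ip_text = str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain, "i": ip_text,
              "v": "in-addr" if addr.version == 4 else "ip6", "h": helo}

    def expand(match):
        if match.group(0) == "%%":                  # literal percent sign
            return "%"
        letter, digits, reverse = match.groups()
        parts = values[letter].split(".")
        if reverse:                                 # 'r' reverses label order first,
            parts.reverse()
        if digits:                                  # then the rightmost N labels are kept
            parts = parts[-int(digits):]
        return ".".join(parts)

    return re.sub(r"%%|%\{([slodivh])(\d*)(r?)\}", expand, text)


if __name__ == "__main__":
    print(flatten("example.com"))
    print(expand_macros("include:%{l}._spf.%{d}", "alice@example.com", "192.0.2.25", "example.com"))
    print(expand_macros("exists:%{ir}.%{v}._spf.%{d}", "alice@example.com", "192.0.2.25", "example.com"))
```

The flattened output for example.com has no include, a or mx left in it, so a receiver evaluates it with zero lookups; the price is that every address in it is a snapshot of the zone at generation time, which is the maintenance burden the flattening paragraph describes. The macro lines show the alternative: the record keeps one exists: or include: term, and the receiver derives the per-sender name itself, so the lookup count stays at one no matter how many senders the scheme covers.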