Doing Sender Policy Framework (SPF) delegation the right way
At times, you need an external party to handle email exchange on your behalf. Since you can’t afford to overlook the email authentication done through SPF, DKIM, and DMARC, you then have to hand that party control of a few DNS records so that everything keeps working properly.
This blog specifically shares how domain owners can perform SPF delegation, giving a third-party vendor control of the SPF TXT record so that the vendor can legitimately send emails on your behalf. Please note that SPF delegation is a one-time process and should not be skipped: getting it wrong impacts your domain’s email deliverability and business communications at various levels.
Getting started with SPF delegation
To begin with, you have to add the IP address of your website’s hosting server. This is safe only as long as the hosting server stays up: if it goes down, all outgoing emails fail to reach their intended recipients and bounce back to the sender’s inbox with a ‘failed delivery’ message.
Since SPF, DKIM, and DMARC are designed to be compatible with each other, SPF delegation doesn’t trigger any issues with DKIM and DMARC. In fact, at times, DKIM also uses SPF delegation to allow third parties to send emails on your behalf. If DKIM doesn’t use SPF delegation, the chance of your emails failing SPF and DKIM checks increases, landing them in recipients’ spam folders or, worse, bouncing them back to you. Other discrepancies and policy conflicts also trigger delivery failures.
Prepping your domain for SPF delegation
Fortunately, configuring your domain for SPF delegation isn’t a tough job; just follow these steps, and you will be good to go:
1. Open the DNS manager and navigate to the menu bar.
2. Select the domain that requires an update.
3. In the SPF delegation overview, modify the SPF record as follows:
- a record: Add the ‘a’ record, entering 32 in the IPv4 CIDR column and 128 in the IPv6 CIDR column.
- mx record: Add the ‘mx’ record, entering 32 in the IPv4 CIDR column and 128 in the IPv6 CIDR column.
- include: Insert all necessary ‘include’ statements, ensuring that only the specified values are included.
- ipv4: List all IPv4 addresses. If the IPv4 entry specifies a range (e.g., /22), enter 22 in the ‘CIDR’ column. If no range is listed, enter 32 in the ‘CIDR’ column.
- ipv6: List all IPv6 addresses. If the IPv6 entry specifies a range (e.g., /36), enter 36 in the ‘CIDR’ column. If no range is listed, enter 128 in the ‘CIDR’ column.
- Policy: Choose either a soft fail (~all) or a hard fail (-all). For beginners and domains with significant email traffic, a soft fail setting is recommended.
4. Once you’ve made these changes, click ‘Save’ and publish the record in the DNS manager.
5. At the bottom of the page, a DNS entry will be generated, which needs to be published in your domain’s DNS records.
6. After publishing, your SPF record will be hosted and managed directly through the DNS manager, eliminating the need for an external DNS manager.
Pointers to keep in mind
Take care of the following things while you perform the above-listed steps:
Syntax
SPF syntax must follow the rules exactly; otherwise the record doesn’t work as intended. Inappropriate syntax leads to errors in an SPF record, hindering its ability to stop phishing and spoofing attacks.
Improper syntax also results in more DNS lookups, which count towards the limit of 10 DNS lookups. If your SPF record exceeds this limit, you can use the automatic SPF flattening tool.
Length limits
An SPF TXT record is limited to 255 characters, a limit imposed by the RFC for compatibility, security, and DNS protocol constraints. SPF records that exceed the limit lead to complexity and raise the probability of human error, non-uniformity, and conflicts. We suggest you use multiple records if necessary.
Order of entries
Here’s the typical order of entries for a valid SPF record: version, mechanisms (include, a, mx, ip4, ip6, and ptr), modifiers, qualifiers, and finally the all mechanism (~all or -all).
For example: v=spf1 ip4:192.168.0.1 include:example.com -all
This example indicates that only the specified IP address and those included from example.com are allowed to send emails on behalf of the domain, while all others will fail the SPF check.
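As an added example (not part of the original post or any vendor tool), the following Python linter applies the three checks discussed above to an SPF record string before you hand it to a DNS manager: it counts the terms that consume DNS lookups against the limit of 10, flags mechanisms placed after all, and warns when the record passes 255 characters. It does no DNS queries, so the lookup count is a lower bound; the sample records at the bottom are constructed for illustration.

```python
import re

# Terms that each cost one DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
MAX_TXT_STRING = 255  # one DNS TXT character-string holds at most 255 octets
QUALIFIERS = "+-~?"


def check_spf(record: str) -> dict:
    """Static lint of one SPF record. Does no DNS, so the lookup count is a
    lower bound: nested include/redirect targets add their own lookups."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("record must start with v=spf1")

    lookups = 0
    all_pos = None
    for i, term in enumerate(terms[1:], start=1):
        # Strip the qualifier, then cut at ':', '/' or '=' to get the term name.
        name = re.split(r"[:/=]", term.lstrip(QUALIFIERS), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all" and all_pos is None:
            all_pos = i
        elif all_pos is not None and "=" not in term:
            # Mechanisms after 'all' are never evaluated; modifiers (exp=) are fine.
            findings.append(f"mechanism '{term}' after 'all' is ignored")

    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if all_pos is None and not has_redirect:
        findings.append("no 'all' mechanism: unmatched senders get a neutral result")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    if len(record) > MAX_TXT_STRING:
        findings.append(f"{len(record)} chars exceeds {MAX_TXT_STRING}; "
                        "split the TXT data into multiple 255-octet strings")
    return {"lookups": lookups, "findings": findings}


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    samples = [
        "v=spf1 ip4:192.168.0.1 include:example.com -all",
        "v=spf1 " + " ".join(f"include:vendor{n}.example" for n in range(11)) + " ~all",
        "v=spf1 mx -all include:late.example",
    ]
    for s in samples:
        print(s[:60], "->", check_spf(s))
```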
Reliable service provider
Ensure your service provider is reputable: delegating your SPF record to an external vendor extends trust in your domain to that vendor, making your domain susceptible to attacks if the vendor is compromised or careless.
Regulatory compliances
Several compliance regimes, such as GDPR and CAN-SPAM, require businesses to deploy preventive measures against phishing and spoofing. If your SPF record is not correctly configured and managed, your business could be subject to litigation.