Chapter 3: What Is SPF?
Introduction to SPF
The Sender Policy Framework (SPF) is another widely used method of email authentication to prevent spammers from utilizing a domain for spam emailing. The framework publishes an SPF record to the DNS, i.e., a list of the IP addresses authorized to use your domain name for email. It also points out the unauthorized senders who cannot use your domain name.
SPF DNS Record Syntax Explained
A typical SPF record in the DNS looks like the following:
v=spf1 ip4=192.0.2.0 ip4=192.0.2.1 include:examplesender.email -all
The SPF DNS method employs a list of 8 mechanisms that differentiate authorized email senders from unauthorized ones.
- all: This mechanism is at the end of the SPF record and matches all the senders.
- ip4: This mechanism allows IP addresses of the IPv4 network range of a pre-specified list to send emails using a given domain name.
- ip6: This mechanism is similar to ip4 but works on the IPv6 network range.
- a: When this mechanism is used, the IP address should strictly match the SPF DNS record unless a prefix length is provided. When the prefix length is provided, the system searches all the IP addresses for that prefix length.
- mx: In the case of this mechanism, the entire list of records is tested in the order of specified priority.
- ptr: The hostnames are validated using PTR queries. The invalid hostnames are rejected, while the valid ones are matched.
- exists: This mechanism utilizes an A query based on which the existing IP addresses are validated and approved.
- include: This mechanism searches the domain for a match. If a match is not found, it forwards the list for further processing.
Each of the mechanisms can use any one of the four qualifiers:
- + (Pass)
The Pass qualifiers list the domain-authorized email sender.
- – (Fail)
The Fail qualifier lists the unauthorized senders.
- ～ (SoftFail)
The SoftFail qualifier gives the list of the in-transition unauthorized senders.
- ? (Neutral)
The Neutral qualifier is used to mark the questionable senders.
While the DNS processing is ongoing, a temporary error may be represented by the qualifier’ TempError.’ In contrast, a syntax or evaluation error is notified by ‘PermError.’ In the cases where the domain has not created the record yet, the qualifier ‘None‘ is observed.
What Are SPF Tags?
The eight SPF mechanisms that perform different types of functions as per the SPF DNS record are also known as SPF Tags. Apart from these eight, the tag “v” is utilized to represent the protocol version.
Are There Any Downsides To Using SPF?
Using SPF can sometimes be disadvantageous too. Below are a few drawbacks of using SPF.
- Email Forwarding: When an email sent from an authorized IP address is forwarded, the IP address of the person forwarding the email won’t be recorded.
- End-User Discretion: Attackers might build a domain similar to yours. Since the end-users do not check the Return-Path/mailform domain, they might fall victim to phishing attacks from such fake domains.
- Third-Party Vendors: Domain owners depend on third parties that use their domain names. Therefore, there is a constant need to continuously update the SPF record list, which can be inconvenient.
- Limited DNS Lookup: A single SPF record allows checking only 10 DNS lookups.
Creating An SPF Record
Make sure to follow the below instructions while creating an SPF record.
- Make a record of the list of authorized IP addresses.
- Create SPF records for all your domains, including those that do not send emails. The practice helps you avoid any instances of spoofing in case an attacker tries to use the domains that are not used to send emails.
- Create your SPF record with the help of the 8 SPF mechanisms.
- Publish the SPF record with the help of your DNS server admin.
- Do a test run to ensure that the SPF mechanisms are working accurately.
Adding SPF Records For Your Domain
If you are new to SPF, you can utilize the pre-configured SPF record to use the framework. If you want to add your list of SPF records, you can do so by following the steps given below:
- Log in to your Account Control Center.
- Go to ‘Domains’ and then ‘Manage Your Domain Names.’
- Go to the Domain Name to which you want to add your SPF record.
- Go to ‘Manage Custom DNS Records.’
- Next, you will see the option ‘Add DNS Records.’ Click on it.
- It will take you to the section that will allow you to choose the ‘Type of Record’ you want to add. Click on the ‘TXT’ option and then’ Proceed.’
- You will then reach a page with two text boxes, one for Hostname and another for Text Record.
- In the Hostname section, you can write the name of the sub-domain for which you are creating the record or leave the box empty if you want the record to be created for the entire domain. Write your SPF record in the ‘Text Record’ text box, and click on the ‘Create Record’ option.
Note that the process may differ slightly for various hosting providers.
An SPF record can be highly advantageous as it serves as a tool to prevent email spoofing, spamming, and phishing attacks. It is a standard and widely-used email authentication method. Since the SPF record is a simple TXT record, it is easy to create. However, you have to be thorough about the syntax and the correct use and implications of its mechanisms, qualifiers, etc., to avoid errors and make the record work for you in the best possible way.
Understanding Phishing & Other Email Borne Cyber Threats
What is DMARC?
What is SPF? ☜
What is DKIM?
Defining a DMARC Policy
Ready to Start?
DMARC Report is designed for large scale reporting needs, with a combination of domains and message volume.