SPF DNS Record Syntax Explained

A typical SPF record in the DNS looks like the following:

v=spf1 ip4= ip4= include:examplesender.email -all

The SPF DNS method employs a list of 8 mechanisms that differentiate authorized email senders from unauthorized ones.

  • all: This mechanism is at the end of the SPF record and matches all the senders.
  • ip4: This mechanism allows IP addresses of the IPv4 network range of a pre-specified list to send emails using a given domain name.
  • ip6: This mechanism is similar to ip4 but works on the IPv6 network range.
  • a: When this mechanism is used, the IP address should strictly match the SPF DNS record unless a prefix length is provided. When the prefix length is provided, the system searches all the IP addresses for that prefix length.
  • mx: In the case of this mechanism, the entire list of records is tested in the order of specified priority.
  • ptr: The hostnames are validated using PTR queries. The invalid hostnames are rejected, while the valid ones are matched.
  • exists: This mechanism utilizes an A query based on which the existing IP addresses are validated and approved.
  • include: This mechanism searches the domain for a match. If a match is not found, it forwards the list for further processing.

Each of the mechanisms can use any one of the four qualifiers:

  • + (Pass)

The Pass qualifiers list the domain-authorized email sender.

  • – (Fail)

The Fail qualifier lists the unauthorized senders.

  • ~ (SoftFail)

The SoftFail qualifier gives the list of the in-transition unauthorized senders.

  • ? (Neutral)

The Neutral qualifier is used to mark the questionable senders.

While the DNS processing is ongoing, a temporary error may be represented by the qualifier’ TempError.’ In contrast, a syntax or evaluation error is notified by ‘PermError.’ In the cases where the domain has not created the record yet, the qualifier ‘None‘ is observed.