DMARC Fundamentals: Everything You Need to Know About Email Authentication Protocols

Previous Topic
Next Topic

SPF DNS Record Syntax Explained

DMARC Fundamentals: Everything You Need to Know About Email Authentication Protocols What is SPF? SPF DNS Record Syntax Explained

A typical SPF record in the DNS looks like the following:

v=spf1 ip4=192.0.2.0 ip4=192.0.2.1 include:examplesender.email -all

The SPF DNS method employs a list of 8 mechanisms that differentiate authorized email senders from unauthorized ones.

  • all: This mechanism is at the end of the SPF record and matches all the senders.
  • ip4: This mechanism allows IP addresses of the IPv4 network range of a pre-specified list to send emails using a given domain name.
  • ip6: This mechanism is similar to ip4 but works on the IPv6 network range.
  • a: When this mechanism is used, the IP address should strictly match the SPF DNS record unless a prefix length is provided. When the prefix length is provided, the system searches all the IP addresses for that prefix length.
  • mx: In the case of this mechanism, the entire list of records is tested in the order of specified priority.
  • ptr: The hostnames are validated using PTR queries. The invalid hostnames are rejected, while the valid ones are matched.
  • exists: This mechanism utilizes an A query based on which the existing IP addresses are validated and approved.
  • include: This mechanism searches the domain for a match. If a match is not found, it forwards the list for further processing.

Each of the mechanisms can use any one of the four qualifiers:

  • + (Pass)

The Pass qualifiers list the domain-authorized email sender.

  • – (Fail)

The Fail qualifier lists the unauthorized senders.

  • ~ (SoftFail)

The SoftFail qualifier gives the list of the in-transition unauthorized senders.

  • ? (Neutral)

The Neutral qualifier is used to mark the questionable senders.

While the DNS processing is ongoing, a temporary error may be represented by the qualifier’ TempError.’ In contrast, a syntax or evaluation error is notified by ‘PermError.’ In the cases where the domain has not created the record yet, the qualifier ‘None‘ is observed.

Previous Topic
Back to Lesson
Next Topic