SPF Records for your Domain DNS
Posted by Tony W Howden on 13 July 2016 08:42 AM
SPF Records have been high on our list of support queries and issues over the last 6 months.
This article is designed as a guide to managing the SPF record for your domain and hopefully to provide an understanding of the why, how, when, and where of SPF.
What is SPF?
The acronym stands for Sender Policy Framework. The purpose is to advertise to other email users which email servers are authorised by you to send email for your domain.
What problem does SPF solve?
The problem is that email messages can be created and sent from anywhere to anywhere. In recent years spammers have been impersonating the email addresses of random users to send their scam and advertising emails. When an email server receives an email it has no way of knowing, on its own, whether the email is from a legitimate user or from an impostor. Most commonly this is known as 'spoofing' an email address, and the email address is said to be 'spoofed'.
Why use an SPF record?
An SPF record provides a solution to this problem by providing a reference for the receiving email server to check the incoming email sender address against the domain name it is supposed to be coming from.
What is an SPF record?
It is a text based entry in your DNS (Domain Name System) that is created by you (or your IT person). It contains information relating to email servers for your domain.
What is DNS?
Think of it as an old-school telephone directory for computers. Computers look up the DNS (phone listing) and find the number for another computer so that communications can take place between them.
Who creates SPF records?
The owner of a domain will have access or will delegate access to the domain for managing all records including the SPF record.
How many SPF records?
As in Highlander, "there can be only ONE". It is THE SPF record for A domain name.
e.g. wrenmaxwell.com.au is a domain and it has only one SPF record.
What happens when I send an email?
When you send an email your email server will look at the list of recipients that you are sending to. Assuming there is only one recipient, your email server will look up the DNS for the receiving domain and find the MX (Mail eXchanger) record. This will give your email server sufficient information to find a route to the receiving email server and it will make contact. The receiving server will ask (effectively) who is calling and your email server will provide its details. If the receiving server validates your email server's information then it will accept the email and hold it ready for the recipient to collect and read. This is where the SPF query is made: the receiving server looks up the SPF record for the sender's domain and checks that the IP address of the sending server is one the record authorises for that domain.
What happens if the email address is real?
If the sender email address is real then the SPF record for the domain will include a reference to the sending email server and the receiving server will know that the email is from a legitimate account.
What happens if the email address is faked?
If the sender email address is fake or spoofed, then the message will be from an unauthorised email server and the sending domain's SPF record will advise the receiving server that the email should be rejected, or 'failed'. However, the action will depend on how the SPF record is configured and what instruction it provides to the receiving server (a hard fail and a soft fail are different instructions). Further, the processing at the receiving server will vary from server to server.
What happens when an SPF record is faulty?
This depends on the nature of the fault. Generally it will mean that the email is either rejected, or accepted with a qualification that it might be spam or spoofed. A common error by IT staff is to use "ipv4" in an SPF record when the correct syntax is just "ip4".
What happens if the SPF record is faked?
An SPF record cannot be faked or compromised unless the DNS Management is compromised. So if a hacker gained access to your DNS records, then it is possible that the SPF record for your domain could be faked to advertise incorrect mail servers. However this is a different security issue and outside the scope of this article.
What are the main issues with SPF?
The single most prevalent issue is that email is not sent from just one location on behalf of a domain. Many businesses use cloud based solutions and hardware devices (such as scanners or printers) that send email as if it comes from users within the business domain. Many SPF records do not include the addresses of those services and devices. As a result, some emails may not be received by the intended party, if the receiving server tests the SPF record and fails the email on the basis that the sending device is not in the SPF authorised list.
What can I do about it?
If you are the person responsible for your business domain DNS management, then you need to understand SPF records and the implications for your business. You should document all servers, services and devices that may send email on behalf of your business domain. From that document you will be able to prepare a correct and detailed SPF record for your domain.
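As an added example (not part of the original article or of any WrenMaxwell tooling), the following Python script does two things the article describes: it lints the TXT records published for a domain for the faults named above (more than one v=spf1 record, the "ipv4" typo, no terminal "all"), and it walks a record for a connecting address the way a receiving server does. The sample records are constructed, and the include/a/mx mechanisms, which need DNS lookups, are reported as unresolved rather than resolved.

```python
import ipaddress
import re

# Constructed sample records for this example (not real DNS data); the
# second one carries the "ipv4" typo the article warns about.
SAMPLES = ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
           "v=spf1 ipv4:203.0.113.0/24 ~all"]
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # need a resolver
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?::([^/]+))?(?:/(\d+))?$", re.I)

def lint_spf(txt_records):
    """Flag the faults the article describes in a domain's TXT records."""
    problems = []
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no v=spf1 record found"]
    if len(spf) > 1:
        problems.append("more than one v=spf1 record (there can be only one)")
    for record in spf:
        terms = record.split()[1:]
        for term in terms:
            m = TERM.match(term)
            name = m.group(2).lower() if m else ""
            if name in ("ipv4", "ipv6"):
                problems.append(f"'{name}' is not SPF syntax; write '{name.replace('v', '')}'")
            elif name not in {"ip4", "ip6", "all"} | DNS_MECHANISMS and \
                    not term.lower().startswith(("redirect=", "exp=")):
                problems.append(f"unrecognised term '{term}'")
        if not terms or not terms[-1].lower().lstrip("+-~?").startswith(("all", "redirect=")):
            problems.append("record does not end with an 'all' mechanism")
    return problems

def check_sender(record, sender_ip):
    """Walk one record left to right for a connecting address, as a receiving
    server does; ip4/ip6/all are evaluated here, DNS mechanisms stop the walk."""
    ip = ipaddress.ip_address(sender_ip)
    for m in filter(None, map(TERM.match, record.split()[1:])):
        qual, name, arg, prefix = m.groups()
        name, result = name.lower(), QUALIFIERS[qual or "+"]
        if name in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(f"{arg}/{prefix}" if prefix else arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        elif name == "all":
            return result
        elif name in DNS_MECHANISMS:
            return "unresolved"  # a real receiver queries DNS (include/a/mx) here
    return "neutral"  # nothing matched: the default result
```

Note what the typo does in practice: a legitimate server in 203.0.113.0/24 sending under the second sample record gets a softfail, because "ipv4" is ignored and only "~all" matches.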
If you are not the person responsible for the DNS management, then you are probably reading this as you have a problem sending or receiving email due to an SPF rejection. In that case you need to review who the sending party is and contact the administrator of the sending domain. That will most likely be the person who is responsible for managing your business domain.
If your problem is with a third party then you should contact your IT support for assistance.
If you are the IT department then you might want to contact WrenMaxwell as we have a lot of experience configuring SPF (and DKIM) records correctly for your domains.
Sender Policy Framework / OpenSPF.org / SPF Council at http://www.openspf.org/
Kitterman SPF Record Testing Tools at http://www.kitterman.com/spf/validate.html?
MX Toolbox SPF Record Lookup at http://mxtoolbox.com/spf.aspx