What is an SPF Record? | EasyDMARC

What is an SPF Record?

6 Min Read
What is an SPF Record

What if you realize a threat actor misuses your domain name to send fraudulent emails? Imagine how they can damage your reputation through spamming and phishing

Fortunately, you can control who uses your domain to send emails. The solution is SPF, or the Sender Policy Framework, an email authentication method that works with the Domain Name System (DNS).

This blog discusses more on what an SPF record is for email, how it works, its structure, and components.

What’s an SPF Record?

SPF is short for sender policy framework, and an SPF record is a type of DNS TXT record listing the IP addresses permitted to send emails from a specific domain. A domain administrator enters arbitrary text into DNS or Domain Name System, which helps track and regulate domain names and addresses on the internet. 

Business owners must know what an SPF record is for email security reasons. It helps avert spamming and phishing in your company’s name.

If you have multiple sending IPs or servers, you can create an SPF record listing all of them. That way, receiving servers can authenticate whether an email comes from a sending source you’ve authorized. 

Any unregistered IPs sending emails using your domain are handled accordingly and won’t be delivered to the recipient’s inbox. Check your SPF records regularly to ensure they’re updated and working correctly.

How Do Email Servers Check an SPF Record?

Now that you know what a Sender Policy Framework or SPF record is, it’s wise to understand how it works. By generating an SPF record, you’re giving recipients a way to reject any unauthorized emails using your domain name.   

The process starts at the receiving server’s end, where the return-path address is cross-checked. A return-path address is set in the email header and defines how bounced emails should be treated. 

So, what exactly does an SPF record do after checking the return-path? It verifies whether the sender’s email address is registered in the SPF record. If so, the email will be reflected in the ‘inbox;’ otherwise, it’ll be labelled as ‘spam.’ In some cases, a receiver’s mailbox will altogether reject its entry.

What are the Limitations of SPF?

We’ve discussed what an SPF record is and how it works, but there are some limitations that you should be aware of. 

  • One of the most significant limitations of an email SPF record is its inability to validate the ‘From’ header. The ‘From’ header is displayed mostly as the sender’s email address. So, instead, it uses the ‘Envelope From’ to check the DNS record. 
  • SPF doesn’t work with forwarded emails as the ‘forwarder’ becomes the new ‘sender.’ So, there’s no technique to determine what an SPF record does for forwarded emails. This lets malicious actors scam people.
  • SPF doesn’t have a reporting mechanism, which makes it harder to maintain.

While SPF is a helpful email security protocol, more is needed to secure your domain entirely. Fortunately, you can implement DMARC. It’s an advanced authentication standard combining SPF and DKIM for much more robust email domain protection and reporting.

SPF Record Structure and Components

Adding an SPF record to your DNS increases your domain’s trustworthiness and improves your online reputation.. There’s a proper SPF record structure that helps in maintaining it easily. SPF records have a TXT record type, a single string of text. 

Here’s an SPF record example: v=SPF1 a mx ip4:69.64.153.131 include:_SPF.google.com ~all

An SPF record always begins with the ‘v=’ element, which indicates the version used. ‘SPF1’ is the most common version understood by mail exchanges. The following terms mean mechanisms used to evaluate whether a domain is eligible to send emails. 

Mechanisms

Here are the eight mechanisms:

ALL: It always matches and is used for default results like ‘-all’ for unmatching IPs. It’s typically used as the last mechanism, defining how recipient servers should handle emails from sender IPs that failed to match any previous mechanisms.

A: If the domain name consists of an A or AAAA address record, it’ll be matched. This is because it can be resolved to the sender’s address.

IP4: The match is successful if the sender belongs to the given IPv4 address range.

IP6: The match is successful if the sender belongs to the given IPv6 address range.

MX: The sender’s email address will be validated if the domain name has an MX record.

PTR: The match will be successful if the PTR record belongs to a given domain that resolves to the client’s address. Its use isn’t encouraged as sometimes it can block all emails from your domain.

EXISTS: Instructs and A query to be performed. If the given domain name resolves to any address, it matches. This SPF mechanism works irrespective of the fixed address. 

INCLUDE: Used to list other third-party domains authorized to send emails on your behalf. 

Modifiers

Modifiers play an essential role in determining how an SPF record works. These are name or value pairs separated by the ‘=’ symbol that share additional details. You can see them multiple times at the end of the SPF record. No attention is paid to any unrecognized modifiers.

The ‘redirect’ modifier points to other SPF records. It’s deployed when you own multiple domains and wish to apply the same SPF content across them. This modifier has to be used if a single entity controls all the domains, otherwise the ‘include’ modifier is used.

When the ‘-’ (fail) modifier appears on a matched mechanism, the ‘exp’ modifier is used to provide reasons. 

Qualifiers

Each mechanism can be combined with one of four qualifiers:

  • ‘+’  for a PASS result
  • ‘?’  for a NEUTRAL result interpreted like NONE policy.
  • ‘~’ for SOFTFAIL. Usually, messages that return a SOFTFAIL are accepted but tagged. 
  • ‘-’ for FAIL, the email is rejected.

Final Thoughts

Cyberactors don’t like SPF-protected domains, so they’re less likely to be blocklisted by spam filters. Use our EasySPF tool to take your email sending sources management to a whole new level. 

An SPF record allows recipient servers to verify whether the sending source is authorized. It then delivers the email to the ‘Inbox’ or ‘Spam’ folder.  

If you want to enhance email deliverability, boost trustworthiness, and mitigate phishing, spoofing, and spamming, you need to implement SPF, along with DKIM and DMARC. You can find out how to do it the easy way. Contact EasyDMARC today.

Profile image
EasyDMARC
Various authors from EasyDMARC teams have contributed to our blog during company's lifetime. This author brings everyone together.

Comments

guest
0 Comments
Inline Feedbacks
View all comments

succees We’re glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.

succees You’re already subscribed to EasyDMARC newsletter. Continue learning more about email security with us

In this article

Share article:

Domain Scanner

Check phishing vulnerabilities and possible issues with DMARC, SPF,DKIM, and BIMI records

More In SPF
Improve Email Deliverability SPF
5 Min Read

Get Your Emails Delivered In 2024

An Easy Guide To The New Google and Yahoo Requirements
Download Ebook
New Ebook