Setting up SPF
How does SPF (Sender Policy Framework) work?
With SPF, you publish in the Domain Name System (DNS) of your domain the IP addresses of all Mail Transfer Agents (MTAs), i.e. the mail servers, that are authorised to send email on behalf of your domain. To do this, you create a so-called SPF record in the corresponding DNS zone. Technically this is a TXT record whose syntax is specified precisely in RFC 7208.
The receiving server reads the domain from the 'MAIL FROM' address of the SMTP envelope and issues a DNS query to determine whether an SPF record exists for that domain. If so, it evaluates the record and compares the IP address of the connecting MTA with the addresses the record permits. If the IP address of the delivering MTA is not covered by the domain's SPF record, that MTA is not authorised to send email on behalf of the domain; how the receiver then treats the message depends on the qualifier of the term that matched (see Qualifiers below). RFC 7208 also allows the same check against the HELO/EHLO host name, which matters when MAIL FROM is empty, as it is for bounce messages.
What does an SPF entry look like?
An SPF record is a single TXT record, not a file. Every SPF record begins with the version tag; the current specification is v=spf1. The terms that follow are evaluated from left to right, and the first mechanism that matches the sender's IP address decides the result. Most of these terms are so-called directives: a mechanism, optionally preceded by a qualifier, that states whether a sender matched by the mechanism is authorised to send the email.
Qualifiers
Qualifiers define authorised and unauthorised senders and describe how the receiving server should treat the email when the mechanism they precede matches.

| Qualifier | Code | Description |
|---|---|---|
| + | Pass | Sender is authorised (the default when no qualifier is given); the email is accepted. |
| - | Fail | Sender is not authorised; the email is rejected. |
| ~ | SoftFail | Sender is not authorised, but the email is accepted and flagged as suspicious (usually treated as spam). |
| ? | Neutral | No statement about the sender; the email is treated as if no SPF record existed (usually accepted). |
Mechanisms
A mechanism either matches the IP address of the sender or it does not. Here is an overview of the most common mechanisms (redirect is strictly a modifier rather than a mechanism, but it is listed here because it also designates authorised senders):

| Mechanism | When does the directive apply? |
|---|---|
| all | Always. It is placed last to catch every sender not matched by a preceding term. |
| a | If an A (or AAAA) record of the queried (or explicitly specified) domain contains the IP address of the sender. |
| mx | If one of the hosts listed in the MX records of the queried (or explicitly specified) domain resolves to the IP address of the sender. |
| ip4 | If the specified IPv4 address is the address of the sender or the specified IPv4 subnet (CIDR notation) contains it. |
| ip6 | If the specified IPv6 address is the address of the sender or the specified IPv6 subnet contains it. |
| include | If a further SPF check for the domain given in the include statement returns Pass for the IP address of the sender. Any other result (Fail, SoftFail, Neutral) simply means no match. |
| redirect | Modifier, written redirect=domain: if no mechanism in the record matched, the SPF record of the specified domain is evaluated in place of the current one. |

The a, mx, include and redirect terms each require a DNS lookup during evaluation. RFC 7208 limits a record, including everything pulled in via include and redirect, to 10 such lookups; beyond that the check ends with a permanent error (PermError), and many receivers then treat the message as if the domain had no usable SPF record at all.
Example of an SPF entry
v=spf1 +mx:example.com +ip4:80.66.20.18 +ip4:80.82.206.0/26 include:spf.protection.outlook.com +a:vwp15685.webpack.example.com +ip4:193.37.132.2 +ip4:193.37.132.101 include:customers.clickdimensions.com -all
In this example, various mechanisms are used to authorise IP addresses for sending:
mx: the hosts listed in the MX records of example.com are allowed to send emails.
ip4: the IP addresses and subnets explicitly named here may send emails.
a: the server behind the specified host name (here the web host) is authorised to send emails.
include: the SPF records of the two additional domains are evaluated as well.
-all: all IP addresses not covered by the preceding terms are NOT allowed to send!
Two things are worth checking in a record like this. The + qualifiers are redundant, since Pass is the default and omitting them makes the record shorter. And the lookup budget: mx, a and the two include statements already use four of the ten permitted DNS lookups before any include nested inside spf.protection.outlook.com or customers.clickdimensions.com is followed, so adding further include terms can silently push the record into PermError.
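To make the evaluation rules above concrete, here is an added example in Python (not code from the original page or from any SPF library): a minimal check_host() that parses an SPF record and evaluates a sender IP against it, applying left-to-right first-match semantics, the qualifiers, the mechanisms from the table, the redirect modifier and the 10-lookup limit. It uses a constructed in-memory DNS table instead of real DNS queries; every domain name and address in it is made up for the example, and the records it contains are not the record shown above. The names FAKE_DNS, Resolver, check_host and spf_result are this example's own.

```python
import ipaddress

# Constructed in-memory stand-in for DNS so the example runs offline. All names
# and addresses are made up (RFC 2606 / RFC 5737 reserved names and ranges).
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.10"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:203.0.113.0/26 ~all"],
    ("legacy.example", "TXT"): ["v=spf1 redirect=example.com"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],  # includes itself
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 4.6.4: a, mx, include, redirect count; ip4, ip6, all do not
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SPFError(Exception):
    """Permanent error: bad syntax, unknown mechanism, lookup limit exceeded, broken include."""


class Resolver:
    """Wraps the DNS table and counts DNS-querying terms across includes and redirects."""

    def __init__(self, dns):
        self.dns, self.lookups = dns, 0

    def query(self, name, rtype, counted=True):
        if counted:
            self.lookups += 1
            if self.lookups > MAX_DNS_LOOKUPS:
                raise SPFError("more than %d DNS-querying terms" % MAX_DNS_LOOKUPS)
        return self.dns.get((name.lower(), rtype), [])


def spf_record(resolver, domain, counted):
    """Return the domain's v=spf1 TXT record, None if there is none, error if several."""
    found = [t for t in resolver.query(domain, "TXT", counted)
             if t == "v=spf1" or t.startswith("v=spf1 ")]
    if len(found) > 1:
        raise SPFError("multiple SPF records for " + domain)
    return found[0] if found else None


def mechanism_matches(resolver, ip, domain, name, arg):
    """True if one mechanism matches the sender IP; mirrors the mechanism table above."""
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        net = ipaddress.ip_network(arg, strict=False)
        return ip.version == net.version and ip in net
    if name in ("a", "mx"):
        target, _, prefix = (arg or domain).partition("/")
        rtype = "A" if ip.version == 4 else "AAAA"
        if name == "a":
            addrs = resolver.query(target, rtype)
        else:  # A/AAAA lookups behind each MX host have their own RFC limit; not counted here
            addrs = [a for h in resolver.query(target, "MX")
                     for a in resolver.query(h, rtype, counted=False)]
        width = prefix or ip.max_prefixlen
        return any(ip in ipaddress.ip_network(f"{a}/{width}", strict=False) for a in addrs)
    if name == "include":
        result = check_host(ip, arg, resolver, counted=True)
        if result in ("none", "permerror"):
            raise SPFError("include:%s yielded %s" % (arg, result))
        return result == "pass"  # only Pass is a match; Fail/SoftFail/Neutral mean no match
    raise SPFError("unknown mechanism " + name)


def check_host(ip, domain, resolver, counted=False):
    """RFC 7208 check_host(): evaluate terms left to right; the first matching mechanism decides."""
    record = spf_record(resolver, domain, counted)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        if "=" in term.split(":", 1)[0]:  # modifier such as redirect= or exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue  # unknown modifiers are ignored
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # '+' (Pass) is the default
        body = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = body.partition(":")
        if "/" in name:  # 'a/24' or 'mx/24': prefix length without an explicit domain
            name, _, prefix = name.partition("/")
            arg = domain + "/" + prefix
        if mechanism_matches(resolver, ip, domain, name.lower(), arg):
            return QUALIFIERS[qualifier]
    if redirect:  # only reached when no mechanism matched
        result = check_host(ip, redirect, resolver, counted=True)
        return "permerror" if result == "none" else result
    return "neutral"


def spf_result(sender_ip, mail_from_domain, dns=FAKE_DNS):
    """What a receiving MTA would call with the connecting IP and the MAIL FROM domain."""
    try:
        return check_host(ipaddress.ip_address(sender_ip), mail_from_domain, Resolver(dns))
    except (SPFError, ValueError):
        return "permerror"


if __name__ == "__main__":
    for ip, dom in [("198.51.100.10", "example.com"), ("203.0.113.99", "example.com"),
                    ("192.0.2.1", "legacy.example"), ("192.0.2.1", "loop.example")]:
        print(f"{ip:>15}  {dom:<16} -> {spf_result(ip, dom)}")
```

Running the block shows the behaviour the tables describe: the MX host and the ip4 subnet pass, an address outside the included domain's range falls through to -all and fails, a redirect-only record inherits the target's result, and the self-including record hits the lookup limit and returns permerror rather than looping forever. The Resolver counter is shared across the whole recursion, which is exactly why nested includes in a real record eat into the same budget of ten.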
See also
Sender reputation and email security - Part 2: Sender Policy Framework (SPF) (blog article)