Email deliverability is a complicated process when approached from a technical standpoint. As the internet has grown over the last two decades, spam email has increased sharply as more people gain access to more and more resources. To combat the sending of malicious or spam email, the global DNS infrastructure has adopted special techniques and strategies that help senders and receivers verify that the party sending a message is indeed who they say they are.
According to DMARC Analyzer:
“An SPF record (Sender Policy Framework record) is the core of an SPF implementation in which the SPF policy is defined. An SPF record is published in the DNS (Domain Name Service) and it contains a list of authorized email servers which can send email on behalf of your domain name. If an email sender isn’t listed in the record section and does send email on behalf of your domain this email may be considered as not legitimate and can be rejected by the email receiver.”
SPF records are only one part of the multi-step process of identifying senders on the internet. When used in combination with DMARC and DKIM records, they can provide adequate protection against most known email threats. There is more you can do, but this article is kept simple for educational purposes.
How To Decipher an SPF Record
Let’s take a look at this SPF record and utilize it for the purposes of explaining the next part.
v=spf1 a:mail.microsoft.com mx:mail.microsoft.com ip4:10.0.0.1 include:micro.soft -all
(1) v=spf1  (2) a:mail.microsoft.com  (3) mx:mail.microsoft.com  (4) ip4:10.0.0.1  (5) include:micro.soft  (6) -all
SPF records are published in DNS as a TXT record. Within that single line of text, several parts tell receiving servers what your sending policy is. Each part of the record above is denoted by a number, and we review each piece below.
1 | Version
This part identifies the record as an SPF record. Every SPF record MUST start with it. Microsoft once created a second version of SPF, but it was discontinued.
v=spf1
Mechanisms
There are several different ‘options’, or mechanisms, that control what you tell other servers about your email preferences.
2 | a:
Define the address in the DNS A record of the current (or specified) domain as a valid sending source.
a:mail.microsoft.com
3 | mx:
Define the mail servers in the DNS MX record of the current (or specified) domain as valid sending sources.
mx:mail.microsoft.com
4 | ip4:
Define this IPv4 address (or address range) as a valid sending source.
ip4:10.0.0.1
5 | include:
Include the SPF record of the named domain, so that every source it authorizes is also a valid sending source for your domain.
include:micro.soft
6 | -all / ~all / all
You can define a policy for ‘all other sources’ using the ‘all’ mechanism. Place it at the end of your SPF record, where it provides the ‘default’ for any source not matched earlier. Use a qualifier to define the policy you want to apply: ‘-’ for fail, ‘~’ for softfail, ‘?’ for neutral and ‘+’ for pass, which is also the default when no qualifier is written.
-all
Limitations
A few things to note about SPF records: a receiver will perform at most 10 DNS lookups while evaluating your record, and the mechanisms that trigger a lookup (include, a, mx, ptr, exists and the redirect modifier) all count toward that limit, while ip4 and ip6 do not. Additionally, publish only one SPF record per domain or subdomain, so that receiving servers read a single, unambiguous policy.
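As an added example (not code from the original article), here is a small Python auditor that parses a record like the one above into qualifier, mechanism and argument, counts the terms that cost a DNS lookup against the limit of ten, and checks that a domain publishes exactly one record ending in an ‘all’ policy. The set of lookup-causing terms follows RFC 7208; the sample records in the test are constructed.

```python
import re
from collections import namedtuple
# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10 per evaluation);
# ip4, ip6 and all are evaluated without any lookup, so they never count.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MODIFIER_RE = re.compile(r"^([a-z][a-z0-9_.-]*)=(.*)$", re.I)   # e.g. redirect=example.net
MECHANISM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(.*)$", re.I)  # e.g. -all, a:host, ip4:10.0.0.1
Term = namedtuple("Term", "qualifier name argument is_modifier")

def is_spf(record: str) -> bool:
    return record.lower().split()[:1] == ["v=spf1"]   # version tag is compared case-insensitively

def select_spf_record(txt_records: list) -> str:
    """A domain must publish exactly one SPF record; zero or several is a permerror."""
    spf = [r for r in txt_records if is_spf(r)]
    if len(spf) != 1:
        raise ValueError(f"expected exactly one v=spf1 record, found {len(spf)}")
    return spf[0]

def parse_spf(record: str) -> list:
    """Split one SPF record into Term(qualifier, name, argument, is_modifier) entries."""
    if not is_spf(record):
        raise ValueError("record must start with v=spf1")
    terms = []
    for tok in record.split()[1:]:
        if m := MODIFIER_RE.match(tok):           # name=value modifiers take no qualifier
            terms.append(Term("+", m[1].lower(), m[2], True))
        elif m := MECHANISM_RE.match(tok):        # a missing qualifier means "+" (pass)
            terms.append(Term(m[1] or "+", m[2].lower(), m[3].lstrip(":"), False))
        else:
            raise ValueError(f"unparseable term: {tok!r}")
    return terms

def audit_spf(record: str) -> dict:
    """Count lookup-causing terms, derive the policy for unlisted senders, flag mistakes."""
    terms = parse_spf(record)
    lookups = sum(t.name in LOOKUP_TERMS for t in terms)
    problems = []
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10 (receivers return permerror)")
    last = terms[-1] if terms else None
    if last is None or last.is_modifier or last.name != "all":
        problems.append("no trailing 'all': unlisted senders are neutral unless a redirect= applies")
        policy = "neutral"
    else:
        policy = QUALIFIERS[last.qualifier]
        if policy == "pass":
            problems.append("'+all' authorizes every sender on the internet")
    return {"lookups": lookups, "default_policy": policy, "problems": problems}
```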