SPF stands for Sender Policy Framework. It is a useful mechanism in the fight against spam and email spoofing: a domain owner publishes a record that tells other mail servers which mail servers are authorized to send email from the organization's domain name. It is, in a sense, the opposite of an MX resource record: an MX record tells other mail servers where to send email addressed to a particular domain name, while an SPF record tells SPF-aware receiving mail servers which servers may send email claiming to be from that domain name.

An SPF record is not a separate DNS resource record type; it is a TXT resource record with a specific format (a dedicated SPF record type once existed but was deprecated by RFC 7208, and TXT is what receivers check). An example is below:

gopalthorve.com.  IN  TXT   "v=spf1 +a:mail.gopalthorve.com +a:mail2.gopalthorve.com -all"

Here, the tag "v=spf1" at the beginning of the record data identifies this TXT record as an SPF record. The next two fields specify that mail from gopalthorve.com may come from any of the IP addresses of the hosts mail.gopalthorve.com or mail2.gopalthorve.com. The leading plus signs are qualifiers and indicate that email from these hosts' IP addresses should be accepted (pass).

SPF Qualifiers

+

Pass. A mailer that matches is a valid sender.

-

Fail. A mailer that matches is not a valid sender; the receiver may reject the message.

~

SoftFail. A mailer that matches is probably not a valid sender, but the receiver should accept the message and mark or scrutinize it rather than reject it outright.

?

Neutral. Makes no assertion either way; the result is treated as if no policy had been published.

The default qualifier is + (pass) and can be omitted. The final field, -all, tells receiving mail servers that every other sender of gopalthorve.com email fails the check. Mechanisms are evaluated left to right and the first one that matches decides the result, so -all must come last.

To authorize every host listed in the domain's MX records, the SPF record can be shortened as below:

gopalthorve.com. IN TXT "v=spf1 +mx -all"

To authorize every host in the domain's MX records as well as the address in the domain's own A record, write the SPF record as below:

gopalthorve.com. IN TXT "v=spf1 +a +mx -all"

Common mechanisms used in an SPF TXT record:

a

Matches if the sending IP is one of the addresses (A or AAAA) of the named domain; with no argument (plain a), the domain whose SPF record is being evaluated is used. An optional CIDR length (a:mail.example.com/24) widens the match to the surrounding network.

mx

Matches if the sending IP is an address of any host listed in the domain's MX records (the domain being evaluated when no argument is given).

ip4

Matches a specific IPv4 address of a mail server, or a network in CIDR notation (e.g. ip4:10.0.0.0/24). This mechanism needs no DNS lookup, which matters because RFC 7208 limits a record to 10 lookup-causing terms (a, mx, ptr, include, exists, redirect); records that exceed the limit evaluate to permerror.

ip6

Matches a specific IPv6 address of a mail server, or a network in CIDR notation (e.g. ip6:2001:db8::/32).

ptr

Matches if a reverse (PTR) lookup of the sending IP yields a hostname under the given domain that resolves back to that IP. It is slow and unreliable, and RFC 7208 says it should not be used; prefer a, mx, ip4 or ip6.

How does SPF reduce spam and spoofing?

Let us take an example of how publishing an SPF record reduces spam and spoofing that claims to come from your domain name.

The SPF record of gopalthorve.com is:

gopalthorve.com. IN TXT "v=spf1 +a +mx -all"

The A record of gopalthorve.com is:

gopalthorve.com. IN A   173.248.140.180

The MX record of gopalthorve.com, and the A record of the host it names, are:

mail.gopalthorve.com. IN  A       173.248.140.173
gopalthorve.com.      IN  MX  10  mail.gopalthorve.com.

Here, the SPF record of gopalthorve.com tells SPF-aware receiving mail servers to accept email from gopalthorve.com addresses only if it originates from the address in the domain's A record or from a host in its MX records, i.e. only from 173.248.140.180 or 173.248.140.173. If email claiming to be from gopalthorve.com arrives from any other IP address, the check yields fail (because of -all) and a receiving server that enforces SPF will reject the message with an SMTP error (typically a 550 response). Two caveats a deployer should keep in mind: SPF is evaluated against the envelope sender (the SMTP MAIL FROM / Return-Path) and the HELO name, not the From: header the recipient sees, so it does not by itself stop header spoofing; DMARC builds on SPF (and DKIM) to close that gap. And legitimate mail that is forwarded by a third party arrives from the forwarder's IP and fails SPF, which is why many receivers treat a fail as one signal among several rather than an automatic rejection.
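To make the evaluation above concrete, and to show the qualifier and mechanism rules from the earlier sections in action, here is a small SPF checker that parses a record and tests a sending IP against it. It is an added example written for this page, not code from the original post or from any SPF library. It runs against a constructed in-memory DNS table instead of real DNS: the gopalthorve.com entries mirror the records quoted above, while softfail.example, v6.example and the address 203.0.113.7 are made up for the demonstration. Only the mechanisms this page covers (a, mx, ip4, ip6, all) are implemented; include, exists, redirect and the deprecated ptr are reported as permerror.

```python
import ipaddress

# Constructed DNS data standing in for live lookups. These are NOT real
# records: the gopalthorve.com entries copy the page's example, the rest
# (softfail.example, v6.example, 203.0.113.7) are invented for the demo.
DNS = {
    "gopalthorve.com.": {
        "TXT": ["v=spf1 +a +mx -all", "some-unrelated-verification-token"],
        "A": ["173.248.140.180"],
        "MX": [(10, "mail.gopalthorve.com.")],
    },
    "mail.gopalthorve.com.": {"A": ["173.248.140.173"]},
    "mail2.gopalthorve.com.": {"A": ["203.0.113.7"]},
    "softfail.example.": {"TXT": ["v=spf1 a:mail2.gopalthorve.com ~all"]},
    "v6.example.": {"TXT": ["v=spf1 ip6:2001:db8::/32 ip4:192.0.2.0/24 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "include", "exists"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


def lookup(name, rtype):
    """Return the constructed DNS data for name/rtype (empty list if absent)."""
    if not name.endswith("."):
        name += "."
    return DNS.get(name, {}).get(rtype, [])


def split_term(term):
    """Split one directive into (qualifier, mechanism, argument, prefix length)."""
    qualifier = "+"  # the default qualifier is + (pass)
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    mech, _, arg = term.partition(":")  # first colon only: ip6 args contain colons
    prefix = None
    if "/" in arg:              # ip4:10.0.0.0/24  or  a:host/24
        arg, prefix = arg.split("/", 1)
    elif "/" in mech:           # a/24 (no explicit domain)
        mech, prefix = mech.split("/", 1)
    return qualifier, mech.lower(), arg, prefix


def ip_matches(ip, addr, prefix):
    """True if ip equals addr, or lies in addr/prefix when a prefix is given."""
    addr = ipaddress.ip_address(addr)
    if addr.version != ip.version:
        return False
    if prefix is None:
        return ip == addr
    return ip in ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def check_spf(domain, sender_ip):
    """Evaluate domain's SPF record for sender_ip.

    Returns pass / fail / softfail / neutral / none / permerror. Mechanisms
    are tried left to right; the first match decides via its qualifier."""
    ip = ipaddress.ip_address(sender_ip)
    rtype = "AAAA" if ip.version == 6 else "A"
    records = [t for t in lookup(domain, "TXT")
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(records) != 1:       # no record -> none; several records -> permerror
        return "permerror" if records else "none"
    lookups = 0
    for term in records[0].split()[1:]:
        qualifier, mech, arg, prefix = split_term(term)
        if mech in LOOKUP_MECHANISMS:
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg if prefix is None else f"{arg}/{prefix}",
                                       strict=False)
            matched = net.version == ip.version and ip in net
        elif mech == "a":
            target = arg or domain
            matched = any(ip_matches(ip, a, prefix) for a in lookup(target, rtype))
        elif mech == "mx":
            target = arg or domain
            matched = any(ip_matches(ip, a, prefix)
                          for _, host in lookup(target, "MX")
                          for a in lookup(host, rtype))
        else:
            return "permerror"  # include/exists/redirect/ptr and unknown mechanisms
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"            # no mechanism matched and no all term was present


if __name__ == "__main__":
    for ip in ("173.248.140.180", "173.248.140.173", "198.51.100.9"):
        print(ip, "->", check_spf("gopalthorve.com", ip))
```

Running it reproduces the walkthrough above: the A address and the MX host's address pass, and any other address hits -all and fails. Swapping the record for the softfail.example one shows how ~all changes the verdict for the same unknown address; the v6.example record shows an ip6 term being skipped for an IPv4 sender and the first matching ip4 network deciding the result.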
