What are SPF (Sender Policy Framework) records for emails?

    by Irina Podorvan
    25.01.2023


    The Internet was designed as a closed military network. Over time the network became open and its design miscalculations surfaced, resulting in DoS attacks, DNS name spoofing, worms, spam and much more. These are all still realities of today's Internet. The Sender Policy Framework is just one of the attempts to fix the situation, so if you use email you should understand that modern SPF is mostly about protecting email recipients from spam.

    How does SPF record work?

    What are SPF records? An SPF (Sender Policy Framework) record is a DNS record containing a list of trusted servers from which mail for a given domain name may be sent, together with instructions on how to handle messages sent from other servers. Correctly configuring SPF reduces the likelihood of scammers sending spam on your behalf.

    SPF is an extension to the protocol for sending email over SMTP. Using SPF, a domain owner can specify the list of servers that are allowed to send mail messages with a sender address in that domain. At an early stage of its development, SPF simply was not suited to permitting bulk mailings.

    What does an SPF record look like?

    What does an SPF record look like? SPF records cannot be over 255 characters in length and cannot include more than ten "include" statements, also known as "lookups". Here's an example of what your record might look like:

    v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:thirdparty.com -all

    Everything is not as simple as it seems at first glance. There are a few things to keep in mind. Most importantly, defining an SPF record means taking part in a collective system: for it to work efficiently, both the sender's and the recipient's mail systems must use it. And the more such systems there are, the more likely it is that spammer messages sent supposedly from your domain will be filtered out.

    Why are SPF records important?

    How do SPF records work? An SPF check gives some probability that the sender's address has not been spoofed, which can then be taken into account in anti-spam filter rules. Of course, it costs a spammer nothing to create his own domain from which messages can be sent from any address, but this requires additional capital investment, time, and some degree of legalization. This can make life difficult for a spammer, especially given the tightening of legislation against spam. In addition, today the lion's share of spam comes from hacked computers with fake return addresses, and SPF is precisely aimed at identifying such mail.

    Thus, Sender Policy Framework (SPF) technology helps protect your domain from spoofing and prevents emails sent from your organization from ending up in the Spam folder. SPF defines the mail servers authorized to send mail on behalf of a domain. Mail servers that accept emails from your domain can use SPF to verify that they were sent from servers you allow.

    If SPF is not used, receiving systems are more likely to mark emails from an organization or domain as spam.

    How to know if an SPF email record is used in your emails?

    For example, if both the recipient and the sender see a header like this:

    Received-SPF: pass (google.com: domain of vasja@gmail.com designates 199.099.099.099 as permitted sender)

    This indicates that both use SPF. Analyzing the spam in several of my mailboxes over several months, I noticed that on sites using SPF you never see a message sent from addresses like gmail.com and others that support SPF. Where this technology is not used, you can find messages from any address.

    At the same time, numerous other filtering methods have been developed: statistical analysis of message content (here the most popular solutions are based on Bayes' theorem), systems that detect signs of bulk mailing, and various kinds of colour lists: DNS Block Lists (DNSBL), grey lists, white lists, and so on.

    The main specification describing these methods and the experience behind them is RFC 4408, alongside other publicly available protocol documents.

    For example, the Sender Policy Framework (SPF) is an open standard defined in RFC 4408, "Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1" (SPFv1), published in April 2006. RFC 4408 also defines the possible outcomes of checking the legitimacy of a sender address during an SMTP transaction, and much more.

    Why should you add an SPF record to your domain?

    In a sense, SPF technology is a mirror image of DNSBL. The task of the latter is to discredit the sender of a message: all spam addresses (or those suspected of spamming) are entered into a database, and if a message is sent from an address in that database, it is rejected. The problem is that it is impossible to trace every spammer's address, and there are known cases where legitimate senders ended up on block lists.

    What is a DNS SPF record here? SPF does not try to track down spammers; on the contrary, the resources permitted by this technology can be thought of as a kind of white list. Therefore SPF can be viewed not as an attempt to "discredit" the sender but rather as a statement that the sender is legitimate and, from the domain administrator's point of view, has full right to send electronic messages. If a client's server is hacked and spam is sent from it for some time, then getting the address removed from a black list is an order of magnitude harder than permitting mail to be sent using SPF.

    How to create an SPF record?


    To check the legitimacy of a sender, the SPF system requires three parameters: the HELO identity, the MAIL FROM address, and the connecting IP address. The key components of such a system are the presence of an SPF record and support for the extension on the mail server. Let's first look at what a domain administrator must do in order to support SPF. Enabling SPF in DNS is very simple: the record is a plain string in the DNS zone containing directives. For example, in the zone file format of BIND and compatible servers, the policy description would look like this:

    example.com. IN TXT "v=spf1 +mx ip4:192.168.0.0/24 a:mail.example.com -all"

    that is:

    • the SPFv1 protocol is supported – v=spf1;
    • mail from the example.com domain may come from addresses in the 192.168.0.0/24 network, from the server mail.example.com, and from the MX servers of this domain (+mx); all others (all) receive a Fail ("-") and will not pass the check.

    A dedicated record type, SPF, was also proposed. The policy in it looks the same:

    example.com. IN SPF "v=spf1 +mx ip4:192.168.0.0/24 a:mail.example.com -all"

    For compatibility, though, the RFC recommends publishing both of these record types at the same time.

    As can be seen from the example, the owner's relationship to a particular address is indicated using the qualifiers mentioned above. The Pass ("+") qualifier is the default and can be omitted when writing, although it is better to include it for clarity. If the domain owner has listed the resources known to him but does not want to set explicit terms for all the others, then "~all" or "?all" can be used in the rule above instead of the explicit prohibition "-all". This is simply a way of creating a "white" list using SPF. Note that everything specified after "all" will not be evaluated, so "all" should be the last term in the record.

    Another kind of mechanism, the designated-sender mechanisms, allows a policy to specify the range of sender addresses for messages. Several options are possible:

    • a (a[:hostname/CIDR]) – all IP addresses of the host hostname;
    • mx (mx[:domain/CIDR]) – all IP addresses of the MX servers of the domain; if there is only one MX record in the domain, it is recommended to specify it explicitly, that is, through "a"; it is not recommended to perform more than 10 DNS lookups during one check;
    • ptr (ptr[:domain]) – IP addresses whose PTR records point to the domain; as with MX, it is not recommended to exceed 10 lookups;
    • ip4/ip6 (ip4:ip4-network/CIDR) – an IPv4 or IPv6 network range; it is not allowed to omit parts of the address, as in 192.168.0.; the default CIDR is /32 (IPv4) and /128 (IPv6);
    • exists – a very useful feature, but one that can also cause a PermError. It allows the administrator to define permissions using complex DNS queries; how to compose macros correctly is described in section 8 of RFC 4408.
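    The qualifiers and mechanisms described above can be seen in action in this simplified evaluator, added here as an example and not code from the original article: it parses the example.com record from the zone file example, applies the a, mx, ip4/ip6 and all mechanisms, stops at the first match, and enforces the ten-lookup limit. DNS is replaced by an invented in-memory zone so it runs offline; ptr, exists, include and macros are left out.

```python
import ipaddress

# Constructed stand-in for DNS so this runs offline (assumption: zone data is invented here).
ZONE = {
    "txt": {"example.com": "v=spf1 +mx ip4:192.168.0.0/24 a:mail.example.com -all"},
    "mx":  {"example.com": ["mx1.example.com"]},
    "a":   {"mail.example.com": ["203.0.113.10"], "mx1.example.com": ["203.0.113.20"]},
}
RESULT = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
MAX_LOOKUPS = 10  # limit on DNS-querying mechanisms (a, mx, ptr, exists, include)

def parse_term(term):
    """Split a term such as '-all' or 'ip4:192.168.0.0/24' into (qualifier, mechanism, argument)."""
    qualifier = "+"                          # Pass ("+") is the default qualifier
    if term[0] in RESULT:
        qualifier, term = term[0], term[1:]
    mech, _, arg = term.partition(":")
    return qualifier, mech.lower(), arg

def ip_in_hosts(ip, names, zone):
    """True if ip equals an A record of any of the names (no CIDR suffix support here)."""
    return any(ip == ipaddress.ip_address(a) for n in names for a in zone["a"].get(n, []))

def check_spf(client_ip, domain, zone=ZONE):
    """Evaluate domain's SPF record for the connecting IP (a, mx, ip4/ip6 and all only)."""
    record = zone["txt"].get(domain, "")
    if not record.startswith("v=spf1"):
        return "None"                        # no policy published for this domain
    ip, lookups = ipaddress.ip_address(client_ip), 0
    for term in record.split()[1:]:
        qualifier, mech, arg = parse_term(term)
        if mech in ("a", "mx", "ptr", "exists", "include"):
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "PermError"           # more than ten lookups, as the text warns
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "PermError"           # e.g. a truncated address like 192.168.0.
        elif mech == "a":
            matched = ip_in_hosts(ip, [arg or domain], zone)
        elif mech == "mx":
            matched = ip_in_hosts(ip, zone["mx"].get(arg or domain, []), zone)
        else:
            return "PermError"               # ptr, exists and include are not implemented here
        if matched:
            return RESULT[qualifier]         # first match decides; later terms are ignored
    return "Neutral"                         # record exhausted without a match
```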

    If the number of mail servers involved is small, then when compiling an SPF record you can use alternative resources like our tools. This is done simply: enter the domain and click "Begin"; the DNS server's response will be analysed and you will be asked to fill in the remaining fields.

    Final thoughts

    One of the problems with SPF is message forwarding: when a message is forwarded, one of the mail domains along the way will not be listed as a permitted sender. Such cases are not rare, since forwarding is commonly used to collect messages in one mailbox. That's why it's essential to understand how SPF works for email.

    If the whole process occurs within the organization, this problem can be solved by disabling SPF checking on all servers except the inbound one, and by adding the backup mail servers to the SPF lists.

    With external correspondents, the situation is not so simple. Most of the solutions proposed today (rewriting the sender, passing along additional information about the real sender, and others) involve software modification. Although it can also be handled by fine-tuning SPF policies with the existing mechanism, on the condition that messages received directly are trusted more and forwarded ones less.

    Based on the above, SPF technology should by no means be called a universal anti-spam tool; it is effective only when used in conjunction with other useful solutions.

    Though spam is hard to beat, a combination of legal and technical methods is likely to give the best result. From a legal point of view, spam is outlawed in most countries. Technically, the ability to identify a sender using SPF or similar solutions will not eliminate spam, but it can stop a significant part of it. There is only one problem: today only a tiny part of domains publish SPF records, or they end with a rule like ~all. It's up to you to choose which option to set. Good luck!
