SPF records

How to properly generate an SPF record and understand its importance


Introduction to SPF

In today’s digital world, the security and reliability of email communications are more crucial than ever. Cybercriminals use various techniques to impersonate domains and send fraudulent emails, affecting companies’ reputations and customer trust. One of the most effective methods to prevent such abuses is the use of an SPF (Sender Policy Framework) record.

What Is an SPF Record?

The Sender Policy Framework (SPF) is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send emails on their behalf. By publishing an SPF record in your domain’s DNS zone, you provide a list of approved servers. Receiving servers can then check this record to confirm that the email comes from a legitimate source, reducing the risks of spam and phishing.

The Children’s Analogy: Understanding SPF Simply

To illustrate how SPF works, imagine a school. Each child wears a badge indicating their class and name. When a child enters the school, teachers can easily verify their identity thanks to this badge. If a stranger without a badge tries to enter, the teachers know they are not part of the school and can act accordingly.

In the same way, SPF acts like an identification badge for your emails. It indicates to receiving servers that the email indeed comes from a server authorized by the domain owner. If an email is sent without this “badge,” it may be marked as suspicious or rejected.

[Figure: SPF validation shown as a visual graph]

Where to Place Your SPF Record?

The SPF record is added in your domain’s DNS zone as a TXT record. This record contains the necessary information for mail servers to verify the authenticity of emails sent from your domain. It’s essential to place it correctly in your DNS for it to be effective.

Important Points Before Creating Your SPF Record

Before creating your SPF record, it’s crucial to gather certain information to ensure it’s complete and accurate.

Identify Your Email Sending Services

You need to identify all sources that are authorized to send emails using your domain name. Here are some examples, although there are many more:

  • Email marketing services: If you use services like CyberImpact, Mailchimp, or SendinBlue, you need to include them in your SPF record.
  • Third-party services: Services such as Microsoft Exchange, Gmail, or Zoho Mail send emails using their own servers and must also be included.
  • Your website’s servers: If your website sends emails (e.g., order confirmations, password resets), the IP address or hostname of the server must be added.

Know Your Web Hosting IP Address

In many cases, especially if you use control panels like cPanel, Plesk, or DirectAdmin, your web server’s IP address is used for sending emails. Often, it’s the server’s main address, and it’s important to include it in your SPF record so that emails sent from your website aren’t marked as spam.

Do Not Include Your ISP’s IP Address

It’s common to think that you need to add the IP address assigned to you by your Internet Service Provider (ISP) like Bell, Videotron, or others. However, unless you’re sending emails directly from a mail server hosted on your personal internet connection (which is rare and generally discouraged), it’s not necessary to include this IP address.

The Different Types of SPF Mechanisms and Their Order

An SPF record is composed of several mechanisms and modifiers that define the sources authorized to send emails for your domain and how to handle emails that do not match.

SPF Mechanisms

  • include: Pulls in the SPF record of another domain (typically a third-party sending service) and matches if that record would return Pass for the sender.
  • a: Authorizes the IPv4 address(es) found in the A record of your domain (or of the host named after the colon).
  • mx: Authorizes the IP addresses of your domain’s mail servers (MX records).
  • ip4 / ip6: Specifies an IP address or a block of addresses directly, in IPv4 or IPv6; no DNS lookup is needed.
  • exists: Matches when a given DNS name exists (usually a name built with a macro).
  • ptr: Checks whether the reverse DNS (PTR) of the sender’s IP address points back to your domain.
  • redirect: Applies the SPF policy of another domain in place of the current one (strictly a modifier, written redirect=domain).
  • all: Matches every IP address not matched by the preceding mechanisms.

Qualifiers (often called modifiers): +, -, ~, ?

  • + (Pass): The server is authorized to send emails (default if no sign is specified).
  • - (Fail): The server is not authorized, and emails must be rejected.
  • ~ (SoftFail): The server is probably not authorized; emails may be accepted but marked as suspicious.
  • ? (Neutral): No opinion is given on the server’s status; emails are accepted without judgment.

How SPF Mechanisms Are Evaluated

The mechanisms in an SPF record are evaluated from left to right, one at a time, until one matches the sender’s IP address or every mechanism has been checked. As soon as a mechanism matches, the result attached to its qualifier (Pass, Fail, SoftFail, Neutral) is returned and evaluation stops; the mechanisms after it are never looked at. If no mechanism matches and there is no redirect, the result is Neutral.

Consequences of the Order of Mechanisms

  • Specific mechanisms first: It’s recommended to place the most specific mechanisms at the beginning of the SPF record. This allows for quick identification of legitimate sources and reduces processing time.
  • Generic mechanisms next: More generic or global mechanisms, like include for third-party services, come after the specific mechanisms.
  • End with all: The all mechanism should always be placed last. Since it matches all IP addresses not previously specified, placing it earlier would prevent the evaluation of subsequent mechanisms.

Incorrectly Ordered SPF Record:

v=spf1 all include:mailchimp.com a -all

  • Here, the all mechanism sits at the beginning with no sign, so it is read as +all and matches every sender with a Pass. The mechanisms after it (include:mailchimp.com, a, -all) are never evaluated, which renders the SPF record ineffective.

Correctly Ordered SPF Record:

v=spf1 a include:mailchimp.com -all

  • Here, the specific mechanisms (a, include:mailchimp.com) are evaluated first, and the -all at the end ensures that mail from any other, unauthorized server is rejected.

Recommendations for the Order of SPF Mechanisms

  1. Start with mechanisms specific to your domain: Use ip4, ip6, a, mx to specify your own servers.
  2. Add include mechanisms for third-party services: Incorporate the servers of services you use for sending emails.
  3. Place generic mechanisms if necessary: Mechanisms like ptr or exists can be used but are less common.
  4. Always end with all with the appropriate modifier: This defines the default behaviour for all other unspecified IP addresses.
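To make the left-to-right, first-match-wins rule concrete, here is a small SPF evaluator added for this article (it is not code from the original post). It resolves names against a constructed in-memory table instead of real DNS, and it also counts the DNS-querying terms so the 10-lookup limit mentioned in the note near the end can be seen being hit; the zone data and the svcN.invalid names are invented for the example.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline (assumed values).
FAKE_DNS = {
    ("example.com", "A"): ["203.0.113.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("servers.mcsv.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, record, lookups):
    """Walk the record left to right; the first matching term decides."""
    ip = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        # No sign in front of a mechanism means the Pass qualifier.
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = term.lower().partition(":")
        if name in ("a", "mx", "include", "exists", "ptr"):
            lookups[0] += 1  # shared counter across nested includes
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # receivers ignore such a record
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in FAKE_DNS.get((arg or domain, "A"), [])
        elif name == "mx":
            hosts = FAKE_DNS.get((arg or domain, "MX"), [])
            matched = any(str(ip) in FAKE_DNS.get((h, "A"), []) for h in hosts)
        elif name == "include":  # simplification: missing target = no match
            sub = FAKE_DNS.get((arg, "TXT"), [""])[0]
            result = check_host(ip, arg, sub, lookups)
            if result == "permerror":
                return result
            matched = result == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no redirect


def evaluate(ip, domain, record):
    # Returns (SPF result, number of DNS-querying terms consumed).
    lookups = [0]
    return check_host(ip, domain, record, lookups), lookups[0]
```

Running evaluate("192.0.2.1", "example.com", "v=spf1 all include:servers.mcsv.net a -all") returns ("pass", 0) for an address that is nowhere in the zone, which is exactly why the misordered record is useless, while the correctly ordered record returns ("fail", 2) for the same address.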

SPF Macros: Understanding Their Role and Use

What Is an SPF Macro?

SPF macros are dynamic variables that allow you to insert contextual information into the mechanisms and modifiers of your SPF record. They offer additional flexibility to create more sophisticated SPF policies by using data such as the sender’s IP address, domain name, or email address.

Macro Variables

Here are the most common macro variables:

  • %{s}: The sender’s full email address (the “MAIL FROM”).
  • %{l}: The local part of the email address (before the @).
  • %{o}: The sender’s domain name (after the @).
  • %{d}: The domain name used in the SPF record (generally identical to %{o}).
  • %{i}: The sender’s IP address.
  • %{p}: The PTR domain name (reverse DNS) of the sender’s IP address.
  • %{h}: The HELO hostname provided by the sender.

These variables can be used with modifiers to extract specific parts or perform transformations.

Examples of Using SPF Macros

Example 1: Using %{i} for Custom Verification

v=spf1 exists:%{i}._spf.example.com -all

  • %{i} is replaced by the sender’s IP address.
  • The exists mechanism checks if a DNS record exists for <IP_address>._spf.example.com.
  • This can be useful if you have a dynamic list of authorized IP addresses and manage the corresponding DNS records.

Example 2: Verification Based on the Local Part of the Email Address

v=spf1 include:%{l}._mail.example.com -all

  • %{l} is replaced by the local part of the email address (e.g., “john” in “john@example.com”).
  • The include mechanism incorporates SPF policies specific to each user, which can be useful in environments where sending permissions vary by user.

Example 3: Advanced Use with the redirect Mechanism

v=spf1 redirect=%{d}.spf.example.net

  • %{d} is replaced by the domain name (e.g., “example.com”).
  • The redirect mechanism indicates that the SPF evaluation should continue using the SPF record of example.com.spf.example.net.
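The three expansions above, worked through by a macro expander added for this article (example code, not part of the original post). It goes a little beyond the page by also handling the digit and “r” transformers and the custom delimiters RFC 7208 allows, so you can see how a name such as %{ir}.%{v}._spf.%{d2} is built; the sender address, IPs and HELO name are constructed sample values.

```python
import ipaddress
import re

# One regex covers %%, %_, %- and %{letter digits r delimiters}.
MACRO_RE = re.compile(r"%(?:(%)|(_)|(-)|\{([slodivh])(\d*)(r?)([.\-+,/_=]*)\})")


def macro_values(sender, ip, domain, helo):
    """Build the macro table for one message (%{p} omitted: it needs a PTR query)."""
    addr = ipaddress.ip_address(ip)
    local, _, sender_domain = sender.partition("@")
    if addr.version == 6:  # RFC 7208: IPv6 expands to dot-separated nibbles
        ip_text = ".".join(addr.exploded.replace(":", ""))
    else:
        ip_text = str(addr)
    return {"s": sender, "l": local, "o": sender_domain, "d": domain,
            "i": ip_text, "v": "in-addr" if addr.version == 4 else "ip6",
            "h": helo}


def expand_macros(text, sender, ip, domain, helo="mail.invalid"):
    """Expand SPF macros in text; uppercase (URL-escaping) forms are not handled."""
    values = macro_values(sender, ip, domain, helo)

    def replace(m):
        pct, underscore, dash, letter, digits, reverse, delims = m.groups()
        if pct:
            return "%"
        if underscore:
            return " "
        if dash:
            return "%20"
        # Split on the given delimiters (default "."), then transform.
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:  # the "r" transformer reverses the label order
            parts.reverse()
        if digits:   # a number keeps only that many rightmost labels
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(replace, text)
```

For the page’s first example, expand_macros("%{i}._spf.example.com", "john@example.com", "192.0.2.5", "example.com") yields the name 192.0.2.5._spf.example.com that the exists mechanism would then look up.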

Precautions When Using Macros

  • Increased Complexity: Using macros makes your SPF record more complex, which can lead to maintenance and understanding difficulties.
  • Length Limits: DNS records have a maximum length. Macros can lengthen your SPF record and potentially exceed these limits.
  • Performance: Macros can increase the number of DNS queries needed to evaluate an email, which can affect performance and reach the limit of 10 DNS “lookups” imposed by the SPF protocol.
  • Security: Misusing macros can introduce vulnerabilities, allowing unauthorized senders to bypass your SPF policies.

Best Practices

  • Use Macros Sparingly: Reserve them for cases where they provide real added value.
  • Test Carefully: After implementing macros, use SPF validation tools to verify that your record works as intended.
  • Document Your Configuration: Clearly explain why and how you use macros to facilitate future maintenance.

Creating Your Own SPF Record: Concrete Examples

Let’s proceed to create your SPF record based on your specific needs.

Example 1: Sending from the Website and Mailchimp

If you send emails from your hosted website and use Mailchimp for your email marketing campaigns:

v=spf1 a include:servers.mcsv.net -all

Explanations:

  • a: Authorizes the IP address associated with your domain (your website).
  • include:servers.mcsv.net: Includes Mailchimp’s servers.
  • -all: Rejects all other unspecified servers.

Example 2: Using Microsoft Exchange and Your Website

If you use Microsoft Exchange Online for your professional email:

v=spf1 a include:spf.protection.outlook.com -all

Explanations:

  • a: Authorizes the IP address associated with your domain (your website).
  • include:spf.protection.outlook.com: Includes Microsoft’s Exchange servers.
  • -all: Rejects all other unspecified servers.

Example 3: Custom Domain with Gmail and a Contact Form on Your Website

If you use Google Workspace (formerly G Suite) for your domain:

v=spf1 a include:_spf.google.com -all

Explanations:

  • a: Authorizes the IP address associated with your domain (your website).
  • include:_spf.google.com: Includes Gmail’s servers.
  • -all: Rejects all other unspecified servers.

Example 4: Exclusive Sending from the Web Server

If you only send emails from your own web server without using third-party services:

v=spf1 a mx -all

Explanations:

  • a: Authorizes the IP address of your domain.
  • mx: Authorizes your mail servers.
  • -all: Rejects all other unspecified servers.

Example 5: Combination of Multiple Third-Party Services

If you use multiple services like Mailchimp and SendGrid, in addition to your website:

v=spf1 a include:servers.mcsv.net include:sendgrid.net -all

Explanations:

  • a: Authorizes the IP address associated with your domain (your website).
  • include:servers.mcsv.net: Includes Mailchimp’s servers.
  • include:sendgrid.net: Includes SendGrid’s servers.
  • -all: Rejects all other unspecified servers.

Example 6: No Emails Authorized for This Domain

If you have a domain that should not send emails, as is the case for aliases, you can block all sending:

v=spf1 -all

Explanations:

  • -all: Rejects all servers.

Important Note: It’s crucial not to exceed the maximum of 10 DNS “lookups” in your SPF record. Each include, a, mx, ptr and exists mechanism (and the redirect modifier) costs one DNS query, and the includes nested inside the services you include count toward the same total; ip4 and ip6 cost nothing. An SPF record that exceeds the limit produces a permanent error and is effectively ignored by receiving servers.

In Summary

The SPF record is a powerful tool to secure your email communications. By clearly specifying which servers are authorized to send emails on your behalf, you:

  • Reduce the risk of your emails being marked as spam.
  • Protect your domain against identity theft.
  • Improve the trust of your clients and partners.

It’s essential to understand the SPF mechanisms well and to create a record adapted to your situation. Don’t forget to update it if you add or remove email sending services.

Note: The SPF record is one of three records that help protect your email domain. Don’t forget to also check out our blog posts about the DMARC record and the DKIM record.

Need Help?

Configuring an SPF record may seem complex, but you’re not alone. Our technical support service is always available to assist you. Don’t hesitate to contact us with any questions or to get help in setting up your SPF record.


By securing your emails, you’re taking a significant step toward protecting your business and maintaining reliable communication with your clients. Take the time to properly configure your SPF record and enjoy better deliverability of your emails.

