Introduction to SPF
In today’s digital world, the security and reliability of email communications are more crucial than ever. Cybercriminals use various techniques to impersonate domains and send fraudulent emails, affecting companies’ reputations and customer trust. One of the most effective methods to prevent such abuses is the use of an SPF (Sender Policy Framework) record.
What Is an SPF Record?
The Sender Policy Framework (SPF) is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send emails on their behalf. By publishing an SPF record in your domain’s DNS zone, you provide a list of approved servers. A receiving server looks up this record and compares the IP address of the server that is delivering the message with that list, which lets it confirm that the email comes from a legitimate source and reduces the risk of spam and phishing. Keep in mind that SPF checks the envelope sender (the “MAIL FROM” address, also called the Return-Path), not the From: address displayed in the mail client; tying the two together is the job of DMARC.
The Children’s Analogy: Understanding SPF Simply
To illustrate how SPF works, imagine a school. Each child wears a badge indicating their class and name. When a child enters the school, teachers can easily verify their identity thanks to this badge. If a stranger without a badge tries to enter, the teachers know they are not part of the school and can act accordingly.
In the same way, SPF acts like an identification badge for your emails. It indicates to receiving servers that the email indeed comes from a server authorized by the domain owner. If an email is sent without this “badge,” it may be marked as suspicious or rejected.
Where to Place Your SPF Record?
The SPF record is added in your domain’s DNS zone as a TXT record (the dedicated SPF record type that existed for a while is obsolete and ignored by receivers). This record contains the information mail servers need to verify the authenticity of emails sent from your domain. It’s essential to place it at the right name: on the domain itself for mail sent as user@example.com, or on the subdomain if you send as user@news.example.com. A domain must publish exactly one SPF record: if a receiver finds two or more TXT records beginning with v=spf1, the result is a permanent error and none of your policy is applied. Once published, you can confirm what the world sees with a query such as dig +short TXT example.com.
Important Points Before Creating Your SPF Record
Before creating your SPF record, it’s crucial to gather certain information to ensure it’s complete and accurate.
Identify Your Email Sending Services
You need to identify all sources that are authorized to send emails using your domain name. Here are some examples, although there are many more:
- Email marketing services: If you use services like CyberImpact, Mailchimp, or SendinBlue, you need to include them in your SPF record.
- Third-party services: Services such as Microsoft Exchange, Gmail, or Zoho Mail send emails using their own servers and must also be included.
- Your website’s servers: If your website sends emails (e.g., order confirmations, password resets), the IP address or hostname of the server must be added.
Know Your Web Hosting IP Address
In many cases, especially if you use control panels like cPanel, Plesk, or DirectAdmin, your web server’s IP address is used for sending emails. Often, it’s the server’s main address, and it’s important to include it in your SPF record so that emails sent from your website aren’t marked as spam. The a mechanism covers this case only when the A record of your domain points at the very server that sends the mail; if your site sits behind a proxy or CDN, or if outgoing mail leaves from a different address, list that address explicitly with ip4: or ip6: instead.
Do Not Include Your ISP’s IP Address
It’s common to think that you need to add the IP address assigned to you by your Internet Service Provider (ISP) like Bell, Videotron, or others. However, unless you’re sending emails directly from a mail server hosted on your personal internet connection (which is rare and generally discouraged), it’s not necessary to include this IP address.
The Different Types of SPF Mechanisms and Their Order
An SPF record is composed of several mechanisms and modifiers that define the sources authorized to send emails for your domain and how to handle emails that do not match.
SPF Mechanisms
- include: Evaluates the SPF record of another domain; the sender matches if that record returns Pass. Used for third-party services.
- a: Authorizes the addresses in the A (IPv4) and AAAA (IPv6) records of your domain, or of the domain given as an argument (a:host.example.com).
- mx: Authorizes the addresses of your domain’s mail servers (the hosts listed in its MX records).
- ip4 / ip6: Specifies directly an IP address or a block of IP addresses (CIDR notation) in IPv4 or IPv6. These are the only mechanisms that cost no DNS query.
- exists: Matches if an A record exists for the given name; the name is usually built with macros.
- ptr: Checks if the reverse DNS (PTR) of the sender’s IP address resolves back to your domain. It is slow and unreliable, and RFC 7208 says it should not be used.
- all: Matches every IP address not matched by a previous mechanism.
- redirect=: Strictly speaking a modifier rather than a mechanism. It applies the SPF record of another domain in place of yours, and is only consulted when none of the mechanisms matched.
Qualifiers: +, -, ~, ?
Each mechanism can be prefixed with one of these signs (the SPF specification calls them qualifiers and reserves the word “modifier” for redirect= and exp=). The qualifier decides the result when the mechanism matches:
- + (Pass): The server is authorized to send emails (default if no sign is specified).
- - (Fail): The server is not authorized; the receiving server should reject the email.
- ~ (SoftFail): The server is probably not authorized; the email is generally accepted but marked as suspicious.
- ? (Neutral): No opinion is given on the server’s status; the email is treated as if no SPF record existed.
How SPF Mechanisms Are Evaluated
The mechanisms in an SPF record are evaluated from left to right, one by one, until a mechanism matches the sender’s IP address or all mechanisms have been checked. Once a mechanism matches, the result given by its qualifier (Pass, Fail, SoftFail, Neutral) is applied, and the evaluation stops there. If no mechanism matches, the redirect= modifier is followed when present; otherwise the result is Neutral, which is why a record should normally end with an all term.
Consequences of the Order of Mechanisms
- Specific mechanisms first: It’s recommended to place the most specific mechanisms at the beginning of the SPF record. ip4 and ip6 need no DNS query, so matching your own servers early keeps evaluation fast and cheap.
- Generic mechanisms next: Mechanisms that require DNS queries, like include for third-party services, come after the specific mechanisms.
- End with all: The all mechanism should always be placed last. Since it matches every IP address not matched before it, placing it earlier would prevent the evaluation of the mechanisms that follow.
Incorrectly Ordered SPF Record:
v=spf1 all include:servers.mcsv.net a -all
- Here, the all mechanism is placed at the beginning without a qualifier, which means +all: every email receives a Pass, and the following mechanisms (include:servers.mcsv.net, a, and even the final -all) are never evaluated. This renders the SPF record worse than useless, since it explicitly authorizes the whole Internet to send on behalf of the domain.
Correctly Ordered SPF Record:
v=spf1 a include:servers.mcsv.net -all
- Here, the specific mechanisms (a, include:servers.mcsv.net) are evaluated first, and the -all mechanism at the end ensures that emails from any other server receive a Fail.
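To make the left-to-right rule concrete, here is a small SPF evaluator in Python. It is an added example written for this article, not code from the page or from any SPF library: it models ip4, ip6, a, include, all and redirect= against a constructed in-memory DNS table (the hostnames, addresses and the record shown for servers.mcsv.net are made up for the demo and are not the real Mailchimp record) and returns the result of the first matching mechanism. The badly ordered record hands a Pass to a stranger’s address while the correct one returns Fail.

```python
import ipaddress

# Constructed, offline stand-in for DNS. Only the names used in this example exist here.
# The servers.mcsv.net record below is made up for the demo, not Mailchimp's real one.
FAKE_DNS = {
    "example.com": {
        "A": ["203.0.113.10"],
        "TXT": "v=spf1 a include:servers.mcsv.net -all",       # correctly ordered
    },
    "bad-order.example": {
        "A": ["203.0.113.10"],
        "TXT": "v=spf1 all include:servers.mcsv.net a -all",   # 'all' first: everything passes
    },
    "servers.mcsv.net": {"TXT": "v=spf1 ip4:198.51.100.0/24 ~all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse(record):
    """Split 'v=spf1 ...' into ordered mechanisms [(result, name, arg)] and modifiers {name: arg}."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for tok in parts[1:]:
        if "=" in tok:                                  # modifier, e.g. redirect=other.example
            name, _, arg = tok.partition("=")
            modifiers[name.lower()] = arg
            continue
        qual = "+"                                      # '+' is the default qualifier
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        name, _, arg = tok.partition(":")
        mechanisms.append((QUALIFIERS[qual], name.lower(), arg or None))
    return mechanisms, modifiers


def check_host(ip, domain, dns=FAKE_DNS):
    """Evaluate mechanisms left to right; the first one that matches decides the result."""
    addr = ipaddress.ip_address(ip)
    record = dns.get(domain, {}).get("TXT")
    if record is None:
        return "none"
    mechanisms, modifiers = parse(record)
    for result, name, arg in mechanisms:
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):                    # no DNS query needed
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":                               # A record of the domain (or of 'arg')
            matched = str(addr) in dns.get(arg or domain, {}).get("A", [])
        elif name == "include":                         # recurse; only an inner 'pass' is a match
            inner = check_host(ip, arg, dns)
            if inner in ("none", "permerror"):
                return "permerror"                      # include of a missing/broken record is fatal
            matched = inner == "pass"
        else:
            return "permerror"                          # mx, ptr, exists, a/24 are not modelled here
        if matched:
            return result                               # evaluation stops at the first match
    if "redirect" in modifiers:                         # only consulted when nothing matched
        return check_host(ip, modifiers["redirect"], dns)
    return "neutral"


def demo():
    """The page's two records, tested against the website, a Mailchimp address and a stranger."""
    return {
        "website via a":         check_host("203.0.113.10", "example.com"),      # pass
        "mailchimp via include": check_host("198.51.100.7", "example.com"),      # pass
        "stranger, -all last":   check_host("192.0.2.99", "example.com"),        # fail
        "stranger, all first":   check_host("192.0.2.99", "bad-order.example"),  # pass (!)
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24} -> {verdict}")
```

A real evaluator also handles mx, ptr and exists, queries live DNS and enforces the 10-lookup budget; the point here is the control flow: the stranger’s address reaches -all in the correct record and is refused, but in the badly ordered record it hits +all first and is accepted.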
Recommendations for the Order of SPF Mechanisms
- Start with mechanisms specific to your domain: Use ip4, ip6, a, mx to specify your own servers.
- Add include mechanisms for third-party services: Incorporate the servers of services you use for sending emails.
- Place generic mechanisms only if necessary: exists can be useful together with macros; ptr is deprecated and should be avoided.
- Always end with all with the appropriate qualifier: This defines the default behaviour for all other unspecified IP addresses.
SPF Macros: Understanding Their Role and Use
What Is an SPF Macro?
SPF macros are dynamic variables that allow you to insert contextual information into the mechanisms and modifiers of your SPF record. They offer additional flexibility to create more sophisticated SPF policies by using data such as the sender’s IP address, domain name, or email address.
Macro Variables
Here are the most common macro variables (all defined in RFC 7208):
- %{s}: The sender identity being checked, normally the full “MAIL FROM” address (when the HELO identity is checked, it is the HELO hostname).
- %{l}: The local part of that address (before the @).
- %{o}: The sender’s domain name (after the @).
- %{d}: The domain whose SPF record is currently being evaluated. At the top level this is the same as %{o}, but inside an include or redirect it becomes the included or redirected domain.
- %{i}: The sender’s IP address. An IPv6 address is expanded as 32 dot-separated hexadecimal nibbles, not in colon notation.
- %{v}: The string “in-addr” for IPv4 or “ip6” for IPv6, handy for building reverse-DNS-style names.
- %{p}: The validated reverse DNS (PTR) name of the sender’s IP address. It requires extra lookups and should not be used.
- %{h}: The HELO/EHLO hostname provided by the sender.
A macro can also carry transformers: its value is split on a delimiter (the dot by default, or any of “.-+,/_=” given after the letter), the parts can be reversed with “r”, and a digit keeps only the rightmost N parts; the parts are always rejoined with dots. Thus %{ir} expands 192.0.2.1 to 1.2.0.192, %{d2} expands mail.example.com to example.com, and %{l-} splits the local part on hyphens. A literal percent sign is written %%.
Examples of Using SPF Macros
Example 1: Using %{i} for Custom Verification
v=spf1 exists:%{i}._spf.example.com -all
- %{i} is replaced by the sender’s IP address.
- The exists mechanism checks whether an A record exists for <IP_address>._spf.example.com. Only the existence of the record matters; its value is ignored.
- This can be useful if you have a dynamic list of authorized IP addresses and manage the corresponding DNS records. Many deployments use %{ir} instead so that the address is written in reverse, like an in-addr.arpa name; RFC 7208 notes that this reversed form is what the IPv6 expansion of %{i} is intended for.
Example 2: Verification Based on the Local Part of the Email Address
v=spf1 include:%{l}._mail.example.com -all
- %{l} is replaced by the local part of the email address (e.g., “john” in “john@example.com”).
- The include mechanism incorporates an SPF policy specific to each user, which can be useful in environments where sending permissions vary by user.
- Caveat: the local part is chosen by the sender, not by you. If a message arrives with a local part for which no record exists under _mail.example.com, the include points at a name with no SPF record and the evaluation ends in a permanent error rather than a Fail; conversely, a wildcard record under _mail.example.com would authorize every local part at once.
Example 3: Advanced Use with the redirect Modifier
v=spf1 redirect=%{d}.spf.example.net
- %{d} is replaced by the domain being evaluated (e.g., “example.com”).
- redirect is a modifier, not a mechanism: it is only followed once no mechanism has matched. Since this record contains no mechanisms at all, evaluation always continues with the SPF record of example.com.spf.example.net, and the all term of that record provides the final default. No -all is needed here; adding one would match every sender before the redirect is reached.
- This pattern lets one operator publish the policies of many customer domains under a single zone.
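The following Python macro expander, written for this article and not taken from the page or from any SPF implementation, shows what the three records above expand to for a constructed sender (john@example.com, sending from 192.0.2.1 and from 2001:db8::1 with HELO mail.example.com; all of these values are made up). It implements the RFC 7208 expansion rules for the letters s, l, o, d, i, v, h and p, the digit and “r” transformers and custom delimiters; %{p} is left as “unknown” because it would need a reverse DNS lookup.

```python
import ipaddress
import re

# One pattern for every escape: %{letter digits r delimiters}, %%, %_ and %-.
# Upper-case macro letters (which request URL-encoding) are accepted but not encoded here.
MACRO_RE = re.compile(r"%(?:\{([slodiphv])(\d*)(r?)([.\-+,/_=]*)\}|(%)|(_)|(-))", re.I)


def macro_context(sender, ip, domain, helo):
    """Build the macro values for one SMTP transaction (constructed inputs, no DNS)."""
    addr = ipaddress.ip_address(ip)
    local, _, sender_domain = sender.rpartition("@")
    if addr.version == 6:
        # RFC 7208 section 7.3: %{i} for IPv6 is the 32 hex nibbles separated by dots
        ip_text, version = ".".join(addr.exploded.replace(":", "")), "ip6"
    else:
        ip_text, version = str(addr), "in-addr"
    return {
        "s": sender, "l": local or "postmaster", "o": sender_domain,
        "d": domain, "i": ip_text, "v": version, "h": helo,
        "p": "unknown",  # %{p} needs a validated PTR lookup, which is not done offline
    }


def expand(spec, ctx):
    """Expand the macros in a domain-spec using the values in ctx."""
    def repl(m):
        letter, digits, reverse, delims, pct, under, dash = m.groups()
        if pct:
            return "%"
        if under:
            return " "
        if dash:
            return "%20"
        value = ctx[letter.lower()]
        parts = re.split("[" + re.escape(delims or ".") + "]", value)  # split on delimiters
        if reverse:
            parts.reverse()                                             # 'r' transformer
        if digits:
            parts = parts[-int(digits):]                                # keep rightmost N parts
        return ".".join(parts)                                          # always rejoin with dots
    return MACRO_RE.sub(repl, spec)


def demo():
    """Expansions for the page's three records plus the transformer forms, for two senders."""
    ctx4 = macro_context("john@example.com", "192.0.2.1", "example.com", "mail.example.com")
    ctx6 = macro_context("john@example.com", "2001:db8::1", "example.com", "mail.example.com")
    return {
        "exists %{i}":    expand("%{i}._spf.example.com", ctx4),
        "exists %{ir}":   expand("%{ir}._spf.example.com", ctx4),
        "include %{l}":   expand("%{l}._mail.example.com", ctx4),
        "redirect %{d}":  expand("%{d}.spf.example.net", ctx4),
        "%{d2} of a sub": expand("%{d2}", dict(ctx4, d="mail.corp.example.com")),
        "%{l-} hyphens":  expand("%{l-}", dict(ctx4, l="first-last")),
        "ipv6 %{ir}":     expand("%{ir}.%{v}._spf.example.com", ctx6),
        "literal %%":     expand("100%%.%{o}", ctx4),
    }


if __name__ == "__main__":
    for spec, expanded in demo().items():
        print(f"{spec:16} -> {expanded}")
```

The IPv6 case is the one worth running: %{ir} for 2001:db8::1 becomes a 32-label name, which is why the reversed form and a per-address zone (rather than a flat list of addresses in the record) are the practical way to use exists with macros.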
Precautions When Using Macros
- Increased Complexity: Using macros makes your SPF record more complex, which can lead to maintenance and understanding difficulties.
- Length Limits: A single TXT string is limited to 255 characters (longer records must be split into several strings that the receiver joins), and RFC 7208 recommends keeping the whole record under 450 characters so the DNS answer fits in a 512-byte UDP packet. Macros are short in the record itself, but the names they expand to (for example a 32-nibble IPv6 address plus your suffix) must still be valid DNS names.
- Performance: Macros can increase the number of DNS queries needed to evaluate an email, which can affect performance and reach the limit of 10 DNS “lookups” imposed by the SPF protocol.
- Security: Misusing macros can introduce vulnerabilities, allowing unauthorized senders to bypass your SPF policies. Remember that %{s}, %{l}, %{o} and %{h} are supplied by the sender, so any DNS name you build from them can be chosen by an attacker; make sure the zone they point into contains only the records you intend (no wildcards).
Best Practices
- Use Macros Sparingly: Reserve them for cases where they provide real added value.
- Test Carefully: After implementing macros, use SPF validation tools to verify that your record works as intended.
- Document Your Configuration: Clearly explain why and how you use macros to facilitate future maintenance.
Creating Your Own SPF Record: Concrete Examples
Let’s proceed to create your SPF record based on your specific needs.
Example 1: Sending from the Website and Mailchimp
If you send emails from your hosted website and use Mailchimp for your email marketing campaigns:
v=spf1 a include:servers.mcsv.net -all
Explanations:
- a: Authorizes the addresses in your domain’s A/AAAA records (normally your web server).
- include:servers.mcsv.net: Includes Mailchimp’s servers.
- -all: Rejects all other unspecified servers.
Example 2: Using Microsoft Exchange and Your Website
If you use Microsoft Exchange Online (Microsoft 365) for your professional email and also send from your website:
v=spf1 a include:spf.protection.outlook.com -all
Explanations:
- a: Authorizes the addresses in your domain’s A/AAAA records (your website).
- include:spf.protection.outlook.com: Includes Microsoft’s Exchange Online servers.
- -all: Rejects all other unspecified servers.
Example 3: Custom Domain with Gmail and a Contact Form on Your Website
If you use Google Workspace (formerly G Suite) for your domain and your website’s contact form sends mail from the web server:
v=spf1 a include:_spf.google.com -all
Explanations:
- a: Authorizes the addresses in your domain’s A/AAAA records (your website).
- include:_spf.google.com: Includes Google’s servers.
- -all: Rejects all other unspecified servers.
Example 4: Exclusive Sending from the Web Server
If you only send emails from your own web server without using third-party services:
v=spf1 a mx -all
Explanations:
- a: Authorizes the addresses in your domain’s A/AAAA records.
- mx: Authorizes your mail servers (the hosts listed in your MX records). Only keep it if those hosts really send outgoing mail.
- -all: Rejects all other unspecified servers.
Example 5: Combination of Multiple Third-Party Services
If you use multiple services like Mailchimp and SendGrid, in addition to your website:
v=spf1 a include:servers.mcsv.net include:sendgrid.net -all
Explanations:
- a: Authorizes the addresses in your domain’s A/AAAA records (your website).
- include:servers.mcsv.net: Includes Mailchimp’s servers.
- include:sendgrid.net: Includes SendGrid’s servers.
- -all: Rejects all other unspecified servers.
Example 6: No Emails Authorized for This Domain
If you have a domain that should never send email, as is the case for domains kept only as aliases or parked, publish a record that rejects everything; a domain with no SPF record at all remains an easy target for spoofing:
v=spf1 -all
Explanations:
- -all: Rejects all servers.
Important Note: It’s crucial not to exceed the maximum number of 10 DNS “lookups” in your SPF record. Each include, a, mx, ptr and exists mechanism, as well as the redirect= modifier, costs one DNS query, and the queries made inside the records you include count towards the same budget (ip4, ip6 and all cost nothing). Going over the limit produces a permanent error: receiving servers treat the record as invalid and your policy no longer protects you. Records that include several large providers reach the limit quickly, so count the total, includes included, before publishing.
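As an added example (not code from the page or from any SPF tool), this Python audit counts the DNS lookups of a record, following include and redirect= through a constructed, hypothetical DNS table, and lists the warnings a practitioner would want before publishing: more than 10 lookups, a ptr mechanism, a +all, mechanisms placed after all, or a record over 450 bytes. All domain names and records in the table are made up.

```python
import re

# Constructed, offline stand-in for DNS: hypothetical domains and their SPF records.
# The names are made up for this example and are not real providers' records.
FAKE_DNS = {
    "example.com": "v=spf1 a mx include:esp-one.example include:esp-two.example include:crm.example ptr -all",
    "esp-one.example": "v=spf1 include:us.esp-one.example include:eu.esp-one.example -all",
    "us.esp-one.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "eu.esp-one.example": "v=spf1 ip4:198.51.101.0/24 -all",
    "esp-two.example": "v=spf1 a mx -all",
    "crm.example": "v=spf1 redirect=_spf.crm.example",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "lean.example": "v=spf1 ip4:203.0.113.5 include:esp-two.example -all",
    "parked.example": "v=spf1 -all",
}

# Terms that cost a DNS query; ip4, ip6 and all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def term_name(tok):
    """'include:x' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect', 'a/24' -> 'a'."""
    return re.split(r"[:=/]", tok.lstrip("+-~?").lower(), maxsplit=1)[0]


def audit(domain, dns, seen=frozenset()):
    """Return (lookups, warnings) for the record at 'domain', following include/redirect."""
    if domain in seen:
        return 0, [f"{domain}: include/redirect loop"]
    record = dns.get(domain)
    if record is None:
        return 0, [f"{domain}: no SPF record (an include of it yields permerror)"]
    lookups, warnings = 0, []
    if len(record.encode()) > 450:
        warnings.append(f"{domain}: record longer than 450 bytes may not fit a UDP reply")
    toks = record.split()[1:]
    mech_names = [term_name(t) for t in toks if "=" not in t]
    has_redirect = any(t.lower().startswith("redirect=") for t in toks)
    if "all" not in mech_names and not has_redirect:
        warnings.append(f"{domain}: no 'all' term, unmatched senders get Neutral")
    elif "all" in mech_names and mech_names.index("all") != len(mech_names) - 1:
        warnings.append(f"{domain}: mechanisms after 'all' are never evaluated")
    for tok in toks:
        name = term_name(tok)
        if name == "all" and tok[0] not in "-~?":
            warnings.append(f"{domain}: '+all' authorizes every sender on the Internet")
        if name == "ptr":
            warnings.append(f"{domain}: 'ptr' is deprecated by RFC 7208 and slow")
        if name in LOOKUP_TERMS:
            lookups += 1                                   # this term's own query
        if name in ("include", "redirect"):
            target = tok.split(":" if name == "include" else "=", 1)[1]
            sub_lookups, sub_warnings = audit(target, dns, seen | {domain})
            lookups += sub_lookups                         # nested queries share the budget
            warnings += sub_warnings
    return lookups, warnings


def lint(domain, dns=FAKE_DNS):
    """Top-level check: total lookups plus every warning, including the 10-lookup limit."""
    lookups, warnings = audit(domain, dns)
    if lookups > 10:
        warnings.append(f"{domain}: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    return lookups, warnings


if __name__ == "__main__":
    for name in ("example.com", "lean.example", "parked.example"):
        count, problems = lint(name)
        print(f"{name}: {count} lookups")
        for p in problems:
            print("  -", p)
```

In the table above, example.com looks modest (three includes) but costs 11 lookups once the nested includes and the redirect are followed, which is exactly how real records drift over the limit as services are added. To audit a live domain, replace the table with a resolver that fetches the TXT records; the counting logic stays the same.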
In Summary
The SPF record is a powerful tool to secure your email communications. By clearly specifying which servers are authorized to send emails on your behalf, you:
- Reduce the risk of your emails being marked as spam.
- Protect your domain against spoofing (emails forged with your domain as the sender).
- Improve the trust of your clients and partners.
It’s essential to understand the SPF mechanisms well and to create a record adapted to your situation. Don’t forget to update it if you add or remove email sending services.
Note: The SPF record is one of three records that work together to protect your email domain. Do not forget to also check out our blog posts about the DMARC record and about the DKIM record.
Need Help?
Configuring an SPF record may seem complex, but you’re not alone. Our technical support service is always available to assist you. Don’t hesitate to contact us with any questions or to get help in setting up your SPF record.
By securing your emails, you’re taking a significant step toward protecting your business and maintaining reliable communication with your clients. Take the time to properly configure your SPF record and enjoy better deliverability of your emails.