What is SPF?

Sender Policy Framework (SPF, RFC 7208) is an email authentication mechanism. A domain owner publishes in DNS the list of hosts that are allowed to send mail for that domain, and a receiving mail server checks the IP address of the connecting client against that list whenever the domain appears in the SMTP envelope sender (MAIL FROM) or in the HELO/EHLO name. SPF does not check the From: header a user sees in their mail client; that gap is what DMARC alignment is for.

Why do you need SPF?

SMTP itself does not authenticate the sender: any host can connect to a mail server and claim any address in MAIL FROM. SPF gives domain owners a way to declare which hosts are authorised to send mail for their domain, so that receivers can detect, and reject or flag, mail from anyone else.

How do you implement SPF for your domain and what makes up an SPF record?

SPF is implemented by publishing a TXT record for your domain (and for any subdomain that sends mail) at your DNS provider. The record is published at the domain name itself, with no special prefix.
A typical SPF TXT DNS record looks like the following:

"v=spf1 include:amazonses.com ip4:192.168.0.1/32 ~all"

(192.168.0.1 is a placeholder; a private address would never match a client connecting from the internet, so a real record lists the public addresses of your mail servers.)

Let's look at this further. Firstly, v=spf1 identifies the TXT record as an SPF record; every SPF record must start with this version string, and a domain must publish exactly one SPF record (a second one makes the whole policy a permerror). The items that follow are called mechanisms. A record can contain several mechanisms, and a receiver evaluates them left to right, stopping at the first one that matches the sending IP address.

include:domain.com
This mechanism pulls in the SPF record of another domain, typically a third-party mail provider such as amazonses.com, and treats the senders it authorises as authorised for your domain. Evaluation is recursive: the included domain's own include, a and mx mechanisms are followed, and each of them counts towards the DNS lookup limit described below. You can have multiple include mechanisms.

ip4:ipv4 address/prefix
This mechanism allows you to list IPv4 addresses or address ranges that are authorised/valid senders.

ip6:ipv6 address/prefix
The same above but IPv6 addresses.

mx / mx:domain.com
The mx mechanism on its own authorises the hosts listed in the current domain's MX records (the servers that receive its mail); mx:domain.com authorises the MX hosts of the named domain instead. The sending IP has to match one of the addresses those MX hostnames resolve to.

a / a:domain.com
The a mechanism works similarly: on its own it authorises the IP address(es) in the current domain's A (and AAAA) records, and a:domain.com authorises the addresses of the named domain instead.

all
The all mechanism matches every sender. It is a catch-all, so it belongs at the end of the SPF TXT record: any mechanism after it is never evaluated. What happens to a sender that reaches it depends on the qualifier placed in front of it:

  • "-all" (fail): the sender is not authorised; receivers should reject the message or treat it as spam
  • "~all" (softfail): the sender is probably not authorised; receivers accept the message but mark it as suspicious
  • "?all" (neutral): the domain makes no statement about the sender
  • "+all" (or "all" with no qualifier, which means pass): every sender is authorised, which defeats the purpose of SPF and should never be published

Qualifiers can prefix any mechanism, but - and ~ on all are the two you will normally see. Both mean the sender did NOT pass, but they are not treated the same way: fail is a reject signal, softfail an accept-but-suspicious one. ~all is a reasonable choice while you are still discovering which services send mail for you; move to -all once the record is known to be complete.

Things to keep in mind

  • SPF evaluation is limited to 10 DNS lookups (RFC 7208, section 4.6.4). The include, a, mx, ptr and exists mechanisms and the redirect modifier each count as one, including those inside any included record; ip4, ip6 and all do not count. Exceeding the limit produces a permerror, which receivers treat as "no valid SPF", so a record that includes several large providers can silently stop protecting the domain.
  • A single string inside a TXT record is limited to 255 characters. A longer SPF record must be published as several strings within the one TXT record (most DNS providers do this split for you), and receivers concatenate them before evaluating. What you must not do is publish two separate SPF TXT records for the same name: that is also a permerror. Keep the whole record well under 512 bytes so the DNS response fits in a single UDP packet.
  • To check the SPF record, resolve the domain's TXT record and look for the entry starting with v=spf1:
    • Windows: nslookup -q=TXT example.com
    • Linux/Mac: dig example.com TXT +short
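The following Python script is an added example, not code from the original article, that ties together the mechanism and qualifier descriptions above and the two record limits in this list. It evaluates a sender IP against a domain's SPF policy the way a receiver would (mechanisms left to right, qualifier applied on the first match, include handled recursively) and returns permerror when the 10-lookup limit is exceeded or a name publishes two SPF records. The zone data (example.com, mailer.example.net, split.example, loop.example, twice.example and their addresses) is constructed so the script runs offline and stands in for a live resolver; the split.example entry shows one record published as two TXT strings, as a resolver returns it once a record passes 255 characters.

```python
import ipaddress

# Constructed zone data standing in for a live resolver so the example runs offline.
# Each TXT entry is a list of records; each record is a list of the character-strings
# (<= 255 bytes each) that a resolver concatenates before the record is parsed.
# Names and addresses are illustrative (RFC 5737 / RFC 3849 ranges), not real senders.
ZONE = {
    "TXT": {
        "example.com": [["v=spf1 include:mailer.example.net mx ip4:203.0.113.0/24 -all"]],
        "mailer.example.net": [["v=spf1 ip4:198.51.100.10 ~all"]],
        # one record stored as two strings, as a resolver returns it past 255 bytes
        "split.example": [["v=spf1 ip4:192.0.2.0/24 ", "ip6:2001:db8::/32 -all"]],
        # self-referencing include: evaluation stops at the 10-lookup limit
        "loop.example": [["v=spf1 include:loop.example -all"]],
        # two SPF records on one name: permerror, not "the first one wins"
        "twice.example": [["v=spf1 -all"], ["v=spf1 +all"]],
    },
    "MX": {"example.com": ["mx1.example.com"]},
    "A": {"mx1.example.com": ["203.0.113.25"]},
}

MAX_DNS_LOOKUPS = 10                        # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


class PermError(Exception):
    """The record is malformed or exceeds a limit; RFC 7208 calls this permerror."""


def spf_record(domain):
    """Return the single SPF record published for domain, or None if there is none."""
    records = ["".join(parts) for parts in ZONE["TXT"].get(domain, [])]
    records = [r for r in records if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) > 1:
        raise PermError(f"{domain} publishes {len(records)} SPF records")
    return records[0] if records else None


def host_addresses(name):
    return [ipaddress.ip_address(a) for a in ZONE["A"].get(name, [])]


def check_host(addr, domain, lookups):
    """Simplified RFC 7208 check_host(): returns pass/fail/softfail/neutral/none.
    lookups is a one-element list so the count is shared across include: recursion."""
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term:                     # modifiers (redirect=, exp=) are not handled here
            continue
        qualifier = "+"                     # a mechanism with no qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name in LOOKUP_MECHANISMS:       # counted whether or not the mechanism matches
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                raise PermError("more than 10 DNS-querying mechanisms")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):        # an IPv6 client never matches an ip4 network
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":                   # the optional CIDR suffix (a:host/24) is omitted
            matched = addr in host_addresses(arg or domain)
        elif name == "mx":                  # the per-MX-host A lookups have their own limit of 10
            matched = any(addr in host_addresses(mx) for mx in ZONE["MX"].get(arg or domain, []))
        elif name == "include":
            sub = check_host(addr, arg, lookups)
            if sub == "none":
                raise PermError(f"include:{arg} has no SPF record")
            matched = sub == "pass"         # fail/softfail/neutral inside an include just mean "no match"
        else:
            raise PermError(f"unknown mechanism {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # fell off the end of the record with no "all"


def spf_result(ip, domain):
    """Evaluate sender ip against domain's SPF policy.
    Returns (result, number of DNS-querying mechanisms evaluated)."""
    lookups = [0]
    try:
        return check_host(ipaddress.ip_address(ip), domain, lookups), lookups[0]
    except PermError:
        return "permerror", lookups[0]


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "example.com"), ("198.51.100.10", "example.com"),
                       ("192.0.2.1", "example.com"), ("2001:db8::1", "split.example"),
                       ("192.0.2.1", "loop.example"), ("192.0.2.1", "twice.example")]:
        print(f"{ip:>16} {domain:<20} {spf_result(ip, domain)}")
```

Swapping the ZONE dictionary for real queries (for example with dnspython's resolver) turns this into a working checker, but the offline version is enough to see the two failure modes practitioners hit most often: loop.example dies with permerror after the eleventh include, and twice.example is rejected before a single mechanism is evaluated.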

Summary

Sender Policy Framework (SPF) lets a domain owner specify which hosts may send email for the domain, and lets receiving servers check the sender's IP address against that list.
It is implemented by publishing a single SPF TXT record for your domain, kept within the 10-lookup limit and ending in -all once you are confident the record is complete.