In today’s messaging world, it’s probably a good idea to start looking into how you can not only protect your domain from receiving spam messages, but also make sure it is protected from sending spam. An SPF record won’t prevent your domain from sending spam, but it can assist in preventing others from sending spam AS YOU and is a good first step in configuring email protections. An SPF record is a specially formatted DNS TXT record that tells the world which IPs or hosts are allowed to send mail on behalf of your domain.
When setting up an SPF record, it is really important that you know all the IPs or server host names that will send valid email for your domain. For example, it is common to use a 3rd party to send marketing emails from your domain. In this instance, you should ensure that the 3rd party marketing server addresses have been added to the domain SPF record.
Let’s look at the ‘parts’ that make up an SPF record. Mechanisms are used to list the hosts that will be included in your SPF record, and the qualifiers are used to determine how those entries are treated.
The available Mechanisms are:
- all – matches all addresses, internal and external. Typically used at the end of the record.
- ip4 – used to list IPv4 IPs and IP ranges.
- ip6 – used to list IPv6 IPs and IP ranges.
- a – used to list a host by a DNS A record.
- mx – used to list a domain’s MX records.
- ptr – used to list a reverse DNS query of the sending IP. (Typically not used because it’s a very expensive DNS request)
- exists – Checks to see if the domain listed exists.
- include – checks the IP against an SPF record of a separate domain.
The 4 options we have for Qualifiers are:
- Pass (+) – The address passes the check and the message will be delivered. (This is the default and the ‘+’ is not specifically needed)
- Neutral (?) – The address doesn’t really pass or fail a check. The server can do whatever it wants. It will most likely deliver the message.
- Soft Fail (~) – The address fails the check, but the message will still be delivered after marking it.
- Fail (-) – The address fails the check, the message won’t be delivered.
Now that we have collected the host list and know what makes up an SPF record, let’s build one. The above information can be a little confusing, so it’s likely easiest to use an SPF generator to create the syntax for the TXT record. A quick web search will provide you with several options, but a good one is spfwizard.net. Now it’s simply a matter of answering the questions to create the needed record.
Let’s build an SPF record for ehloexchange.net with the following assumptions: I send from the same IPs that my MX record uses, I want to include a 3rd party marketing company that uses an IPv4 range of 18.104.22.168/28, and I want to ensure that any IP NOT listed results in an SPF failure. The record I would need to create would look like:
“v=spf1 mx ip4:22.214.171.124/28 -all”
v=spf1 will identify the TXT record specifically as an SPF record.
mx (+ is assumed) says that if the sending address matches the domain MX records it passes the check.
ip4:126.96.36.199/28 (+ is assumed) says that if the sending address is included in the range it passes the check.
-all means that any other IP will fail the check.
All that’s left is to add that string to a TXT record in public DNS for the domain.
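Before publishing, it helps to check how a receiving server would read a record of this shape. The following is an added example, not part of the original article: it parses a record into qualifier and mechanism terms and evaluates a sending IP against them, with the first matching term deciding the result. The sample record, the documentation-range addresses and the `mx_ips` parameter (MX addresses supplied by the caller instead of a DNS lookup) are constructed assumptions.

```python
import ipaddress

# Qualifier symbols from the list above mapped to SPF results; '+' is the default.
QUALIFIERS = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}

# Constructed sample: same shape as the record above, using documentation IP ranges.
SAMPLE_RECORD = "v=spf1 mx ip4:203.0.113.16/28 -all"
SAMPLE_MX_IPS = ["198.51.100.10"]  # assumed result of resolving the domain's MX hosts

def parse_spf(record):
    """Split an SPF TXT string into (qualifier, mechanism, value) terms."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed

def evaluate(record, sender_ip, mx_ips=()):
    """Return the SPF result for sender_ip; the first matching term wins."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # strict=False accepts a range written with host bits set
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "mx":
            matched = any(ip == ipaddress.ip_address(m) for m in mx_ips)
        else:
            # a, ptr, exists and include need live DNS and are out of scope here
            raise NotImplementedError(f"{name} needs DNS; not handled here")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term

if __name__ == "__main__":
    for sender in ("198.51.100.10", "203.0.113.20", "192.0.2.77"):
        print(sender, evaluate(SAMPLE_RECORD, sender, SAMPLE_MX_IPS))
```

Changing `-all` to `~all` in the sample turns the result for the unlisted address from fail into softfail, which is a common way to stage a new record before enforcing it.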