Email spoofing is the practice of forging the ‘From’ address in an email to make it appear as though it was sent from a trusted source.
Malicious actors often use email spoofing to trick an unsuspecting victim into clicking links, which can ultimately lead to information theft or the spread of malware.

A Sender Policy Framework (SPF) record is a DNS TXT record that helps prevent email spoofing.
When an email is received, the recipient’s mail server will check the SPF record of the sender’s domain to verify whether the sending mail server is permitted to send emails on behalf of that domain.
Note: On our secure hosting platform, SPF records are automatically added for all domains that use our nameservers. We also have one-click DNS settings for G Suite and Office 365.
In this blog post, we’ll break down the components of SPF records, explain how they work, and highlight the benefits they can bring to your domain.
How SPF Works – Step by Step
- Sender Initiates Email: When an email is sent, the sending SMTP server connects to the recipient’s mail server.
- Recipient Mail Server Extracts SPF Record: The recipient’s mail server extracts the domain the inbound email is being sent from and queries the DNS for the SPF record of that domain.
- SPF Record Lookup: The recipient’s server performs a DNS TXT record lookup for the sender’s domain and retrieves the SPF record, which contains a list of authorised IP addresses or hostnames.
- Validation Against Sending Server’s IP: The recipient server compares the actual sending IP from the SMTP connection against the authorised list in the SPF record.
- SPF Evaluation and Result: The recipient server evaluates the SPF policy and assigns one of the following results:
  - Pass → The sending IP is authorised.
  - Fail → The sending IP is not authorised.
  - SoftFail → The sending IP is likely unauthorised but not strictly rejected.
  - Neutral → No definitive statement about authorisation.
  - None → No SPF record found for the domain.
  - PermError → SPF record is invalid or misconfigured.
  - TempError → Temporary DNS failure.
- Action Taken Based on SPF Result: If the SPF check fails, the recipient mail server may reject the email, mark it as spam, or apply additional filtering.

SPF Record Syntax and Components
An SPF record is a TXT record stored in the domain’s DNS, formatted similarly to the example shown below:
v=spf1 ip4:192.168.1.1 ip6:2001:db8::1 include:spf.stackmail.com a mx -all
v=spf1
This indicates that the record follows SPF version 1, which is the only version in widespread use.
ip4:192.168.1.1
Authorises servers with the IPv4 address 192.168.1.1 to send emails on behalf of the domain.
ip6:2001:db8::1
Authorises servers with the IPv6 address 2001:db8::1 to send emails for the domain.
include:spf.stackmail.com
This means the recipient mail server should also check the SPF record of spf.stackmail.com. If that SPF record contains allowed IPs, they are included as authorised senders for this domain.
a
Authorises any IP address associated with the A record of the domain. If example.com has an A record pointing to 203.0.113.5, then that IP is allowed to send emails.
mx
Authorises any mail servers listed in the MX records of the domain to send emails. If the domain’s MX records point to mail.example.com, then the resolved IP(s) are authorised.
-all
This is a hard fail policy. Any sending mail server not explicitly listed in the SPF record should be rejected. This is a strict security measure to prevent spoofing.
Limitations and Considerations
DNS Lookup Limit
SPF records allow a maximum of 10 DNS lookups, including those triggered by include, a, mx, etc. Because of this, it is essential to limit the IP addresses, includes and MX records within your SPF record to those that are essential for email delivery.
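The evaluation steps, the mechanisms from the example record and the 10-lookup limit can be seen together in the following added example, which is not code from the original post or from any mail server. DNS is replaced by constructed dictionaries; `check_spf`, the `hop*.example` domains and all record contents (including the one shown for spf.stackmail.com) are assumptions for illustration, and only the include, a and mx terms themselves are counted as lookups.

```python
import ipaddress

# Constructed stand-in for DNS so this runs offline; every record is made up for illustration.
TXT = {
    "example.com": "v=spf1 ip4:192.168.1.1 ip6:2001:db8::1 include:spf.stackmail.com a mx -all",
    "spf.stackmail.com": "v=spf1 ip4:198.51.100.0/24 ~all",
}
# Chain of nested includes (hop0 -> hop1 -> ...) that exceeds the 10-lookup limit.
TXT.update({f"hop{i}.example": f"v=spf1 include:hop{i + 1}.example -all" for i in range(12)})
A = {"example.com": ["203.0.113.5"], "mail.example.com": ["203.0.113.25"]}
MX = {"example.com": ["mail.example.com"]}
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

class PermError(Exception):
    pass

def _count_lookup(budget):
    budget[0] += 1              # include, a and mx each cost one DNS lookup
    if budget[0] > 10:
        raise PermError("more than 10 DNS lookups")

def _evaluate(ip, domain, budget):
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "None"
    for term in record.split()[1:]:             # mechanisms are tried left to right
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":                 # matches only if the included record passes
            _count_lookup(budget)
            matched = _evaluate(ip, arg, budget) == "Pass"
        elif mech in ("a", "mx"):
            _count_lookup(budget)
            hosts = [arg or domain] if mech == "a" else MX.get(arg or domain, [])
            matched = ip in [ipaddress.ip_address(x) for h in hosts for x in A.get(h, [])]
        else:                                   # only the article's mechanisms are handled
            raise PermError(f"unsupported term: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"                            # nothing matched and no "all" term

def check_spf(ip, domain):
    try:
        return _evaluate(ipaddress.ip_address(ip), domain, [0])
    except PermError:
        return "PermError"
```

Calling `check_spf("192.0.2.1", "hop0.example")` shows why a long include chain is a deliverability risk: the record is syntactically fine, yet evaluation ends in PermError once the eleventh lookup is needed.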
Cannot Handle Email Forwarding
SPF checks the original sending domain, so forwarded emails often fail SPF: the forwarded email is sent by a new entity that is not included in the original sender’s SPF record.
DMARC and DKIM Are Recommended
SPF should be used with DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) for better email authentication.
The purpose of DKIM is to verify that the content of a DKIM-signed email message has not been modified in transit between the mail servers of the sender (or the sender’s ISP, Internet Service Provider) and the receiver.
DMARC is an email security protocol that helps prevent spoofing and other email threats. DMARC works with other email authentication standards, like SPF and DKIM, to verify the identity of email senders.
