SPF records

Last change on 2021-09-16 • Created on 2020-03-25 • ID: DN-6D149

Introduction

SPF stands for Sender Policy Framework and is a technique for preventing email spam or bogus virus emails.

SPF incorporates a special entry into the zone file of the name server for the sender domain, which guards against manipulation by unauthorised parties.

SPF does not prevent spam which originates from a domain that has been properly registered by the sender, and it also does not cover non-existant domains.

Detailed function

With SPF, a specific TXT record is added to the zone file of the domain. This entry specifies the SMTP servers authorised for a domain. For incoming emails, mail servers can determine whether the sending SMTP server was allowed to send these emails by means of the sender domain, and the mail servers get information from the SPF entry.

An SPF record looks like this, for example:

  @		IN	TXT	"v=spf1 mx ip4:213.133.98.98
  a:test.bigcompany.com -all"
  • All computers which have MX records in this domain are valid.
  • Additionally, emails from the computer with IP <213.133.98.98> are permitted.
  • Emails from the computer "test.bigcompany.com" are also accepted.
  • All other mail servers are not authorised.

Simple practical example

You have a dedicated server at Hetzner and host on it your own domain <bigcompany.com>. Emails are sent and received only via this server.

In this case, the following TXT record in your name server zone file is sufficient:

  @		IN	TXT	"v=spf1 mx -all"
  • Only the computer specified in the domain as the mail server (=MX) is allowed to send emails with the sender address @bigcompany.com.
  • All other mail servers and/or virus infected servers are not allowed to use the domain <bigcompany.com> as a sender.

Email forwarding

Email forwarding is only supported if the sender address from the forwarding server is transcribed in such a way that the SPF entries for the original sender domain no longer interfere.

Example A:

An order is received at <bigcompany.com>. The confirmation of the order is sent:

Sender:           sales@bigcompany.com
Sending server:   mail.bigcompany.com
Receiver:         client@cool-address.com
Receiving server: mail.cool-address.com     ---> SPF check "bigcompany.com": ok

The email arrives at the <cool-address.com> mail server. Let us suppose that this address is now forwarded to <client@aol.com>:

Sender:           sales@bigcompany.com
Sending server:   mail.cool-address.com
Receiver:         client@aol.com
Receiving server: mail.aol.com              ---> SPF check "bigcompany.com": failed

The email is not delivered because the receiving AOL mail server establishes during the SPF check that the forwarding server <mail.cool-address.com>is not cleared to send emails from @bigcompany.com.

The problem can be solved by SRS. SRS (Sender Rewriting Scheme) is a means of enabling forwarding mail servers to adjust and conform sender addresses.

Example B with SRS:

The order confirmation is sent once more:

Sender:           sales@bigcompany.com
Sending server:   mail.bigcompany.com
Receiver:         client@cool-address.com
Receiving server: mail.cool-address.com     ---> SPF check "bigcompany.com": ok

Nothing has changed up to now. However, the forwarding server now changes the sender:

Sender:           client+sales#bigcompany.com@cool-address.com
Sending server:   mail.cool-address.com
Receiver:         client@aol.com
Receiving server: mail.aol.com               ---> SPF check "cool-address.com": ok

In practise, the domain alone is not simply replaced by the new domain, as this could be exploited by spammers for bounce attacks. You can find a detailed description of SRS procedure here under I want to find out about SRS (PDF document).

Disadvantages of SPF

  • Unfortunately, SPF entries are not very widespread; therefore, SPF filters show relatively few "matches".
  • The SRS procedure important for email forwarding is similarly not very penetrant in practice.
  • When users change providers, they need to make exact plans and adjustments of SPF entries during the relocation phase.
  • Many users do not know anything about their SPF entries (or those of their company) and use non-authorised mail servers from a local provider. This naturally leads to bounces.

The disadvantages of SPF should not be overstated; however, as SPF is an ideal way to protect users' own domains from abuse.

Further information

You can find very comprehensive information on SPF at:

SMTP+SPF, Sender Policy Framework

SPF mechanics and syntax

SPF testing

SRS procedure

Table of Contents