Terminology

Last change on 2025-10-07 • Created on 2025-10-07 • ID: NE-A84B1

Domain

A domain is a human-readable name used to identify a location on the Internet, like example.com or example.co.uk.

There are hundreds of available domain endings, referred to as Top Level Domains (TLDs), to choose from. These include country-code TLDs such as .de (Germany) and .fi (Finland), generic TLDs such as .com (commercial), .org (organisations), .net (networks) and newer (sponsored) TLDs such as .app, .dev, and .berlin.

As long as a domain name is still available, you can register it with a registrar of your choice, such as Hetzner. Once registered, you can manage your domain using the Domain Name System (DNS). Your registrar usually operates authoritative name servers that serve a DNS zone for your domain.

Zone

A DNS zone consists of different records, storing different public information. There are a variety of different record types for different purposes, such as A (IPv4 address), AAAA (IPv6 address), MX (mail server), NS (name server), TXT (text) and PTR (pointer for reverse DNS).

For example, a record with name www, type A and value 198.51.100.1 in the zone example.com indicates to clients that requests to www.example.com should be sent to a server with that IPv4 address. Multiple records with the same name and type are also referred to as a resource record set (RRset).

The DNS also allows the delegation of sub-zones to other name servers using NS records.

SPF

SPF stands for Sender Policy Framework and is a technique for preventing email spam or bogus virus emails.

SPF incorporates a special entry into the zone file of the name server for the sender domain, which guards against manipulation by unauthorised parties.

SPF does not prevent spam which originates from a domain that has been properly registered by the sender, and it also does not cover non-existent domains.

Usage

See Sender Policy Framework (SPF) Record Syntax

With SPF, a specific TXT record is added to the zone file of the domain. This entry specifies the SMTP servers authorised for a domain. For incoming emails, receiving mail servers look up the SPF entry of the sender domain and use it to determine whether the sending SMTP server was allowed to send these emails.

An SPF record looks like this, for example:

@  IN  TXT  "v=spf1 mx ip4:213.133.98.98 a:test.example.com -all"

| Entry | Description |
|---|---|
| mx | SPF looks up the IP addresses of all MX hostnames. If the sending server's IP matches any IP resolved from MX hostnames, it's allowed. |
| ip4:213.133.98.98 | Emails from the server with the IP 213.133.98.98 are also accepted. |
| a:test.example.com | SPF looks up the IP address specified in the A/AAAA record of test.example.com. If the sending server's IP matches that IP, it's allowed. |
| -all | Only servers that are explicitly listed above are allowed to send emails on behalf of the domain. All other mail servers are considered spam/virus infected servers and will be rejected. |

Simple example

Server 1: mail.example.com, IP 203.0.113.1

Domain zone managed by you: example.com

| Type | Name | Value |
|---|---|---|
| A | mail | 203.0.113.1 |
| MX | @ | mail.example.com. |
| TXT | @ | "v=spf1 mx -all" |

In this example, the value of TXT specifies that only mail servers listed in the MX records for your domain are allowed to send emails on behalf of your domain. SPF looks up the IP addresses of all MX hostnames. If the sending server's IP matches any IP resolved from MX hostnames, it's allowed.

In the example above, the only MX record points to mail.example.com which resolves to 203.0.113.1. This means only the server with the IP address 203.0.113.1 is allowed to send out messages on behalf of your domain.

Mail servers and/or virus infected servers with any other IP address are not allowed to send out messages on behalf of your domain.

Email forwarding

Email forwarding is only supported if the forwarding server rewrites the sender address in such a way that the SPF entries for the original sender domain no longer interfere.

In practice, the domain alone is not simply replaced by the new domain, as this could be exploited by spammers for bounce attacks. You can find a detailed description of the SRS procedure under "I want to find out about SRS" (PDF document).

Example

Server 1: mail.example.com, IP 203.0.113.1
Server 2: client.example.org, IP 198.51.100.1

Domain zones

example.com

| Type | Name | Value |
|---|---|---|
| A | mail | 203.0.113.1 |
| MX | @ | mail.example.com. |
| TXT | @ | "v=spf1 mx -all" |

example.org

| Type | Name | Value |
|---|---|---|
| A | client | 198.51.100.1 |
| MX | @ | client.example.org. |
| TXT | @ | "v=spf1 mx -all" |

The following requires SRS (Sender Rewriting Scheme), which enables forwarding mail servers to adjust sender addresses so that they conform.

Original email

  • Sender address: holu@example.com
  • Sending server: mail.example.com
  • Recipient address: client@example.org
  • Receiving server: client.example.org
  • Message: Hello Client, greetings from Holu!

Forwarded email

  • Sender address: holu@example.com
  • Sending server: client.example.org
  • Recipient address: john@example.net
  • Receiving server: john.example.net
  • Message: Hello Client, greetings from Holu!

Forwarded email with SRS

  • Sender address: client+holu#example.com@example.org
  • Sending server: client.example.org
  • Recipient address: john@example.net
  • Receiving server: john.example.net
  • Message: Hello Client, greetings from Holu!

| | Original email | Forwarded email | Forwarded email with SRS |
|---|---|---|---|
| Sender domain | example.com | example.com | example.org |
| SPF allows | 203.0.113.1 | 203.0.113.1 | 198.51.100.1 |
| Used mail server | mail.example.com (203.0.113.1) | client.example.org (198.51.100.1) | client.example.org (198.51.100.1) |
| SPF check | ok | failed | ok |
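
The three cases in the table, and the longer record from the Usage section, can be reproduced with a small SPF evaluator. This is an added example, not Hetzner's code: it handles only the mx, ip4, a and all entries described on this page (IPv4 only), and it resolves names against a constructed in-memory copy of the two example zones instead of live DNS. The function names are hypothetical.

```python
import ipaddress

# Constructed records mirroring the page's two example zones (no live DNS).
RECORDS = {
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("example.com", "MX"): ["mail.example.com."],
    ("mail.example.com", "A"): ["203.0.113.1"],
    ("example.org", "TXT"): ["v=spf1 mx -all"],
    ("example.org", "MX"): ["client.example.org."],
    ("client.example.org", "A"): ["198.51.100.1"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return RECORDS.get((name.rstrip(".").lower(), rtype), [])


def host_ips(host):
    return {ipaddress.ip_address(a) for a in lookup(host, "A")}


def evaluate(record, client_ip, domain):
    """Evaluate one SPF record left to right; the first matching term decides."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in host_ips(arg or domain)
        elif name == "mx":
            matched = any(ip in host_ips(mx) for mx in lookup(arg or domain, "MX"))
        else:
            raise ValueError(f"term not covered by this sketch: {term}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"                         # nothing matched and no "all" term


def check_spf(client_ip, envelope_sender):
    """Check the connecting IP against the SPF record of the sender's domain."""
    domain = envelope_sender.rsplit("@", 1)[1].lower()
    spf = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if len(spf) != 1:                        # no record, or ambiguous duplicates
        return "none" if not spf else "permerror"
    return evaluate(spf[0], client_ip, domain)
```

Calling `check_spf("198.51.100.1", "holu@example.com")` reproduces the failed forwarding case, while the SRS-rewritten sender `client+holu#example.com@example.org` from the same IP passes because the check is then made against the example.org zone.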

Disadvantages of SPF

  • When users change providers, they need to plan and adjust their SPF entries precisely during the relocation phase.
  • Many users do not know anything about their SPF entries (or those of their company) and use non-authorised mail servers from a local provider. This naturally leads to bounces.

The disadvantages of SPF should not be overstated, however, as SPF is an ideal way to protect users' own domains from abuse.

Further information

You can find very comprehensive information on SPF at:
