In today’s world, email is at the core of every contract, deal, delivery package, and internal communication. There are many bad actors who will use phishing attacks to get to the important information contained in emails and use it to their advantage. SPF records are one tool created to combat these threats.
In this article we will discuss what these SPF records are, how they fit with other email security protocols, and how you can check your own SPF records. 🔒
📚 Table of contents:
- Email security and DNS records like SPF records
- What are SPF records?
- How do SPF records work?
- Why should you use SPF records to protect your domain reputation?
- SPF record example
- How to query SPF records?
Email security and DNS records like SPF records
Email security involves several measures working together: authenticating the origin of the sender, verifying the integrity of the email itself, and providing feedback about the process.
SPF records specify authorized email servers to prevent criminals from spoofing the origin of the email and pretending to send the email on behalf of the domain’s original owner.
The next component of email security is DKIM, which encrypts the content of the emails. That way, even if a bad actor intercepts the message, they can’t read it.
The last tool is DMARC, which uses the results of the SPF check and the DKIM check to add further protection and feedback mechanisms.
The combination of the SPF, DKIM, and DMARC keeps emails safe from spoofing and phishing attacks.
What are SPF records?
SPF is short for Sender Policy Framework. SPF was developed as a set of rules and policies that define who may send email for a domain and provide a method of authenticating the sender. It allows domain administrators to add an SPF record to their domain and specify which servers (IP addresses) can send emails on their behalf. Receivers can later look up that DNS record and verify the sender against it.
How do SPF records work?
- The domain administrator adds an SPF record to the DNS zone, specifying which email servers are authorized to send emails on behalf of the domain.
- A user sends an email to a receiver.
- The receiving mail server looks up the SPF record and checks whether the sending server was authorized to send emails on behalf of the domain.
- Based on the result of the SPF check, the email will be accepted, rejected, or put in quarantine (spam folder).
Why should you use SPF records to protect your domain reputation?
Before SPF, email relied on plain SMTP (Simple Mail Transfer Protocol), which has no method of authenticating the origin of an email (the “From” field). Criminals often spoof it, pretend to send an email from a trusted source, and perform phishing attacks to steal user data. SPF records were created to combat this.
📢 They also have some other key benefits:
- Ensure your emails reach their destinations. Without SPF records, your emails can be discarded or end up in the spam folder. If you want to guarantee delivery, publish an SPF record: the receiver’s mail server will check it and allow your email through.
- Prevent outbound spam. SPF also stops outbound spam. Only authorized mail servers may send messages for your domain, which reduces the chance that your servers end up on a spam blacklist.
- DMARC implementation. To use DMARC you will need both DKIM and SPF records. Having just one of them is not enough to implement the enhanced email security of DMARC.
- Complying with standards. SPF records are part of the industry standards like GDPR (General Data Protection Regulation). Without it, you can get fined for not complying.
SPF record example
Here’s an example of what an SPF record looks like:
v=spf1 mx ip6:f4f0:a8d1:0542:e21c:8383:d06e:1b0f:d13f -all
- v=spf1 – the version of SPF in use, which is 1.
- mx – the receiving server checks whether the sending server matches one of the domain’s MX records.
- ip6 – the receiving server checks whether the sending server matches the listed IPv6 address.
- -all – if none of the previous mechanisms match, the verification must fail.
SPF mechanisms
- “all” matches every sender, and everything after it is ignored. You add it at the end of the SPF record, usually with a “-” qualifier, to set a rule that fails the verification if none of the mechanisms before it returned a positive result.
- “mx” stands for MX record. It performs an MX lookup on the domain and compares the resulting addresses with the sending server given in the return path. A match allows the email.
- “a” stands for address record. It checks the domain’s A and AAAA records; if one of them matches the sending server, the sender is valid.
- “include” starts a recursive check of another domain’s SPF record. With it, the outgoing mail servers of other domains can be authorized to send email for yours. You can use it if you own a few domains (like example.com, example.eu, example.net, and so on).
- “exists” constructs an arbitrary domain name and uses it for a DNS A record query.
- “ptr” stands for PTR (pointer) record. It checks whether the IP address of the sender points back to the right hostname. If the IP address resolves to the domain, the sender is valid.
- “ip4”, stands for IPv4 address. You can define the IPv4 address of your email server or you can define a range of IPv4 addresses.
- “ip6”, stands for IPv6 address. You can define the IPv6 address of your email server or you can define a range of IPv6 addresses.
SPF qualifiers
- “+” means PASS. The incoming email server should accept all emails from the particular host. That is the most used SPF qualifier, and it works like a whitelist.
- “-” means FAIL. The incoming email server should not accept emails from the particular host. This one works as a blacklist.
- “~” means SOFT FAIL. The incoming email server should flag all emails from the particular host but still allow them. The host technically should not be able to send emails.
- “?” means NEUTRAL. The incoming email server can’t verify the emails from the particular host, so there is no specified action. No policies are involved.
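As an added example (not code from the original article), here is a small Python evaluator that walks through the steps described under “How do SPF records work?” using the mechanisms and qualifiers listed above. It applies a record to a sender IP address and returns the outcome names the article uses in its “SPF check outcomes” section. Instead of real DNS lookups it uses a constructed in-memory table; example.com carries the article’s example record, and every other domain and address in the table is made up for the demonstration. The ptr mechanism and the redirect/exp modifiers are deliberately not implemented.

```python
import ipaddress
import re

# Constructed in-memory DNS table used instead of real lookups (assumption: a
# real checker would query the resolver; example.com's record is the article's).
DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx ip6:f4f0:a8d1:0542:e21c:8383:d06e:1b0f:d13f -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["192.0.2.25"]},
    "example.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 include:example.com ~all"]},
    "neutral.example": {"TXT": ["v=spf1 a"], "A": ["192.0.2.40"]},  # no "all" term at the end
    "nospf.example": {"TXT": ["unrelated txt record"]},
    "dup.example": {"TXT": ["v=spf1 -all", "v=spf1 +all"]},        # two SPF records: an error
    "broken.example": {"TXT": ["v=spf1 ip4:not-an-address -all"]},
    "flaky.example": None,                                         # simulated DNS failure
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # guard against include loops


class PermError(Exception):
    """The record cannot be interpreted; the domain owner has to fix it."""


class TempError(Exception):
    """DNS did not answer; the check can be retried later."""


def zone(domain):
    data = DNS.get(domain, {})
    if data is None:
        raise TempError(domain)
    return data


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None when there is none."""
    found = [t for t in zone(domain).get("TXT", []) if re.match(r"v=spf1(\s|$)", t, re.I)]
    if len(found) > 1:
        raise PermError("more than one SPF record")
    return found[0] if found else None


def addresses(host):
    """All A and AAAA addresses of a host as ipaddress objects."""
    return [ipaddress.ip_address(a) for a in zone(host).get("A", []) + zone(host).get("AAAA", [])]


def check_host(ip, domain):
    """Evaluate SPF for sender address `ip` claiming to send for `domain`.

    Returns one of: pass, fail, softfail, neutral, none, temperror, permerror.
    """
    try:
        return _evaluate(ipaddress.ip_address(ip), domain, 0)
    except PermError:
        return "permerror"
    except TempError:
        return "temperror"


def _evaluate(ip, domain, depth):
    if depth > MAX_DEPTH:
        raise PermError("too many nested includes")
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        if "=" in term:                       # modifiers (redirect=, exp=) are not implemented here
            continue
        qualifier = "+"                       # a term without a qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]      # "all" always matches; later terms are ignored
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                raise PermError(f"bad address in {term}")
            matched = ip.version == network.version and ip in network
        elif name == "a":
            matched = ip in addresses(value or domain)
        elif name == "mx":
            matched = any(ip in addresses(mx) for mx in zone(value or domain).get("MX", []))
        elif name == "exists":
            matched = bool(zone(value).get("A"))
        elif name == "include":
            inner = _evaluate(ip, value, depth + 1)
            if inner == "none":
                raise PermError(f"include:{value} has no SPF record")
            matched = inner == "pass"         # only a "pass" from the included record counts
        else:
            raise PermError(f"unknown mechanism {name}")  # ptr is not implemented
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched and no "all" term


if __name__ == "__main__":
    for sender in ("192.0.2.25", "203.0.113.9"):
        print(sender, "->", check_host(sender, "example.com"))
```

Running the block prints `pass` for the address behind the domain’s MX host and `fail` for an unrelated address, because the record ends in `-all`. Swapping the constructed example.net record in shows the difference between `~all` (softfail) and `-all` (fail), and the deliberately broken table entries show how a malformed address, a duplicate record or a DNS outage surface as permerror and temperror.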
How to query SPF records?
If you want to check your SPF records, there are easy-to-use tools available. You can use the built-in commands that ship with your operating system, or you can choose an online SPF tool.
On Linux and macOS
The easiest way to check DNS records on Linux and macOS is the dig command, which both operating systems include by default. Here is how to do it:
- Open the Terminal application and type the following command: “dig example.com TXT”. Change “example.com” to the domain you want to check.
- The result will include all of the TXT records including the SPF record for the domain.
On Windows
On Windows, you can use the Command Prompt.
- Open the Command Prompt and type “nslookup -type=txt example.com”. Change “example.com” to the domain you want to check.
- The result will include all of the TXT records including the SPF record for the domain.
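The dig and nslookup commands above print every TXT record of the domain, so the SPF record still has to be picked out of the output. As an added example (not code from the original article), the following Python script does that for both output formats: it joins TXT records that DNS has split into several quoted strings, reports when a domain has no SPF record or more than one (receivers treat the latter as a permanent error), and counts the terms that cost a DNS lookup at check time, which RFC 7208 limits to 10 per evaluation. The sample outputs are constructed to look like real dig and nslookup answers, not captured from live queries; only `query_txt` talks to the network, by running the article’s dig command.

```python
import re
import subprocess

# Constructed sample of what `dig example.com TXT` prints (not captured from a real query).
DIG_OUTPUT = """\
;; ANSWER SECTION:
example.com.\t\t3600\tIN\tTXT\t"v=spf1 mx ip6:f4f0:a8d1:0542:e21c:8383:d06e:1b0f:d13f -all"
example.com.\t\t3600\tIN\tTXT\t"site-verification=constructed-placeholder"
"""

# Constructed sample of `nslookup -type=txt example.net` output. The first record is
# split into two quoted strings, as DNS does for long TXT records, and the domain
# publishes two SPF records, which is a configuration error.
NSLOOKUP_OUTPUT = """\
Non-authoritative answer:
example.net\ttext = "v=spf1 ip4:198.51.100.0/24 " "include:example.com ~all"
example.net\ttext = "v=spf1 -all"
"""

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one quoted string, allowing \" inside it
SPF_VERSION = re.compile(r"v=spf1(\s|$)", re.I)
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def txt_value(line):
    """Join the quoted strings on one TXT answer line into the record's full text."""
    parts = QUOTED.findall(line)
    if not parts:
        return None                     # header, comment or blank line
    return "".join(parts).replace('\\"', '"')


def spf_records(output):
    """Return every SPF record found in dig or nslookup output, in order."""
    values = (txt_value(line) for line in output.splitlines())
    return [v for v in values if v is not None and SPF_VERSION.match(v)]


def spf_status(output):
    """Classify the lookup: ('none', None), ('permerror', records) or ('ok', record)."""
    records = spf_records(output)
    if not records:
        return "none", None
    if len(records) > 1:                # more than one SPF record is a permanent error
        return "permerror", records
    return "ok", records[0]


def dns_lookup_terms(record):
    """Count the terms that cost a DNS lookup when a receiver evaluates the record.

    RFC 7208 limits these to 10 per check; a record that exceeds it yields permerror.
    """
    count = 0
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            count += 1
    return count


def query_txt(domain):
    """Run the article's dig command for a real domain (needs network access and dig)."""
    return subprocess.run(["dig", domain, "TXT"], capture_output=True, text=True, check=True).stdout


def audit(domain):
    """Look a domain up and print its SPF record or the problem found."""
    status, record = spf_status(query_txt(domain))
    if status == "ok":
        print(f"{domain}: {record} ({dns_lookup_terms(record)} DNS-lookup terms)")
    else:
        print(f"{domain}: {status} {record or ''}".rstrip())


if __name__ == "__main__":
    audit("example.com")
```

The same parser works on the output of `nslookup -type=txt`, since both tools print each TXT record as one or more double-quoted strings; anything without quotes (section headers, comments) is ignored.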
Online tools
You can also use an online DNS record checker. You can find many out there, but for this example, we will use mxtoolbox.com.
- Go to mxtoolbox.com/spf.aspx and type the domain you want to query.
- The online SPF tool will give you the result of the query where you can see the SPF record.
SPF check outcomes
👉 These are the possible results you might get from an SPF records check:
- None – after the DNS query, the recursive resolver found no SPF record. Either SPF is missing or the DNS administrator did not configure it correctly.
- Neutral – the administrator has not added the IP address of the sender, so the verification cannot confirm the sender.
- Pass – based on the SPF data, the sender is authorized and the receiver should accept the email.
- Fail – the sender is not authorized to use the domain.
- Softfail – the sender is probably not authorized. This can lead to the email ending up in the spam folder instead of being rejected entirely.
- Temperror – a temporary error, most probably caused by DNS problems. If the client retries later, the problem may already be gone.
- Permerror – a permanent error. The SPF record could not be understood, and the administrator of the domain has to fix it.
Conclusion 🧐
Now you know what SPF records are and how they enhance email security. You must include SPF if you want to reduce the bounce rate and improve your email delivery rate. 🔒
Want to learn more about keeping your business safe online? Check out our guide on domain privacy.