SPF means “Sender Policy Framework.” It is a list of IP addresses that are allowed to send emails for a specific domain. This helps servers weed out spam and phishing emails that try to disguise themselves as coming from a reputable domain.
Spammers sometimes fake the “sent from” and “reply” addresses to make it look like the emails come from a reputable address. If you checked the header, however, you would see they actually originate from a spamming address. Spammers do this to misdirect complaints and avoid emails bouncing.
Creating an SPF record helps fend off these spammers who would use your domain as a cover to send spam or who try to send the spam to you. The SPF record will be checked by other servers and, when they discover spam disguised as your domain or you discover spam disguised as theirs, the server will reject it.
Not only is SPF a good way to keep spam out of your inbox, it can also help ensure email delivery. Some email services will automatically reject emails with no SPF record. Combat this by enabling an SPF configuration on your account. Pair Networks offers pre-configured SPF records for our mailboxes so it’s easy for you to get SPF protection, without building an SPF record from the ground up. Find out more about our pre-configured SPF records here.
If you’re comfortable with DNS records, you can create your own SPF record or read the rest of this article for in-depth information about SPF records.
If you would like to have all incoming mail checked by SPF, visit our Blocking Junk Mail with SPF article.
An SPF record is a TXT record stored in the DNS zone file. A TXT record can contain free-form or formatted text. However, an SPF record is written in a specific format.
An SPF entry will look like this:
v=spf1 ip4:10.20.20.0/24 ip4:10.10.10.21 -all
The version number tag, v=spf1, begins each SPF record. This particular version works best for our purposes since it allows the user to identify their mail server and enables receiving servers to check incoming mail against the valid mail server.
After the version tag comes the “mechanism.” The mechanism is the method used to identify the host(s). Here is a full list of mechanisms:
The all Mechanism
The all mechanism always matches. Placed at the end of a record with the - qualifier, it indicates that an email whose sending IP address did not match any of the earlier mechanisms is invalid.
v=spf1 a:smtp.example.com -all
This line indicates that emails sent from the IP address of smtp.example.com are valid for the domain; all other emails will be rejected.
The all mechanism usually goes at the end of the SPF record to block everything that isn’t listed.
The a Mechanism
The a mechanism is one of the several mechanisms that dictate what IP addresses are allowed to send mail from the domain.
For example, if example.com has an a record that represents the IP address 184.108.40.206, adding a:example.com to the SPF record will identify mail from that IP address as valid.
The mx Mechanism
The mx mechanism lists acceptable server IP addresses for the domain.
If an IP address matches the mx or a records, then the IP address will be deemed valid by the receiving server and the email will go through.
If you wrote the following example, it would mean that two IP addresses could be deemed valid by the receiving servers, but all emails not matching those two addresses would be rejected:
v=spf1 mx a -all
mx stores one IP address for checking and a stores another. The -all then dictates that all emails that do not match mx or a are not valid emails.
Mechanisms can be preceded with one of the four qualifiers:
- + (Pass)
- - (Fail)
- ~ (Soft Fail)
- ? (Neutral)
Usually, these are not used except for the final all mechanism, which often appears as -all to block any emails that do not meet the requirements dictated by the SPF record. By default, the + (pass) qualifier will be used.
When a server checks the SPF record, it checks each entry in order. If no part results in a pass or fail, the result will be marked as neutral. Neutral simply means that no action will be taken on the email.
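The in-order check described above, as an added example (not Pair Networks' code): a minimal Python evaluator that handles only the all, ip4, a and mx mechanisms and the four qualifiers. The function name check_spf, the DNS tables and the example.com hosts and addresses are constructed for illustration; a real receiving server would look them up in DNS.

```python
import ipaddress

# Constructed DNS data (documentation addresses); a real check would query DNS.
DNS_A = {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.25"]}
DNS_MX = {"example.com": ["mail.example.com"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _matches(name, arg, domain, ip):
    """Return True if one mechanism matches the connecting IP."""
    if name == "all":
        return True  # all always matches
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        hosts = [arg or domain]  # a:host, or the domain itself
    elif name == "mx":
        hosts = DNS_MX.get(arg or domain, [])
    else:
        raise ValueError(f"unsupported mechanism: {name}")
    return any(ip == ipaddress.ip_address(a) for h in hosts for a in DNS_A.get(h, []))


def check_spf(record, domain, sender_ip):
    """Evaluate mechanisms left to right; the first match decides the result."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if _matches(name.lower(), arg, domain, ip):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


if __name__ == "__main__":
    record = "v=spf1 ip4:10.20.20.0/24 ip4:10.10.10.21 -all"
    for addr in ("10.20.20.7", "10.10.10.21", "10.10.10.22"):
        print(addr, check_spf(record, "example.com", addr))
```

Because the first matching mechanism decides the result, a record that places all before the other mechanisms would never reach them.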