Sender Policy Framework (SPF) is a system to prevent email address spoofing and minimize inbound spam. Using SPF, a domain may explicitly authorize the hosts that are allowed to use its domain name.
SPF works by publishing SPF (code 99) or TXT (code 16) records, which are DNS resource records that declare which hosts are allowed to use a domain name. The receiving mail server checks the SPF records from the domain identified as sending the email to verify that the source IP which the email originated from is authorized to send email from that domain.
Using SPF can increase client confidence and trust. A domain which implements SPF is much less likely to be spoofed. Without SPF, a spam email can be spoofed to show a particular domain, in which case the recipient would likely report the email as spam. With enough such reports, Bayesian spam filters would be more likely to block the domain, thus blocking any potential legitimate emails. If a domain does implement SPF, however, and it is forged, the receiving server will be more likely to block the fraudulent email.
An SPF record looks like: v=spf1 +mx a:colo.example.com/28 -all
Configuring SPF records is relatively straight-forward. SPF Record Syntax includes full details on the syntax and mechanisms for SPF records and can be useful in creating them. The server checks the SPF record from left to right until it either successfully passes the email or it reaches the end of the record and performs the default action, rejecting -all
or marking the email as spam ?all
.
Mechanisms in the SPF record
v |
Indicates the version of SPF used. The other mechanisms test the legitimacy of the email. |
MX and A |
DNS resource records that are compared between the email and the SPF record to decide whether or not to accept the email. |
all |
Indicates that the SPF always matches and serves as a default action. |
NOTE: The mechanisms are combined with qualifiers to determine how to handle a match.
Qualifiers in the SPF record
+ |
Implied if omitted. Pass. |
- |
Fail. |
? |
Neutral result. |
~ |
Softfail |
SPF record sample: v=spf1 +mx a:colo.example.com/28 -all
Combining these, the sample SPF record reads:
1. It uses version 1 v=spf1
.
2. Passes email if the domain has an MX record matching the sender’s address +mx
.
3. Passes email if the domain has an address record matching colo.example.com/28 a:colo.example.com/28
.
4. Fails all others -all
.
How these results are handled is left to the receiving domain’s administrators to handle. Typically, fails are rejected and softfails are marked as potentially spam.