History of the Sender Policy Framework (SPF)
What is an SPF record?
How does SPF work?
The SPF process starts with the receiving server looking at the domain in the return-path address, which is the address bounces are sent to if the message is rejected. The server checks whether the connecting IP is on that domain’s list of approved senders, as published in its SPF record. If it is, the message passes SPF and continues through processing for delivery.
Do I need SPF?
Principles of operation
While setting up an SPF record is fairly straightforward, what happens once it’s implemented is more involved. Behind the scenes, there are several factors that can impact the effectiveness of SPF authentication.
FAIL and forwarding
In essence, SPF breaks when mail is forwarded outside its intended path. If the forwarder does not rewrite the return-path address and is not safelisted, the message will be rejected by the mailbox provider when SPF is checked.
If you publish an SPF FAIL policy, mailbox providers (MBPs) will need to rely on other signals to identify whether your email is legitimate before delivering the message.
If the receiving server gets information it can verify, it returns a “250 ok” to indicate the message was received and is cleared for delivery.
If there are SPF issues during this exchange, the mail is bounced back to the return-path address.
Why SPF-only isn’t safe enough
What happens if the SPF record doesn’t list the sender’s IP? The receiving server still processes the message. There are several ways this mismatch can arise: legitimate mail may have been forwarded, or the mail may genuinely be malicious. Because an SPF result alone is ambiguous, it is not a reliable way to block mail by itself. Additional email authentication standards, such as DKIM and DMARC, add further layers of authentication for stronger protection against malicious spoofing attacks.
- “+” means Pass. If a mechanism with this qualifier matches, the sending IP is authorized for the domain and the message passes authentication.
- “-” means Fail. The host is not authorized to send mail for the domain, and the message will not continue transmission.
- “~” means Softfail. The IP is not authorized to send mail for the domain, but the message still continues on its journey.
- “?” indicates Neutral. None of the listed mechanisms matched the IP, and the result is designated neutral.
- None: There is no SPF record to look up, or the SPF lookup returns no result at all.
- Permerror: As the name indicates, a permanent error that will not resolve on retry. This usually means the SPF record is not configured properly.
- Temperror: A transient error occurred during the check, not a defect in the record itself. For instance, there may have been a problem retrieving information from DNS.
These results allow you to rectify issues in your Sender Policy Framework. Without monitoring, or without knowing what your bounce codes mean, the issue goes unaddressed and your problems will continue. There are free resources to help you figure this out, and Validity also provides this data in its Everest platform.
How do I set up my SPF record?
There are five steps any email marketer should follow to properly set up and implement their SPF record.
- Collect all IPs sending mail on behalf of your domains. Don’t forget, you need to list every single one. Is there a server for internal mail? Make sure to include it so your in-office mail travels without issue. Would you like your recipients to forward mail without it bouncing? Add the IP addresses of the mailbox providers of the individuals on your mailing lists.
- Make a list of your sending domains. It is important to create SPF records for all domains, even those you’re not emailing from. Criminals are likely to spoof your non-sending domains if they are not also protected.
- Create the SPF record. This can be nuanced and often requires some advanced knowledge of SPF mechanisms. This setup resource has in-depth guidance for building your record.
- Publish your SPF record to DNS. Work with your DNS server administrator, IT department or email service provider for support.
- Test. There are free tools to check your record; they will produce the list of IPs authorized to send your mail. Make sure all of yours are listed, and if they aren’t, go back and fix the record.
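The following is an added example, not code from the original article or from Validity; it is a small evaluator that applies the qualifier and result semantics listed under “Principles of operation” (pass, fail, softfail, neutral, none, permerror, temperror) and doubles as the offline check behind the “Collect all IPs” and “Test” steps above: run each IP you gathered against your draft record and confirm it returns pass. DNS is replaced by a constructed in-memory zone (`ZONE`), the domains and addresses are documentation examples, and only the `ip4`, `ip6`, `include` and `all` mechanisms are modelled (`a`, `mx`, `ptr`, `exists` and modifiers are not). The `forwarding_demo` function shows the forwarding problem from the “FAIL and forwarding” section: the same message passes from its origin server and fails once an SPF-unaware forwarder relays it with the return-path unchanged.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (example data, not real records).
DNS_TIMEOUT = object()  # sentinel: the lookup did not complete
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
    "flaky.example": DNS_TIMEOUT,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per check


def check_spf(domain, ip, zone=ZONE, _lookups=None):
    """Evaluate the SPF record of `domain` for connecting address `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror, temperror.
    Only ip4, ip6, include and all are modelled; a, mx, ptr and exists are not.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across include: recursion
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "permerror"
    record = zone.get(domain.lower())
    if record is DNS_TIMEOUT:
        return "temperror"  # DNS problem, expected to clear on retry
    if record is None:
        return "none"  # no record to look up
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # TXT present but not an SPF record
    for term in terms[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are not modelled here
        qualifier = "+"  # a mechanism with no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many DNS-querying mechanisms
            inner = check_spf(arg, ip, zone, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "temperror"):
                return inner
            if inner == "none":
                return "permerror"  # included domain has no SPF record
            # fail/softfail/neutral from the include: no match, try next term
        else:
            return "permerror"  # unknown mechanism name
    return "neutral"  # nothing matched and no all term present


def forwarding_demo():
    """Same message before and after an SPF-unaware forwarder (constructed IPs)."""
    direct = check_spf("example.com", "192.0.2.7")       # origin server
    forwarded = check_spf("example.com", "203.0.113.5")  # forwarder's IP
    return direct, forwarded


if __name__ == "__main__":
    print(forwarding_demo())
```

To use it as the “Test” step, put your own draft record into `ZONE` under your domain and call `check_spf` once per IP from your step-1 inventory; anything other than pass means that sender is missing from the record, and permerror means the record itself needs fixing before publishing.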
Discover how Everest can help you set up and monitor proper email authentication to keep your program safe and secure.