SPF

The Sender Policy Framework

Read up on the Sender Policy Framework.

Why?

There's nothing stopping someone from pretending to send mail from a fake address. A scammer might send an email from ceo@megacorp.com as follows:

Please send me $10,000 to my temporary bank account 0123456789.

How can we determine whether a sender's email address is fake or real? The Sender Policy Framework (SPF) is one tool for this.

What it does

SPF is a system that your mail server uses to check whether the server an email arrived from is allowed to send mail for the domain in the sender's address.

Almost all mail servers check for SPF records, so if you don't want your mail to be marked as spam or phishing, you will want to set up proper DNS records.

How it works

Qualifier | Result    | Meaning                             | Action
----------|-----------|-------------------------------------|----------------
+         | Pass      | Can send                            | Accept
-         | Fail      | Cannot send                         | Reject
~         | SoftFail  | Cannot send but still in transition | Accept but mark
?         | Neutral   | Neutral                             | Accept
          | None      | No matching SPF record              | Accept
          | PermError | Error (bad SPF record)              | Unknown
          | TempError | Temporary error                     | ?

Mechanism              | Meaning
-----------------------|---------------------------------------------------------------------------------------------
all                    | Always matches
ip4:<address>/<prefix> | Matches IPv4 address/subnet
ip6:<address>/<prefix> | Matches IPv6 address/subnet
a:<domain>             | Matches IPv4 address from A record (or AAAA record if IPv6); uses current domain if none given
mx:<domain>            | Matches IP addresses of MX records; uses current domain MX if none given

Record                               | Meaning
-------------------------------------|-------------------------------------------------------------------
"v=spf1 mx -all"                     | Allow MXes to send mail, deny all others.
"v=spf1 -all"                        | The domain cannot send any mail.
"v=spf1 +all"                        | Anyone can send mail for this domain (SPF becomes useless).
"v=spf1 ip4:192.168.0.1/24 -all"     | IPs between 192.168.0.1 and 192.168.0.255 can send.
"v=spf1 ip6:2001:db8::/96 -all"      | The IPv6 subnet 2001:db8::/96 can send.
"v=spf1 a -all"                      | IPs from the current domain's A record can send mail.
"v=spf1 a:example.com -all"          | IPs from example.com can send mail.
"v=spf1 mx mx:mail.example.com -all" | IPs from the MX servers for the current domain and for mail.example.com can send.
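As an added example (not code from the original page), here is a small Python evaluator for exactly the subset of SPF covered by the tables above: the four qualifiers and the all, ip4, ip6, a and mx mechanisms, mapped to the receiving server's action. DNS is replaced by a constructed in-memory table so the example runs offline; every domain name, address and record in FAKE_DNS is an assumption for illustration, and a real checker would resolve the TXT, A, AAAA and MX records with a DNS library instead. It goes one step beyond the tables in treating a domain that publishes two SPF records as a PermError, which is what RFC 7208 specifies.

```python
"""Minimal SPF evaluator (all, ip4, ip6, a, mx mechanisms with qualifiers).

Added example, not the page's own code.  The lookup() function stands in
for real DNS; swap it for a resolver to check live domains.
"""
import ipaddress

# Constructed DNS data for the example (assumption: not real records).
FAKE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx ip4:192.168.0.1/24 -all"],
        "A": ["203.0.113.10"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["203.0.113.25"], "AAAA": ["2001:db8::25"]},
    "staging.example.com": {"TXT": ["v=spf1 a ~all"], "A": ["203.0.113.30"]},
    "noreply.example.com": {"TXT": ["v=spf1 -all"]},
    "lax.example.com": {"TXT": ["v=spf1 +all"]},
    "broken.example.com": {"TXT": ["v=spf1 -all", "v=spf1 mx -all"]},
    "nospf.example.com": {},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# What the receiving server does with each result, per the table above.
ACTIONS = {
    "pass": "accept",
    "fail": "reject",
    "softfail": "accept but mark",
    "neutral": "accept",
    "none": "accept",
    "permerror": "unknown",
    "temperror": "?",
}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns a list of record data strings."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's SPF TXT record, None if absent, 'permerror' if duplicated."""
    records = [r for r in lookup(domain, "TXT") if r == "v=spf1" or r.startswith("v=spf1 ")]
    if len(records) > 1:
        return "permerror"  # RFC 7208 section 4.5: more than one record is a PermError
    return records[0] if records else None


def host_ips(name):
    """All A and AAAA addresses of a host as ip_address objects."""
    return [ipaddress.ip_address(a) for a in lookup(name, "A") + lookup(name, "AAAA")]


def mechanism_matches(mech, client_ip, domain):
    """True if the mechanism (without its qualifier) matches the connecting IP."""
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        net = ipaddress.ip_network(arg, strict=False)  # strict=False accepts 192.168.0.1/24
        return client_ip.version == net.version and client_ip in net
    if name == "a":
        return client_ip in host_ips(arg or domain)
    if name == "mx":
        return any(client_ip in host_ips(mx) for mx in lookup(arg or domain, "MX"))
    raise ValueError("unsupported mechanism: " + name)


def check_spf(client_ip, domain):
    """Evaluate the domain's SPF record for the IP that delivered the message."""
    client_ip = ipaddress.ip_address(client_ip)
    record = spf_record(domain)
    if record == "permerror":
        return "permerror"
    if record is None:
        return "none"
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"              # a mechanism with no qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        try:
            matched = mechanism_matches(term, client_ip, domain)
        except ValueError:
            return "permerror"       # unknown mechanism or malformed address
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                 # nothing matched: RFC 7208 default result


def mta_action(client_ip, domain):
    """(result, action) pair for the receiving server's decision."""
    result = check_spf(client_ip, domain)
    return result, ACTIONS[result]


if __name__ == "__main__":
    for ip, dom in [("203.0.113.25", "example.com"), ("198.51.100.7", "example.com"),
                    ("203.0.113.31", "staging.example.com"), ("198.51.100.7", "nospf.example.com")]:
        print(ip, dom, mta_action(ip, dom))
```

Note that 203.0.113.10 is example.com's own A record, yet mail from it fails: the record lists mx and ip4 but no a mechanism, so only the MX host and the ip4 range are authorised. That is the kind of gap a practitioner checks for before switching a record from ~all to -all.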