Wednesday, May 18, 2011

SPF Records Explained

Email spoofing, forging an e-mail header to make it appear as if it came from somewhere or someone other than the actual source, has become a worldwide problem. Though it can be legitimate, it is usually fraudulent and often used in spam and phishing emails to hide the origin of the message. We've all received scams via email that appear to be from our bank or from some other well-known sender but obviously aren't. Because core SMTP doesn't provide any authentication, it is easy to impersonate senders and forge emails.

Sender Policy Framework (SPF) is used as one of the standard methods for fighting spam by helping email systems verify the identity of a message sender. This protocol works by defining TXT records in a domain's DNS zone which can be used to validate legitimate email sources from a domain. The string placed within the TXT record specifies a list of authorized host names and IP addresses that mail can originate from for a given domain name.

More and more email systems are adopting SPF and we've repeatedly seen an increase in email deliverability among our customers who have implemented SPF. If your domain does not have an SPF record, some recipient domains may reject messages from your users because they cannot validate that the messages come from an authorized mail server.

How SPF Works

SPF records are added to DNS the same way as a regular A, MX, or CNAME record. The domain administrator publishes a DNS TXT record with a specific syntax that lists all SMTP servers that are authorized to send email for the domain name. When an email system that has implemented SPF receives a message, it takes the sender's domain from the FROM line of the message, queries public DNS for that domain's TXT record, and parses the SPF information it contains.

If the message was sent from an authorized SMTP server, the message is stamped with an SPF x-header indicating that it "passed" the SPF check, and the message is delivered. If the message was sent from an SMTP server that is NOT authorized, the message is typically rejected. If the domain owner has not published an SPF record, the message is stamped with an SPF x-header indicating that it is "unknown" whether or not the message should be trusted.

Publishing Your Own SPF Record

First and foremost, you have to determine all the servers that send mail for your domain name. This is the most time consuming part of creating an SPF record. The more precise your list of sending servers, the more authoritative your SPF record will be.

Once this entry is placed within the DNS zone, no further configuration is necessary to take advantage of servers that incorporate SPF checking into their anti-spam systems.

Here's a sample SPF record and an explanation of each mechanism used:

v=spf1
This declares that the entry is an SPF version 1 record.

mx
This declares that any server with a valid MX record for your domain is a valid sending server.

ip4:
This declares that mail can originate from the IP address or network range that follows. You may specify a network range by appending a subnet in slash (CIDR) notation; for example, ip4:192.0.2.0/24 (an illustrative documentation range) authorizes every address in that /24.

-all
This mechanism typically goes at the end of the SPF record and declares that the hosts listed before it are the only acceptable sending IP addresses and that all others are prohibited.
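As an added illustration (not code from the original post), here is the receiving-side check described above reduced to its core: a small Python evaluator that parses a record built from the mechanisms explained here and decides pass, fail, softfail or neutral for a given sending IP. The MX lookup is replaced by a constructed table so it runs offline; example.com and the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are documentation values, not real hosts.

```python
import ipaddress

# Constructed DNS data standing in for the MX lookup a real checker would
# perform; example.com and 192.0.2.x are documentation values.
SAMPLE_MX_HOSTS = {"example.com": ["192.0.2.10", "192.0.2.11"]}

# Qualifier prefix -> SPF result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT string into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # no prefix means "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def check_host(ip, domain, record, mx_lookup=SAMPLE_MX_HOSTS.get):
    """Evaluate `record` for a message from `ip` claiming `domain`.

    Mechanisms are tried left to right and the first match decides; with
    no match (e.g. a record lacking "all") the result is "neutral".
    """
    sender = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A bare address gets an implicit /32 or /128; strict=False
            # tolerates host bits set inside the prefix. An IPv4 sender
            # never matches an ip6 network (and vice versa).
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            # "mx" alone means the sender's domain; "mx:other.example"
            # names a different domain's MX hosts.
            hosts = mx_lookup(arg or domain) or []
            matched = any(sender == ipaddress.ip_address(h) for h in hosts)
        else:
            raise ValueError(f"unsupported mechanism: {mech}")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"
```

Swapping in a real MX resolver for `mx_lookup` is the only change needed to run it against live DNS.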

Other Resources

To learn more about using SPF records for more advanced configurations, visit the SPF Project's page on SPF Record Syntax.

If you're looking for shortcuts, there are many online tools that help you create an SPF record quickly and easily, such as the Microsoft SPF Record Wizard.