What is an SPF record?


SPF – Sender Policy Framework.

SPF allows the domain owner to publish, in a TXT record of the domain, a specially formed string listing the servers that are authorized to send email messages whose return address is in this domain.

Let's look at a simple example of an SPF record.

example.org. IN TXT "v=spf1 +a +mx -all"

Now let's look at the available options in more detail, and at how the receiving server behaves depending on which of them are used:

"v=spf1" is the SPF version used.
"+" - accept the message (Pass). This is the default qualifier: a mechanism written without one is treated as "+", i.e. "Pass";
"-" - reject (Fail);
"~" - "soft" rejection (SoftFail). The message will be accepted, but marked as SPAM;
"?" - neutral (Neutral): the record makes no statement about this sender;
"mx" - includes all server addresses specified in the MX records of the domain;
"ip4" - allows you to specify a specific IP address or a network of addresses;
"a" - matches when the sender's IP address is among the A records of the specified domain (by default, the current domain);
"include" - includes the hosts allowed by the SPF record of the specified domain;
"all" - all other servers not listed in the SPF record.
So, let's try to figure out what the SPF record indicated above means.

"+a" - allows receiving letters from a node whose IP address matches the IP address in the A-record for example.org;
"+mx" - allows receiving letters if the sending host is specified in one of the MX records for example.org;
"-all" - all messages that do not pass verification using the listed mechanisms should be rejected.
To better understand how SPF works, let's look at another, more complex example.

example.org. IN TXT "v=spf1 mx ip4:195.3.159.250 +a:smtp.mail.ru include:gmail.com ~all"

Now in more detail about the options used:

"mx" - receive letters from servers specified in MX records;
"ip4:195.3.159.250" - receive letters sent from IP address 195.3.159.250;
"+a:smtp.mail.ru" is the same as "a:smtp.mail.ru". Accept from smtp.mail.ru;
"include:gmail.com" - accept letters from servers allowed by gmail.com SPF records;
"~all" - accept messages from all other servers, but mark them as SPAM.
Now let's look at an even more “exotic” example. The description of possible options indicated that it was possible to specify networks of IP addresses. It's worth noting that this also applies to "a" and "mx" entries. Consider the following example.

example.org. IN TXT "v=spf1 mx/24 a:muff.kiev.ua/24 -all"

"mx/24" - the list of allowed senders includes all IP addresses located in the same /24 (class C sized) networks as the MX hosts of the domain;
"a:muff.kiev.ua/24" - the list of allowed senders includes all IP addresses located in the same /24 (class C sized) networks as the A records of the domain muff.kiev.ua;
"-all" - all other senders are blocked.
Sometimes you can find the following entries (very rarely):

"ptr" - checks the PTR record of the sender's IP address. If it points to the specified domain, the mechanism returns a positive result. In other words, every IP address whose PTR record points to the specified domain is allowed to send. A serious disadvantage of this method is that it generates a very large number of DNS queries;
"exists" - checks whether the domain resolves to any IP address at all; in essence, it is a check that the domain name exists. Note that it doesn't matter which IP address the domain resolves to, even one in the private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or the loopback address (127.0.0.1).
Usage example:

example.org. IN TXT "v=spf1 ptr:example.org exists:example.org -all"

It would also be a good idea to familiarize yourself with the following options: redirect and exp.

"redirect" - instructs the recipient to check the SPF record of the specified domain instead of the current domain's record. Example:

example.org. IN TXT "v=spf1 redirect=example.com"

In this example, the SPF record of the domain example.com is checked instead of the record of example.org. Note that redirect is a modifier, written with "=" rather than ":", and that it is ignored if the record also contains an "all" mechanism, so it is normally the last (or only) term in the record.
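As an added worked example (not code from the original article), the following Python script evaluates SPF records of the kind shown above against a sender IP address. It uses a small constructed in-memory DNS table instead of real lookups, so every hostname, address and record in it is made up; it handles the qualifiers, the "a", "mx", "ip4", "include" and "all" mechanisms, the /24 form, and the redirect modifier.

```python
import ipaddress

# Constructed, offline stand-in for DNS (hypothetical names and addresses):
# (name, record type) -> list of values.  A real checker would query a resolver.
DNS = {
    ("example.org", "TXT"): ["v=spf1 mx ip4:195.3.159.250 +a:smtp.mail.ru include:gmail.com ~all"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["203.0.113.20"],
    ("smtp.mail.ru", "A"): ["198.51.100.5"],
    ("gmail.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("example.net", "TXT"): ["v=spf1 mx/24 a:smtp.mail.ru/24 -all"],
    ("example.net", "MX"): ["mail.example.org"],
    ("example.com", "TXT"): ["v=spf1 redirect=example.net"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _lookup(name, rrtype):
    return DNS.get((name, rrtype), [])

def _in_any(ip, addrs, prefix):
    """True if ip lies inside any addr/prefix network (prefix 32 = exact host match)."""
    return any(ip in ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs)

def check_spf(domain, sender_ip, depth=0):
    """Return pass/fail/softfail/neutral/none for sender_ip under domain's SPF record."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in _lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records or depth > 10:           # no record, or an include/redirect loop
        return "none"
    for term in records[0].split()[1:]:     # skip the "v=spf1" version token
        if term.startswith("redirect="):    # modifier: evaluate the other domain instead
            return check_spf(term[len("redirect="):], sender_ip, depth + 1)
        qual = term[0] if term[0] in QUALIFIERS else "+"   # "+" is the default qualifier
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech, _, cidr = mech.partition("/")   # "mx/24"
        arg, _, cidr2 = arg.partition("/")    # "a:host/24", "ip4:net/24"
        prefix, target = int(cidr or cidr2 or 32), arg or domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = _in_any(ip, [target], prefix)
        elif mech == "a":
            matched = _in_any(ip, _lookup(target, "A"), prefix)
        elif mech == "mx":
            matched = any(_in_any(ip, _lookup(mx, "A"), prefix) for mx in _lookup(target, "MX"))
        elif mech == "include":
            matched = check_spf(target, sender_ip, depth + 1) == "pass"
        else:
            continue                        # ptr, exists and exp are not modelled here
        if matched:
            return QUALIFIERS[qual]         # first matching mechanism decides
    return "neutral"                        # nothing matched and no "all" term
```

For instance, check_spf("example.org", "203.0.113.99") returns "softfail" because only the "~all" term matches, while check_spf("example.com", "10.1.1.1") follows the redirect to example.net and returns "fail".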
