What is it about?
The Sender Policy Framework (SPF) record allows an email server to verify the legitimate origin of incoming emails. This record is added within a DNS zone of a domain to identify the servers or IP addresses authorized to send email for the domain itself.
What is it for?
The purpose of the SPF record is to prevent spammers from sending messages with forged sender addresses within your domain, or impersonating your sender even though you are not a user in your organization who has access to use your email address.
The recipient servers can check the SPF record to determine if a message that appears to come from your domain comes from an authorized mail server and consequently decide to discard it as SPAM or accept it and deliver it to the recipient’s e-mail address.
The SPF record
The SPF record is inserted as a DNS record in the DNS (name server) zone of the domain, in the form of a TXT record.
The record contains a list of IP addresses from which emails can be sent for this domain.
There are also other records, for example for the e-mail filter server through which the e-mail must pass before being forwarded to the recipient.
These “intermediate stations” are often included with the instruction include.
most common parameters:
|v||Record version; v = SPF1 indicates the currently valid version.|
|ip4||IP address; “IP4” is the name of the well-known form of IP address. In addition to this, there are the new IP6 addresses which are still not widespread.|
|-all||All other senders not listed here are not authorized and must be rejected.|
|include||Indicates other domains whose SPF record is to be retrieved.|
yourdomainname.com. IN TXT "v=spf1 ip4:indirizzoipdelserver include:ocusfocus.eu include:ocusfocus.it include:ocusfocus.net ~all
In addition to the above -all code, there is also the version with the tilde: ~ all. This indicates that all other senders are not authorized, but must nevertheless be accepted. This “soft fail” claim was initially introduced for testing purposes, but is now used by several hosting providers.
Advantages and disadvantages
For security reasons, the SPF record is now increasingly required as a mandatory requirement by an increasing number of Internet Service Providers.
This means that the receiving mail server does not deliver the e-mails that do not have the necessary authorization to the end user, or delivers them with a warning (“non-secure e-mail”).
The main advantage of the SPF record is that it is easy to implement: a very simple TXT record is sufficient. In most cases, this can be automatically generated by the service provider.
As important as the SPF record is, its effectiveness as a protection should not be overstated, because:
- SPF does not protect against spoofing. Despite SPF, a scammer may still be able to display a fake sender name in the email
- SPF does not improve sender reputation. Even a spammer can use SPF
- SPF does not protect against an unauthorized mail sender. If someone sends messages from your mail server without being authorized, SPF does not intervene
Usually, the SPF record is used in conjunction with other security mechanisms, in particular together with DKIM and DMARC which we will see later.
Generally, the user does not have to deal with writing and inserting the SPF record independently.
Good email hosting providers offer tools to do this and in most cases, the spf record is automatically configured.
Those who already use our hosting services is aware of this.