What are SPF records?
Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain’s administrators.
How does it work?
The Simple Mail Transfer Protocol (SMTP) permits any computer to send email claiming to be from any source address. This is exploited by spammers who often use forged email addresses, making it more difficult to trace a message back to its sender, and easy for spammers to hide their identity in order to avoid responsibility. It is also used in phishing techniques, where users can be duped into disclosing private information in response to an email purportedly sent by an organization such as a bank.
SPF allows the owner of an Internet domain to specify which computers are authorized to send mail with sender addresses in that domain, using special Domain Name System (DNS) records (SPF, type 99). Receivers verifying the SPF records may reject messages from unauthorized sources before receiving the body of the message.
How does Sender ID Framework work?
Why use SPF records?
If a domain publishes an SPF record, spammers and phishers are less likely to forge e-mails pretending to be from that domain, since the forged e-mails are more likely to be caught in spam filters which check the SPF record. Therefore, an SPF-protected domain is less attractive to spammers and phishers. Since an SPF-protected domain is less attractive as a spoofed address, it is less likely to be blacklisted by spam filters and so ultimately the legitimate e-mail from the domain is more likely to get through.
Who should use SPF records?
If your email is hosted by an ISP or you use a public email system such as Gmail or Hotmail, you shouldn’t worry about SPF records as this is manage by the respective organisation. However, if you host your own internal email system such as an Exchange Server or even have it hosted by a third party in the cloud, you should ensure that correct SPF records are in place.
An example of SPF records
example.com. IN TXT "v=spf1 ip4:188.8.131.52/24 ip4:198.51.100.123 a -all" example.com. IN SPF "v=spf1 ip4:184.108.40.206/24 ip4:198.51.100.123 a -all"
example.com. IN TXT "v=spf1 ip4:220.127.116.11 a -all" example.com. IN SPF "v=spf1 ip4:18.104.22.168 a -all"
“v=” defines the version of SPF used. The following words provide mechanisms to use to determine if a domain is eligible to send mail. The “ip4” and “a” specify the systems permitted to send messages for the given domain. The “-all” at the end specifies that, if the previous mechanisms did not match, the message should be rejected.
How to create your SPF records
In the last two example above the format is pretty simple. “v=spf1 ip4:<IP ADDRESS OF EMAIL SERVER> a -all”, however it can be more complex especially if you have multiple email servers on your domain or you have a third party spam filter in place and different MX records that aren’t internal to your organization. Fortunately there is help at hand………!
Easy (or at least easier) way to create your SPF records
There is a Sender ID Framework SPF Record Wizard at the following Microsoft website: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/ If you follow the wizard it should generate useable SPF records. All you need to do is then copy and paste them into the hosting service NS records administration page (read below).
Implementing the SPF records
You should log on to your domain hosting service and create a new TXT or SPF record. Sometimes the host has a specific SPF record type others don’t and some just combine the two as a TXT (SPF) record. If in doubt either contact your hosting provider or call us at Wimbledon IT for advice.
Testing your SPF records
Once you have created your spf records that you test that they are visible on the Internet. Please note, that like all public DNS data, it will take a few hours for it to update globally.
We recommend using the test tool at http://www.kitterman.com/spf/validate.html
We will be following this blog up with another article about avoiding being added to spam abuse lists, and how to check if you are and what steps you can take to ensure that this doesn’t happen again.