Creating an SPF record without knowing the correct format is of no use: the TXT record will likely be erroneous and, hence, ineffective against phishing and spoofing attacks. An SPF record is made up of syntax elements that fall into three categories: mechanisms, modifiers, and qualifiers. Used together, they let domain owners give recipients' mail servers a set of instructions on how to handle illegitimate email messages that claim to come from your domain.
SPF Record Format
Let's break down the components:
- v=spf1: This is the version tag and specifies which SPF version is in use. Every SPF record must begin with this.
- Mechanisms: Mechanisms are the core components of the record. Each one describes a set of sending hosts and, together with its qualifier, tells the receiving server whether emails failing SPF checks should be marked as spam, rejected, or treated normally. Common mechanisms include:
  - a: Authorizes the IP addresses in the specified domain's A record.
  - mx: Authorizes the hosts listed in the specified domain's MX (Mail Exchange) records.
  - ip4 and ip6: Authorize specific IPv4 or IPv6 addresses or address ranges.
  - include: Pulls in the SPF record of the specified domain and authorizes the senders it lists.
  - ptr: Allows the use of reverse DNS lookups for authorization.
Image sourced from leadfeeder.com
- Modifiers: Modifiers provide additional instructions or information about the SPF record. Common modifiers are:
  - redirect: Tells the receiving server to evaluate the SPF record of another domain instead.
  - exp: Provides an explanation to return to the sender when an SPF check fails.
SPF Record Example
v=spf1 include:_spf.example.com ~all
Here's what each of the elements means in this example:
- v=spf1 indicates SPF version 1.
- ‘include:_spf.example.com’ authorizes the senders listed in the SPF record of _spf.example.com to send email on behalf of the organization using this domain.
- ‘~all’ specifies a softfail for every other sender, which directs recipients' servers to accept the email but treat it as suspicious, typically placing it in the spam folder.
Best Practices for Managing SPF Records
Minimize DNS Lookups
Exceeding the limit of 10 DNS lookups makes your SPF TXT record invalid. If this problem persists, reach out to us for automatic SPF flattening. We'll automatically replace domains with their IP addresses to eliminate the extra lookups.
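To tie the record format above to the lookup limit, here is a small offline SPF record parser, added as an example and not code from the original page or any SPF tool. It tokenises a record into qualifiers, mechanisms and modifiers, counts the terms that cost a DNS lookup (a, mx, include, ptr, exists and redirect, per RFC 7208), and flags common syntax errors without querying DNS.

```python
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"a", "mx", "include", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "a", "mx", "ip4", "ip6", "include", "ptr", "exists"}
MODIFIERS = {"redirect", "exp"}
MAX_LOOKUPS = 10
# mechanism name, optional ':value', optional '/prefix-length' (e.g. mx:relay.example.com/24)
TERM_RE = re.compile(r"([A-Za-z0-9]+)(?::([^/]*))?(/\d+(?:/\d+)?)?")


def parse_spf(record):
    """Tokenise one SPF TXT record offline; returns the mechanisms, modifiers,
    the number of DNS lookups the record would cost, and any syntax errors."""
    out = {"mechanisms": [], "modifiers": {}, "lookups": 0, "errors": []}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        out["errors"].append("record must begin with v=spf1")
        return out
    seen_all = False
    for term in terms[1:]:
        if "=" in term:                      # modifier: name=value, position-independent
            name, value = term.split("=", 1)
            name = name.lower()
            if name not in MODIFIERS:
                out["errors"].append(f"unknown modifier: {name}")
            elif name in out["modifiers"]:
                out["errors"].append(f"duplicate modifier: {name}")
            else:
                out["modifiers"][name] = value
                out["lookups"] += name in LOOKUP_TERMS
            continue
        if seen_all:                         # receivers stop evaluating once 'all' matches
            out["errors"].append(f"mechanism after all is never evaluated: {term}")
            continue
        qualifier = "+"                      # pass is the default when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = TERM_RE.fullmatch(term)
        name = m.group(1).lower() if m else ""
        if name not in MECHANISMS:
            out["errors"].append(f"unknown mechanism: {term}")
            continue
        if name in ("ip4", "ip6", "include", "exists") and not m.group(2):
            out["errors"].append(f"{name} requires a value")
        out["mechanisms"].append((qualifier, name, (m.group(2) or "") + (m.group(3) or "")))
        out["lookups"] += name in LOOKUP_TERMS
        seen_all = seen_all or name == "all"
    if out["lookups"] > MAX_LOOKUPS:
        out["errors"].append(f"{out['lookups']} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    return out
```

The count is a static one: it does not follow include or redirect targets, so a nested include that itself performs lookups will raise the real total above what this reports.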
Use CIDR notations for IP Ranges
CIDR notation means writing an IP address together with its routing prefix: the address, a forward slash, and the number of significant bits in the routing prefix.
Example: 192.34.34.0/22
Set a Policy for Unspecified Servers
Use the ‘all’ mechanism as the last term to set the policy for servers not covered by any other mechanism. Choose between ‘+’ (pass), ‘-’ (fail), ‘~’ (soft fail), or ‘?’ (neutral).
Merging Multiple Records
Having multiple SPF records for a single domain causes confusion for recipients' servers, especially if the information in the records varies. Instead, merge them into one consolidated record, using ‘include’ statements where needed.
Use Quotes for Domains with Spaces
If you are adding a domain name with spaces, make sure to wrap it in double quotes.
Example:
v=spf1 include: "example with spaces" -all
Use SPF Lookup Tools
Regularly use SPF testing tools to check the validity and effectiveness of your SPF records.
Summary
A malicious sender uses an unauthorized mail server to send a fraudulent message in order to fool mail receivers into sharing sensitive information. SPF, DKIM, and DMARC DNS records offer protection against such senders; SPF does so by specifying the legitimate network ranges (ip4-network and ip6-network) that receivers use for authentication and compliance checks.