Prevent Email Spoofing | DNS Course
Email SPF Record Setup Tutorial – Sender Policy Framework (SPF)
Author: Emad Zaamout
Sunday, October 17, 2021
Introduction
Welcome back,
In this tutorial, we're going to cover what SPF records are, why you need them and how to create them.
If you own a domain, it's crucial that you set up your SPF record correctly to prevent email spoofing or email fraud.
If you don't have an SPF record set up, anyone can send email on your domain's behalf.
This can get your domain blacklisted for spam even if you are not the one sending the mail.
This is a DNS course, so you should be comfortable adding DNS records, such as TXT records, to your domain.
What is an SPF Record?
SPF stands for Sender Policy Framework. It is a TXT record that you add to your domain's DNS.
It is used by all major mail providers, such as Gmail and Outlook, so that they can detect and block email spoofing and unauthorized mail sent on your domain's behalf.
An SPF record allows you to specify one or more IP addresses or domain names that are allowed to send mail on your domain's behalf (i.e., mail "from" your domain).
Your SPF record should list exactly the servers that are authorized to send mail on your domain's behalf, and it should tell mail service providers how to handle any mail that is not authorized.
For example, if you're using Outlook as your email provider, then your SPF record would look something like this: "v=spf1 include:spf.protection.outlook.com -all"
The first part, v=spf1, specifies the SPF version; the current SPF version is 1. This is required for all SPF records and should always be the first term.
The second part, include:spf.protection.outlook.com, consists of two parts:
- The "include:" is called the Mechanism
- The "spf.protection.outlook.com" is called the Directive
The last part, -all, also consists of two parts, known as the Qualifier and the Directive.
Putting this all together, your SPF record should always look like this:
"v={spf version} {mechanisms}{directive} {qualifiers}all"
We will cover each part in detail, but to give you an idea, this record is saying that spf.protection.outlook.com is a third-party email vendor that is authorized to send email on our domain's behalf. The include part essentially pulls in the SPF record published at that domain.
The last part says that all other email not covered by our list should fail, which means the receiving mail provider will report that email as spam.
"v=spf1 include:spf.protection.outlook.com -all"
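To make that structure concrete, here is an added Python check (example code written for this page, not part of the tutorial) that splits a record into its version, qualifiers, mechanisms and values, and flags the mistakes the text warns about: a missing or misplaced all term, a permissive +all or ?all, and unknown mechanism names. It also applies two limits from RFC 7208 that the tutorial does not mention: at most 10 DNS-lookup mechanisms per check, and 255 characters per TXT string.

```python
import re
from typing import List, Optional, Tuple

# Mechanism names defined by RFC 7208; anything else makes the record a PermError.
KNOWN_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Mechanisms that cost a DNS query at evaluation time; RFC 7208 allows at most 10
# such terms per check, counting those inside included records as well.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
# [qualifier] mechanism-name [":" or "/" value]
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:/](.+))?$", re.IGNORECASE)


def parse_terms(record: str) -> List[Tuple[str, str, Optional[str]]]:
    """Split a record into (qualifier, mechanism, value) tuples, skipping the v=spf1
    version term; modifiers such as redirect= and exp= are not directives and are skipped."""
    terms = []
    for raw in record.split()[1:]:
        if "=" in raw:
            continue
        m = TERM_RE.match(raw)
        if not m:
            terms.append(("", raw, None))  # keep it so lint can flag the bad term
            continue
        qualifier, mech, value = m.groups()
        terms.append((qualifier or "+", mech.lower(), value))  # "+" is the default qualifier
    return terms


def lint_spf(record: str) -> List[str]:
    """Return a list of findings for an SPF record; an empty list means it looks sound."""
    findings: List[str] = []
    record = record.strip()
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return ["record must begin with v=spf1"]
    if len(record) > 255:
        findings.append("record longer than 255 characters; publish it as multiple TXT strings")
    terms = parse_terms(record)
    for _, mech, value in terms:
        if mech not in KNOWN_MECHANISMS:
            findings.append(f"unknown mechanism '{mech}' (evaluates to PermError)")
        elif mech in {"include", "ip4", "ip6", "exists"} and not value:
            findings.append(f"{mech} requires a value")
    lookups = sum(1 for _, mech, _ in terms if mech in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms in this record alone; the limit is 10")
    all_terms = [(i, q) for i, (q, mech, _) in enumerate(terms) if mech == "all"]
    if not all_terms:
        findings.append("no 'all' term: unauthorized senders get Neutral instead of Fail")
    else:
        idx, qual = all_terms[0]
        if idx != len(terms) - 1:
            findings.append("terms after 'all' are never evaluated")
        if qual == "+":
            findings.append("'+all' authorizes every host on the internet to send as your domain")
        elif qual == "?":
            findings.append("'?all' says nothing about unlisted senders; prefer -all")
        elif qual == "~":
            findings.append("'~all' only marks unlisted senders as suspicious; -all rejects them")
    return findings


if __name__ == "__main__":
    for rec in ("v=spf1 include:spf.protection.outlook.com -all",
                "v=spf1 +all",
                "v=spf1 ip4:192.0.2.0/24"):
        print(rec, "->", lint_spf(rec) or ["ok"])
```

Run it against your own record before publishing; the Outlook example from the text produces no findings, while "v=spf1 +all" is flagged as authorizing the whole internet.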
SPF Record – Qualifiers
So far, we know that your SPF record should always look something like this: "v=spf1 {mechanisms}{directive} {qualifiers}all"
Your spf record is read right to left.
In the mechanisms part, you list all the authorized server IPs that can send email on your behalf. The last part then tells the email service providers how to handle emails that are not authorized, based on the qualifier you use.
There are four different types of qualifiers.
The first one is the plus sign (+). This is the default qualifier; it is used if you don't specify a qualifier.
This qualifier means that the email service provider should always accept the email.
I don't recommend you use this option, because you don't want unauthorized email using your domain name to be accepted.
The second qualifier is the dash sign (-). I always recommend you use this qualifier.
This qualifier tells the email service provider to always fail the email when the sender is not part of your authorized list.
The third qualifier is the tilde (~). This qualifier tells the email service provider to accept the email but mark it as suspicious; basically, throw it in the junk folder.
The last qualifier is the question mark (?), which means neither pass nor fail. This qualifier tells the email service provider that your SPF record says nothing about passing or failing.
I always recommend you use the dash qualifier, to make sure all unauthorized emails are not accepted.
Qualifier | Result Code | Description |
---|---|---|
+ | Pass | Default if no qualifier is specified. Accept the message. |
- | Fail | Server is not authorized. Reject the message. |
~ | SoftFail | Server matching the IP address is unlikely to be authorized. Accept the message but mark it as suspicious. |
? | Neutral | Neither pass nor fail SPF. Accept. The SPF record does not state whether the server(s) should be accepted or rejected. |
SPF Record – Mechanism
Now, the last part of your SPF record is a combination of mechanisms and directives.
This is where you list as many IP addresses or domain names as you want to authorize.
When an email is sent out on your domain's behalf, the email service provider receiving it checks whether the sender is authorized by looking in this list.
There are five different mechanisms for authorizing servers.
You can authorize mail servers by domain name using the letter "a" as the mechanism.
So if you want to authorize another domain to send email on your domain's behalf, you would write "a", then a colon, then the domain name.
The second way you can authorize servers is by another domain's MX record. To do that, you write "mx", a colon, then the domain name whose MX record should be used.
The third way is to authorize by IPv4 address or a range of IPv4 addresses. This mechanism is straightforward: you write ip4, a colon, then the IPv4 address or range.
The fourth way is to authorize servers by IPv6 address or a range of IPv6 addresses. Similar to ip4, you write ip6, a colon, then the IPv6 address or range.
The last mechanism you can use is include. This authorizes a third-party email sender by pulling in that sender's own SPF record.
Mechanism | Description |
---|---|
a | Authorize mail servers by domain name. Example: a:autodiscover.outlook.com |
mx | Authorize one or more mail servers by another domain's MX record. For example, if you use Outlook, Gmail, Amazon SES, etc., you add an mx mechanism to authorize their servers. Example MX record: 10 inbound-smtp.us-east-1.amazonaws.com |
ip4 | Authorize mail servers by IPv4 address or address range. Example: ip4:192.168.0.1 or ip4:192.0.2.0/24 |
ip6 | Authorize mail servers by IPv6 address or address range. Example: ip6:3FFE:0000:0000:0001:0200:F8FF:FE75:50DF or ip6:2001:db8:1234::/48 |
include | Authorize third-party email senders by domain. Example: include:spf.protection.outlook.com |
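As an added example (not code from the tutorial), the following Python evaluator puts the qualifiers from the previous section and the five mechanisms from this one to work: it returns the result a receiving provider would arrive at for a given sender IP and claimed domain. It runs offline against a constructed stand-in for DNS; every name and address in it is made up for the example, using the documentation address ranges, and the MX values are plain hostnames without priorities. RFC 7208 tests the terms left to right and the first matching mechanism decides the result, which is what this code does. Not covered here: ptr, exists, the /prefix form of a and mx, and the redirect= and exp= modifiers.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-in for DNS so the example runs offline: name -> record type -> values.
# All names and addresses are made up for this example (RFC 5737 / RFC 3849 ranges).
DNS: Dict[str, Dict[str, List[str]]] = {
    "example.com": {
        "TXT": ["v=spf1 mx a:web.example.com ip4:192.0.2.0/24 "
                "include:_spf.mailvendor.example ~all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.10"]},
    "web.example.com": {"A": ["198.51.100.20"], "AAAA": ["2001:db8::20"]},
    # Third-party vendor policy pulled in by the include mechanism above.
    "_spf.mailvendor.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    # A record that includes itself, to show how an include loop is handled.
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
}

# Qualifier -> result code, as in the qualifier table above.
RESULT_BY_QUALIFIER = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def lookup(name: str, rtype: str) -> List[str]:
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain: str) -> Optional[str]:
    """Return the domain's single v=spf1 TXT record, or None if there is none."""
    spf = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    return spf[0] if len(spf) == 1 else None


def host_matches(name: str, ip) -> bool:
    """True if ip is one of the A (or, for an IPv6 sender, AAAA) addresses of name."""
    rtype = "A" if ip.version == 4 else "AAAA"
    return any(ipaddress.ip_address(addr) == ip for addr in lookup(name, rtype))


def evaluate_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """The receiver's check in miniature: the SPF result for mail from sender_ip
    that claims to come from domain."""
    ip = ipaddress.ip_address(sender_ip)
    if depth > 10:  # include-loop guard; real checkers also cap DNS lookups at 10
        return "PermError"
    record = spf_record(domain)
    if record is None:
        return "None"
    # Terms are tested left to right; the first mechanism that matches decides.
    for term in record.split()[1:]:
        qualifier = "+"  # "+" is the default when no qualifier is written
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A bare address is a /32 or /128; mismatched IP versions never match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_matches(arg or domain, ip)
        elif mech == "mx":
            matched = any(host_matches(mx, ip) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            inner = evaluate_spf(arg, sender_ip, depth + 1)
            if inner in ("PermError", "None"):
                return "PermError"  # a missing or broken included record breaks the whole check
            # include matches only on Pass; Fail, SoftFail and Neutral fall through
            # to the next term of this record.
            matched = inner == "Pass"
        else:
            return "PermError"  # ptr, exists and modifiers are outside this example
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "Neutral"  # nothing matched and no "all" term: RFC 7208 default


if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.20", "2001:db8::20",
               "192.0.2.77", "203.0.113.5", "192.0.3.1"):
        print(f"{ip:>16} -> {evaluate_spf('example.com', ip)}")
```

Mail from 192.0.3.1 is not covered by any mechanism, and because example.com ends in ~all the result is SoftFail (accept but mark suspicious); had the record ended in -all, as the text recommends, the same message would get Fail. The vendor record reached through include does end in -all, but its Fail does not decide the outcome: a non-Pass result from an included record only means the include did not match, and evaluation moves on to the next term.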