Scenario:

What is a "SPF" record?

Solution:

An SPF record is a type of Domain Name System (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.

SPF records are just one of many options for limiting the amount of backscatter you receive.

Have you received emails that appear to have originated from one of your domains, when in fact the sending spam server is spoofing your domain to make it look like they come from you? That's backscatter, and a Sender Policy Framework (SPF) record will help to reduce it, because the SPF record details which servers are allowed to send emails on behalf of a domain.

Example

Below is an example of an SPF record.

example.com.  IN  TXT  "v=spf1 a mx ~all"

The example above simply says that the servers allowed to send email for the domain are the same servers that are used to receive email, so the MX (Mail eXchange) records for the domain are used.

Let's say you want to use a different server for outbound email than for inbound. A good example of this is when your inbound MX records point to servers that are in fact a third-party spam filtering solution, but your sending (outbound SMTP) server is your internal Exchange server. You would therefore have an SPF record similar to the one below:

example.com.  IN  TXT  "v=spf1 ip4:1.2.3.4 a ~all"

If you use a service like Office 365, you would also want to include their SPF records in your own:

example.com.  IN  TXT  "v=spf1 include:spf.protection.outlook.com ~all"

If you are using MX Tools for your outbound SMTP gateway, you would need to include spf.mxtools.co.uk as well:

example.com.  IN  TXT  "v=spf1 include:spf.mxtools.co.uk ~all"

If you were using both services and your own IP address, for example, it could look like this:

example.com.  IN  TXT  "v=spf1 ip4:1.2.3.4 include:spf.mxtools.co.uk include:spf.protection.outlook.com ~all"

Breakdown of the SPF record

The breakdown of the record is as follows:

v=spf1  SPF Version 1
mx  The servers specified in the MX (Mail eXchange) records for the domain are also authorised to send email for the domain
a:server.example.com  The A record (server.example.com) is authorised to send emails for the domain
ip4:1.2.3.4  The IPv4 address is allowed to send emails on behalf of the domain
include:spf.mxtools.co.uk  Include the SPF record spf.mxtools.co.uk, which in turn authorises the servers specified in that SPF record to send emails for the domain
all

-all, This is strict compliance, meaning reject emails unless they come from the servers specified in the SPF record

~all, This is a soft fail, meaning emails will be accepted but will be marked as not compliant with the SPF record

?all, Accept emails anyway (not recommended)

 

SPF Record Checker

When you're setting up DNS records to add SPF/TXT records for your domain, it's always a good idea to check the records to ensure that the syntax is correct and the right information is being published.

MXTools provides an SPF Record Checker and Validation tool.
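
The breakdown and the syntax check described above can also be done offline. The Python below is an added example, not MXTools' checker or code from the original article: it splits a record into the qualifier, mechanism and argument parts listed in the breakdown and rejects malformed terms. It goes slightly beyond the article by also applying two RFC 7208 rules (at most 10 DNS-querying terms, and nothing is evaluated after all); parse_spf and lint_spf are hypothetical names.

```python
# Added example (RFC 7208 syntax); parse_spf/lint_spf are illustrative names.
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"^([+\-~?]?)([^:=/]*)([:=/]?)(.*)$")

def parse_spf(txt):
    """Split an SPF TXT value into (result, name, argument) tuples."""
    parts = txt.strip().strip('"').split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for part in parts[1:]:
        qual, name, sep, arg = TERM.match(part).groups()
        name = name.lower()
        if sep == "=" and name and not qual:  # modifier, e.g. redirect=
            terms.append((None, name, arg))
            continue
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism: {part!r}")
        if name in ("ip4", "ip6"):  # bad address or prefix raises ValueError
            net = ipaddress.IPv4Network if name == "ip4" else ipaddress.IPv6Network
            net(arg, strict=False)
        elif name in ("include", "exists") and (sep != ":" or not arg):
            raise ValueError(f"{name} needs a domain: {part!r}")
        terms.append((QUALIFIERS[qual or "+"], name, arg or None))
    return terms

def lint_spf(txt):
    """Warnings for a record that parses; counts only this record's own terms."""
    terms = parse_spf(txt)
    names = [name for _, name, _ in terms]
    warnings = []
    lookups = sum(name in LOOKUP_TERMS for name in names)  # RFC 7208 limit: 10
    if lookups > 10:
        warnings.append(f"{lookups} DNS-lookup terms, limit is 10")
    if "all" not in names and "redirect" not in names:
        warnings.append("no all term: unlisted senders get neutral")
    for i, (result, name, _) in enumerate(terms):
        if name == "all" and result in ("pass", "neutral"):
            warnings.append(f"all gives {result}: senders are not restricted")
        if name == "all" and any(r for r, _, _ in terms[i + 1:]):
            warnings.append("mechanisms after all are never evaluated")
    return warnings

if __name__ == "__main__":
    print(parse_spf("v=spf1 ip4:1.2.3.4 a ~all"))  # record from the article
```

The lookup count covers only the terms in the record itself; the records pulled in by each include add to the same limit and need a live DNS query to count.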