Creating SPF Records for your Domain

Creating SPF Records for your Domain

The creation of a Sender Policy Framework (SPF) Record is something that is managed by the person or team that manages your Domain Name Service.

The creation of an SPF record is a relatively simple process.

Generally a domain name is hosted by a service provider like WrenMaxwell and it will be accessed via a control panel or interface that allows for the creation, editing or deletion of domain records.

An SPF record is simply a text or TXT record within the domain. This is an example of a basic SPF record.

 Domain TTL  Record Type Record
SPF Record Example Settings
     

In this example the domain is wrenmaxwell.com.au (note the trailing full stop in the record as the termination of the domain).

The TTL or Time To Live provides the duration in seconds before this record should be checked again.

IN TXT is the record type (cPanel / WHM management always shows the IN while other interfaces may not)

The record content is enclosed in quote marks ( for cPanel / WHM this is standard. Other interfaces will add the quotes in the background)

What is in the SPF Record ?

v=spf1  is the version of SPF that is being used. Currently there is only spf version 1 so spf1 is standard.

+a says to accept the A record for the domain while +mx says accept the MX record for the domain.

-all says to fail All Other servers sending email using this domain name.

SPF Record Syntax

After the version instruction the rest of the record consists of mechanisms and qualifiers.

When an SPF record is queried, the receiving server checks the ip address of the sending server against the SPF record for the sending domain. If a mechanism matches the ip address then the qualifier for that mechanism is used to determine what action should be taken in relation to the specific email that is being processed.

Mechanisms are always processed from left to right with each mechanism tested until a match is found. Once a match is found the query is stopped and the qualifier used to return the action or response to the receiving server.

SPF Record Qualifiers

The qualifiers are the symbols:

 Qualifier  Recommendation  Comment
“-“Fail Fail tells the receiving server that the sending server is not allowed to send for this domain
“+”Pass Pass tells the receiving server that the sending server is allowed to send for this domain
“~”SoftFail SoftFail tells the receiving server that the sending server may be accepted but is not yet specified
“?”Neutral Fail tells the receiving server that nothing is specified about this server

There are a few other results that come from the evaluation of an SPF record but the above cover the main ones.

SPF Record Mechanisms

The are a number of mechanisms that are more commonly used and some that are not.

 Mechanism  Explanation  
  A or a All the A records for domain are tested. If the client IP is found among them, this mechanism matches.
 MX or mx All the MX records for domain are tested. If the client IP is found among them, this mechanism matches.
  IP4 Check a specific host IP address of type version 4
  IP6 Check a specific host IP address of type version 6
 include include:{some.other.domain} to check the SPF record of the hosting or remote domain
 all refers to any other server (all other servers) and this mechanism will always match

MX stands for MaileXchanger meaning a server or host that will manage email for the domain.

IP4 and IP6 refer to the type of IP address that is in use. A common error is to see IPv4 or IPv6 where the editor of the SPF record has inadvertently included the ‘v’ for version of the IP address, which is a common format in other forms of documentation of IP addresses but is invalid for SPF records.

The include mechanism caters for larger configurations where there may be clustered servers or regular changes to mail server hosts and the service provider, like Google gmail and Microsoft Mail, can manage their servers within domain structure that is linked from the client (your) domain SPF record.

The all mechanism should always be the last entry in an SPF record so that any other mechanisms are evaluated before this ‘catch-all’ mechanism is checked.

For a full list of all SPF Mechanisms and other parameters refer to the openspf.org page on SPF Record Syntax.

SPF Record Qualifiers and Mechanism Examples

Using the wrenmaxwell.com.au SPF record as an example.

 Domain TTL  Record Type Record
SPF Record Example Settings

The version instruction is standard. v=spf1

The +a says check the A records for the domain “wrenmaxwell.com.au” and if the assigned host ip address matches then ‘+’ accept it.

The +max says check the MX records for the domain “wrenmaxwell.com.au” and if the assigned host ip address matches then ‘+’ accept it.

The -all says if the sending server is any other server then “-” fail the server and do not accept the email message as it is not an authorised server.

SPF References:

Configuring Microsoft Office 365 SPF Records https://technet.microsoft.com/en-au/library/dn789058(v=exchg.150).aspx