What is an SPF record and why do I need it?
On a letter that you send by post, you write your address so that the recipient knows where the letter comes from. You could also write a different address there, so that the letter appears to come from somewhere else. Sending e-mail works similarly. You send an e-mail from your e-mail address, and the recipient then knows that this mail is from you. But just as with the letter in the post, you can make it appear that the e-mail was sent from a different e-mail address. Forging the sender address is possible because the e-mail protocol does not check by default whether the party sending the e-mail is allowed to do so on behalf of the specified domain.
An SPF record (Sender Policy Framework) can counter this and prevent spammers from entering your address as being the sender.
How does an SPF record work?
By adding an SPF record to your domain name’s DNS, you can prevent emails from being sent on behalf of your email address without your permission.
This actually works fairly simply. You create a special SPF record in your domain name’s DNS, explicitly indicating which servers and IP addresses are allowed to send mail on behalf of your domain.
There is also another side to having an SPF record. Based on the SPF record, a receiving server can decide to allow an e-mail through, mark it as unsafe or reject it altogether. Newer, stricter mail servers also check whether an SPF record exists at all and, if it does not, will refuse the mail outright.
How is an SPF record constructed?
An SPF record consists of several components, each of which has its own functionality.
- Each SPF record begins with v=spf1. This indicates that the record is an SPF record.
- With a, you define that mail may be sent from the servers behind the A records in the domain’s DNS.
- It is also useful to add mx, which defines that mail may be sent via the servers behind that domain’s MX records.
- With a:domain.ext, you specify that the e-mail may be sent by the server behind the A record of domain.ext.
- With mx:domain.ext, you specify that the e-mail may be sent through the servers behind the MX records of domain.ext.
- Then you can also specify which IP addresses are allowed to send from your domain. You specify this as follows: ip4:220.127.116.11 (sample IP address, which consists only of numbers and dots).
Through What’s my IP, you can find out what your IP address is.
- You can also specify that the SPF record of SQR.NL should be used with your own domain name, with include:spf.hosting.nl. That record contains all the servers and IP addresses that SQR.NL uses for its customers.
- Finally, you specify whether the receiving mail server should respond with a softfail or a deny (a hard fail). In the case of a softfail, the mail is let through for now, but may be flagged. With a deny, the receiving mail server refuses the message and returns an error message to the sender. A softfail is indicated by ~all and a deny is indicated by -all.
Now the practice
My domain is ‘janjansen.nl’ and I send my e-mail through the mail server ‘mail.hosting.nl’. So if I want to prevent someone else from sending mail under my domain, I create the record below in my domain’s DNS:
"v=spf1 mx a include:spf.hosting.nl -all"
This SPF record authorizes the servers behind the domain’s MX records, its A record and, via the include, all IP addresses used by SQR.NL.
Now I also use a separate e-mail program to send newsletters. For this program to be authorized to send mail on behalf of ‘janjansen.nl’, I still need to add its mail servers to my SPF record. The provider of the program publishes its own SPF record, which I pull in with ‘include:spf.mailvoorbeeld.com’. My SPF record then comes out as follows:
"v=spf1 mx a include:spf.hosting.nl include:spf.mailvoorbeeld.com -all"
It can happen that you forget to add a mail server to your SPF record. The moment you then send mail from that server, you will get a bounce message back saying that this server is not authorized to send mail on behalf of your domain name. This bounce notification tells you exactly which server is not included in the SPF record and what steps you need to take so that you can mail from this server in the future.
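To make the mechanics of the record components and of the janjansen.nl example concrete, here is an added example in Python (not from this article and not code from SQR.NL): a small SPF evaluator that parses a record, checks a sending IP against the mx, a, ip4 and include mechanisms, and enforces the limit of 10 DNS-querying mechanisms from RFC 7208 that long include chains run into. DNS is replaced by a caller-supplied stub; the zone data, the 203.0.113.x/198.51.100.x/192.0.2.x addresses and the ip4 ranges behind spf.hosting.nl and spf.mailvoorbeeld.com are constructed for the example and are not those providers’ real records.

```python
import ipaddress
LOOKUP_MECHANISMS = {"a", "mx", "include", "ptr", "exists", "redirect"}  # RFC 7208: max 10 per check

def parse_spf(record):
    """Split 'v=spf1 mx a include:x -all' into (qualifier, mechanism, argument) tuples."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must begin with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        # mechanisms use "name:arg", modifiers such as redirect use "name=arg"
        name, _, arg = term.partition("=" if "=" in term.split(":")[0] else ":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed

def check_sender(record, domain, ip, resolve, budget=None):
    """Evaluate sending IP `ip` against the SPF record of `domain`: pass, fail, softfail, neutral
    or permerror. resolve(kind, name) is a DNS stub: 'a'/'mx' give IPs, 'spf' gives [txt_record]."""
    budget = budget or [10]                      # DNS lookup budget, shared with includes
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in LOOKUP_MECHANISMS:
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"               # over the lookup limit: receivers reject it
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            matched = any(addr == ipaddress.ip_address(x) for x in resolve(mech, target))
        elif mech == "include":
            inner = resolve("spf", target)       # a missing include record is a permerror
            result = check_sender(inner[0], target, ip, resolve, budget) if inner else "permerror"
            if result == "permerror":
                return result
            matched = result == "pass"           # include matches only on an inner "pass"
        else:
            continue                             # ptr, exists, exp, redirect are not modelled
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"                             # nothing matched and no "all" term
# Constructed DNS data for the article's janjansen.nl scenario (documentation-range addresses).
ZONE = {("mx", "janjansen.nl"): ["203.0.113.25"], ("a", "janjansen.nl"): ["203.0.113.10"],
        ("spf", "spf.hosting.nl"): ['"v=spf1 ip4:198.51.100.0/24 -all"'],
        ("spf", "spf.mailvoorbeeld.com"): ['"v=spf1 ip4:192.0.2.0/24 ~all"']}
JANJANSEN = '"v=spf1 mx a include:spf.hosting.nl include:spf.mailvoorbeeld.com -all"'
resolve_stub = lambda kind, name: ZONE.get((kind, name), [])
```

Calling check_sender(JANJANSEN, "janjansen.nl", "192.0.2.9", resolve_stub) returns "pass" via the newsletter include, while an address in none of the ranges returns "fail" because of -all.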
Since 2019, you will receive error messages when sending to Gmail addresses if no SPF record is added to your domain name’s DNS. We have written an additional blog article on this.