Tutorial

How To use an SPF Record to Prevent Spoofing & Improve E-mail Reliability

Published on July 16, 2013
author

Pablo Carranza

How To use an SPF Record to Prevent Spoofing & Improve E-mail Reliability

Introduction

A carefully tailored SPF record will reduce the likelihood of your domain name getting fraudulently spoofed and keep your messages from getting flagged as spam before they reach your recipients. Email spoofing is the creation of email messages with a forged sender address; something that is simple to do because many mail servers do not perform authentication. Spam and phishing emails typically use such spoofing to mislead the recipient about the origin of the message. A number of measures to address spoofing, however, have developed over the years: SPF, Sender ID, DKIM, and DMARC. Sender Policy Framework (SPF) is an email validation system designed to prevent spam by detecting email spoofing. Today, nearly all abusive e-mail messages carry fake sender addresses. The victims whose addresses are being abused often suffer from the consequences, because their reputation gets diminished, they have to waste their time sorting out misdirected bounce messages, or (worse) their IP addresses get blacklisted.

The SPF is an open standard specifying a technical method to prevent sender-address forgery. SPF allows administrators to specify which hosts are allowed to send mail on behalf of a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use DNS records to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.

Benefits

Adding an SPF record to your DNS zone file is the best way to stop spammers from spoofing your domain. In addition, an SPF Record will reduce the number of legitimate e-mail messages that are flagged as spam or bounced back by your recipients' mail servers. The SPF record is not 100% effective, unfortunately, because not all mail providers check for it. Many do, however, so you should notice a significant decrease in the amount of bounce-backs you receive.

Example SPF Record

An SPF record is added to your domain's DNS zone file as a TXT record and it identifies authorized SMTP servers for your domain.

TXT @ "v=spf1 a include:_spf.google.com ~all"

If you are utilizing the DigitalOcean DNS Manager, make sure to wrap the SPF record with quotes. The following table provides an explanation of the various components of the Example SPF Record:

ComponentsDescription
TXTThe DNS zone record type; SPF records are written as TXT records
@In a DNS file, the "@" symbol is a placeholder used to represent "the current domain"
v=spf1Identifies the TXT record as an SPF record, utilizing SPF Version 1
aAuthorizes the host(s) identified in the domain's A record(s) to send e-mail
include:Authorizes mail to be sent on behalf of the domain from google.com
~allDenotes that this list is all inclusive, and no other servers are allowed to send e-mail

Components of an SPF Record

An SPF record consists of the SPF version number followed by strings comprised of (i) mechanisms, (ii) qualifiers, and (sometimes) (iii) modifiers. SPF clients ignore TXT records that do not start with the version string "v=spf1 ...".

SPF records may define zero or more mechanisms. Mechanisms can be used to describe the set of hosts which are designated as authorized, outbound mailers for the domain. The following list are common mechanisms included in an SPF record:

all | ip4 | ip6 | a | mx | ptr | exists | include

Mechanisms can be prefixed with one of four qualifiers:

QualifierDescription
+Pass = The address passed the test; accept the message. Example: "v=spf1 +all"
-(Hard) Fail = The address failed the test; bounce any e-mail that does not comply. Example: "v=spf1 -all"
~Soft Fail = The address failed the test, but the result is not definitive; accept & tag any non-compliant mail. Example: "v=spf1 ~all"
?Neutral = The address did not pass or fail the test; do whatever (probably accept the mail). Example: "v=spf1 ?all"

If a qualifier is not included, the + qualifier is implied.

SPF records may also define 1 of 2 modifiers; or, no modifier at all. Each modifier, however, can appear only once.

redirect | exp

SPF records are evaluated in a two-pass process: First, all mechanisms and qualifiers are evaluated. Then, all modifiers are evaluated:

  1. Mechanisms are evaluated from left to right;
  2. Modifiers are evaluated on the second pass and can occur anywhere in the record.

Mechanisms

MechanismDescription
allMatches all local and remote IPs and goes at the end of the SPF record. Example: "v=spf1 +all"
ip4Specifies a single IPv4 address or an acceptable IPv4 address range. A mask of /32 is assumed if no prefix-length is included. Example: "v=spf1 ip4:192.168.0.1/16 -all"
ip6Same concept found in ip4, but, obviously, with IPv6 addresses, instead. If no prefix-length is given, /128 is assumed (singling out an individual host address). Example: "v=spf1 ip6:1080::8:800:200C:417A/96 -all"
aSpecifies all IPs in the DNS A record. Example: "v=spf1 a:domain.com -all"
mxSpecifies all A records for each host's MX record. Example: "v=spf1 mx mx:domain.com -all"
ptrSpecifies all A records for each host's PTR record. Example: "v=spf1 ptr:domain.com -all"
existsSpecifies one or more domains normally singled out as exceptions to the SPF definitions. An A query is performed on the provided domain; if a result is found a match occurs. Example: "v=spf1 exists:domain.com -all"
includeSpecifies other domains that are authorized domains. Example: "v=spf1 include:outlook.microsoft.com -all"

The "all" Mechanism

The all mechanism usually goes at the end of the SPF record; and it is prefixed with a qualifier, e.g.

ExamplesDescription
"v=spf1 mx -all"Allows the domain's MX hosts to send mail for the domain, and prohibits all other hosts.
"v=spf1 -all"The domain sends no mail at all.
"v=spf1 +all"This SPF is useless, as it does not limit the hosts that are authorized to send e-mail.

Modifiers

Modifiers are optional and a modifier may appear only once per record. Unknown modifiers are ignored.

The “redirect” modifier sends the inquiry to another domain.

redirect=example.com

That is, the SPF record for example.com replaces the SPF record for the current domain. The redirect modifier is useful to those that wish to apply the same record to multiple domains. For example:

Sample entry in ny.yourdomain.com's zone file:TXT @ "v=spf1 redirect=_spf.yourdomain.com"
Sample entry in sf.yourdomain.com's zone file:TXT @ "v=spf1 redirect=_spf.yourdomain.com"
Sample entry in am.yourdomain.com's zone file:TXT @ "v=spf1 redirect=_spf.yourdomain.com"
Sample entry in _spf.yourdomain.com's zone file:TXT @ "v=spf1 mx:yourdomain.com -all"

For clarity, it is RECOMMENDED that any "redirect" modifier appear as the very last term in a record.

The "exp" modifier sets up an explanation in the SPF record.

exp=[macro-string]

If an SPF query produces a FAIL result, the explanation is queried and the explanation string provides more information to the nonconforming user. The explanation is typically placed in an SPF log. Example: exp=spf-error. An SPF publisher can specify the explanation string that senders see. This way, an ISP can direct nonconforming users to a web page that provides further instructions.

Putting it all together

Although you do not need an SPF record on your DNS server to evaluate incoming email against SPF policies published on other DNS servers, the best practice is to set up an SPF record on your DNS server. Setting up an SPF record lets other email servers use SPF filtering (if the feature is available on the mail server) to protect against incoming email from spoofed, or forged, email addresses that may be associated with your domain. As SPF records are implemented more widely, SPF filtering will become more effective at identifying spoofed email messages.

As always, if you need help setting up your SPF record, look to the DigitalOcean Community for assistance by posing your question(s), below.

Article Submitted by: Pablo Carranza

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors
Default avatar
Pablo Carranza

author

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
10 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Configurei o postfix, o gmail não recebe, qual seria a melhor opçao?

TXT @ “v=spf1 mx a ~all”

?

Kamal Nasser
DigitalOcean Employee
DigitalOcean Employee badge
August 5, 2013

@schroeder.noia: Did you follow a specific article on setting up postfix?

Also, try changing your TXT record to this:

<pre>TXT @ “v=spf1 mx a ip4:<strong>yourdropletsip</strong> ~all”</pre>

Replace yourdropletsip with your droplet’s IP.

In DO DNS TXT record there are 2 fields >enter name >enter text so what values should be placed where?? Is the SPF records to be added for only for main domain or it is need for each and every addon domain?

My DKIm looks like below so what and where do I put these things? <pre> 2012513._domainkey IN TXT ( “v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzLuSAevWarq/x” “y98wA0gz6kDDKYjgppYUJuyQ/dWvsvi2yX8gEnXS1yI91A/NmjEomzE90BHSBrgSEv3rxmNViVrN5HU7” “jki1Xja5dNzxwYip9zRLACauG2ZVzagcFZd8EORaLUZhlkkiiiutuytiuyiuyuyATHz0ofJ9ope0Wzu62XCqzB3pmLR5GPM7Lvh”"y6CDW85gIE9JWEbbk8YI/wzxtphfD77tOkDsNDAGul3mhMKFBb1b8unjUIOQSrbv6GSnw9RkAh/PXKr8"“97uO19Ql0CCRltcGZOIFc4DLk3hWRi/SBKomJ+ZSSbOzr45Jkn/iYepr9kxtVSfygR8xrgJd+BSfJIzr”“KI8qnH9kQIDAQAB” ) </pre>

Kamal Nasser
DigitalOcean Employee
DigitalOcean Employee badge
August 6, 2013

@shyamsukhamit: TXT name: _domainkey Text: “v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzLuSAevWarq/x”

You’ll need to add them for every addon domain.

just 1 more clarifu\ication as you mentioned that name should be " _domainkey" shouldn’t it be “2012513._domainkey” and should the text be only the “p=xxxxxxxxxxxxxxxx”.

According to the article what is the difference between my txt record(which contains long code" and "TXT @ “v=spf1 a include:_spf.google.com ~all” and where it should be entered if it is required?

Kamal Nasser
DigitalOcean Employee
DigitalOcean Employee badge
August 7, 2013

This article is about SPF records. You’re trying to add a DKIM record which is a completely different thing. Where did you get that DKIM config from? I’ve just checked it and it appears to be invalid.

Yes this is DKIM key, I got it from webmin >email messages > dkim… Sorry I totally messed it up. Can you please tell me from where do I get the spf record and what do I add in DO DNS TXT record?

and please let me know what should be done for DKIM?

Thanks for your help.

Kamal Nasser
DigitalOcean Employee
DigitalOcean Employee badge
August 7, 2013

You don’t get an SPF record – you usually build it yourself. Read this article.

Please take a screenshot of webmin’s DKIM page

In DO DNS TXT RECORD I have entered NAME=@ and text= “v=spf1 mx:yourdomain.com -all” is that the correct way of inputting the value @kamal?

I Think that DKIM is also added in TXT record of the DNS am I correct? that values I have put above are little bit modified. If you want I can pastebin the content of the DKIM.

Thanks for the help

Or I should replace the yourdomain.com with droplet IP?

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.