On Monday we looked at SPF records and why they are important, specifically to spam filters and to email security in general. So today, let's take a look at how you create an SPF record for your domain.
As a quick review, an SPF record is a DNS-based text string that a receiving email server can query and parse to find out which IP addresses the domain owner says should be sending email for the domain. At first it seems like creating the SPF record should be a pretty simple task: use the syntax to say “these are my legitimate IPs”. But it’s a little more complicated than that. SPF has a number of options which allow the domain owner to add some nuance to the result.
I’m not going to delve into all the possibilities here. But a great resource site for you is the OpenSPF project site. So, here is a breakdown of the SPF syntax where you can dissect all of the possibilities. Let’s look at two of the most common setups though:
1. First, let’s look at an example of an SPF record that says “My MX records are the same as, and the ONLY, IP addresses I use to send outbound email”. This record would look like “v=spf1 mx -all”, where “v=spf1” gives the version of SPF used, “mx” is the mechanism that allows all IPs associated with the A records of your MXs, and “-all” specifically disclaims any other IPs. ***WARNING*** If you are using Mailprotector or another cloud-based email security service, do NOT create this SPF record. Your MX records are not the same IPs that you send outbound mail through.
2. Now, here is an example of an SPF record that specifically defines the IP addresses which send mail. This record says “These are the ONLY IP addresses which send mail for my domain”: “v=spf1 ip4:192.168.0.1/16 -all”. For IP ranges, SPF uses CIDR notation. In this record “v=spf1” again defines the version of SPF used, “ip4:192.168.0.1/16” says “allow all ip4 addresses from 192.168.0.1 to 192.168.255.255”, and the “-all” again specifically disclaims all other addresses. So, you simply substitute your IP(s) or range(s) for the one listed in this example. If you have multiple, just add them one after another with a space between, keeping the “-all” at the end. If you are a Mailprotector customer and using our outbound filtering, you can get a list of the possible outbound sending ranges from the Help tab in your console.
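To see how a receiving server would judge a sending IP under the two records above, here is an added example (not from the original article or the OpenSPF project) that evaluates the `mx`, `ip4`/`ip6` and `all` mechanisms offline. The `mx_ips` parameter, `MX_IPS` and `RELAY_IP` are assumptions: constructed documentation addresses standing in for the DNS lookup of your MX hosts and for a cloud filter's outbound relay.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT string into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # "+" (pass) is the default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed

def check_sender(record, sender_ip, mx_ips=()):
    """Return the SPF result for sender_ip; the first matching term wins.

    mx_ips (an assumption of this example) replaces the DNS lookup of the
    domain's MX hosts. Only mx, ip4, ip6 and all are handled here.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            matched = True
        elif name == "mx":
            matched = ip in {ipaddress.ip_address(a) for a in mx_ips}
        elif name in ("ip4", "ip6"):
            # strict=False accepts a host address with a prefix (192.168.0.1/16)
            net = ipaddress.ip_network(value, strict=False)
            matched = ip.version == net.version and ip in net
        else:
            raise ValueError(f"mechanism not handled in this example: {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term

# Constructed sample data (documentation address ranges, not real hosts)
MX_IPS = ["203.0.113.10"]       # inbound MX hosts for the domain
RELAY_IP = "198.51.100.25"      # outbound relay of a cloud filtering service

if __name__ == "__main__":
    print(check_sender("v=spf1 mx -all", MX_IPS[0], MX_IPS))   # the MX host itself
    print(check_sender("v=spf1 mx -all", RELAY_IP, MX_IPS))    # mail sent via the relay
    print(check_sender("v=spf1 ip4:192.168.0.1/16 -all", "192.168.44.7"))
```

The second call is the situation the warning in item 1 describes: mail leaving through the filtering service's relay gets a hard fail because that relay is not one of the MX addresses.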
The OpenSPF site has a great FAQ and Common Mistakes section.
Now, in conclusion I’ll just add the nice big disclaimer…use at your own risk; while not an SPF expert I do play one on TV; past SPF functionality does not guarantee future performance; the author of this article specifically disclaims any shred of truth to this material in this universe or any other. Seriously though, check out the OpenSPF site and go create your record. It’s simple and will help prevent your domain from being forged.

