SPF
The Sender Policy Framework
Read up on the Sender Policy Framework.
Why?
SMTP itself does nothing to stop someone from putting a fake address in the sender field. A scammer might send an email that appears to come from ceo@megacorp.com and reads:
Please send me $10,000 to my temporary bank account 0123456789.
How can a receiving mail server tell whether the sender's address is genuine? Sender Policy Framework (SPF) is one tool.
What it does
SPF lets a domain publish, in a DNS TXT record, which hosts are allowed to send mail on its behalf. When a message arrives, the receiving mail server takes the domain from the SMTP envelope sender (the MAIL FROM address, later visible as Return-Path; the HELO name is used if the envelope sender is empty), fetches that domain's SPF record and checks whether the IP address of the connecting client is authorized by it. Note that SPF checks the envelope sender, not the From: header a user sees, so on its own it does not stop a forged display address; that is what DMARC alignment adds on top of SPF.
Almost all mail servers check SPF. If you don't want your mail marked as spam or phishing, publish a correct record for every domain you send from, and publish a record that denies everything for domains that never send mail.
How it works
A record starts with "v=spf1" and is followed by mechanisms, each optionally prefixed with a qualifier. Mechanisms are tested left to right and the first one that matches the client IP decides the result; its qualifier says what that result is. If no qualifier is written, "+" is assumed.

Qualifier | Result | Meaning | Typical receiver action |
---|---|---|---|
+ (default) | Pass | The host is authorized to send for the domain | Accept |
- | Fail | The host is not authorized | Reject |
~ | SoftFail | Probably not authorized; the domain is still in transition | Accept but mark (e.g. as suspicious) |
? | Neutral | The domain makes no assertion about this host | Accept |
(no match) | Neutral | No mechanism matched and there is no all term | Accept |
n/a | None | The domain publishes no SPF record | Accept |
n/a | PermError | The record cannot be interpreted (syntax error, more than one SPF record, too many DNS lookups) | Receiver's choice; RFC 7208 allows rejection and DMARC counts it as an SPF failure |
n/a | TempError | A transient DNS failure occurred during the check | Defer with a temporary reject, or accept |
Mechanism | Meaning |
---|---|
all | Always matches; put it last, with the qualifier that should apply to everything not listed before it |
ip4:<address>/<prefix> | Matches an IPv4 address or subnet (prefix optional, /32 if omitted) |
ip6:<address>/<prefix> | Matches an IPv6 address or subnet (prefix optional, /128 if omitted) |
a:<domain> | Matches the addresses in the A records (AAAA records for an IPv6 client) of <domain>; uses the current domain if none is given |
mx:<domain> | Matches the addresses of the hosts named in the MX records of <domain>; uses the current domain if none is given |
include:<domain> | Matches if the SPF check of <domain> for the same client IP yields Pass (the usual way to authorize a third-party mail provider); if <domain> has no SPF record the result is PermError |

Each a, mx and include term costs DNS lookups at evaluation time (as do ptr, exists and redirect=, not covered here). RFC 7208 caps these at 10 per check; a record that needs more, for example through nested include chains, evaluates to PermError even though every host in it is legitimate.
Record | Meaning |
---|---|
"v=spf1 mx -all" | The domain's MX hosts may send mail, everyone else is denied. |
"v=spf1 -all" | The domain sends no mail at all. Publish this for parked domains so they cannot be used for spoofing. |
"v=spf1 +all" | Anyone may send mail for this domain (SPF becomes useless; many receivers treat +all itself as a spam signal). |
"v=spf1 ip4:192.168.0.0/24 -all" | Any address in 192.168.0.0/24 (192.168.0.0 to 192.168.0.255) may send. Write the network address, not a host address like 192.168.0.1/24; a real record lists public addresses, the private range is only used for illustration here. |
"v=spf1 ip6:2001:db8::/96 -all" | The IPv6 subnet 2001:db8::/96 may send. |
"v=spf1 a -all" | The addresses the current domain's own A/AAAA records resolve to may send. |
"v=spf1 a:example.com -all" | The addresses example.com's A/AAAA records resolve to may send. |
"v=spf1 mx mx:mail.example.com -all" | The MX hosts of the current domain and of mail.example.com may send. |
"v=spf1 include:spf.example.net -all" | Whatever hosts spf.example.net's own SPF record authorizes may send (typical when a provider sends mail for you). |
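To tie the three tables together, here is a small SPF evaluator written for this page as an added example; it is not code from any SPF library or from the RFC. It parses a record, honours the qualifiers, supports the all, ip4, ip6, a, mx and include mechanisms, returns the None, Neutral and PermError results from the first table, and enforces the 10-lookup limit. DNS is replaced by a constructed in-memory table so that it runs offline; every domain and address in that table is made up (documentation ranges). A real check would query DNS, which is also the only place a TempError could come from, so that result is not reproduced here. Macros, ptr, exists and redirect= are deliberately left out.

```python
"""Minimal SPF evaluator (added illustration; not a complete RFC 7208 implementation)."""
import ipaddress

# Constructed stand-in for DNS so the example runs offline.
# Keys are (name, record type); all names and addresses are documentation values.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:203.0.113.0/24 include:partner.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.10"],
    ("partner.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("nomail.example", "TXT"): ["v=spf1 -all"],                    # domain that never sends
    ("open.example", "TXT"): ["v=spf1 +all"],                      # anyone may send
    ("softfail.example", "TXT"): ["v=spf1 a ~all"],                # still in transition
    ("softfail.example", "A"): ["198.51.100.20"],
    ("neutral.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24"],     # no all term at the end
    ("broken.example", "TXT"): ["v=spf1 ip4:not-an-ip -all"],      # syntax error
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],  # exceeds the lookup limit
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on lookup-causing terms per evaluation


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def addresses(name):
    """All A and AAAA addresses of a host, as ip_address objects."""
    return [ipaddress.ip_address(a) for a in lookup(name, "A") + lookup(name, "AAAA")]


def mechanism_matches(name, arg, ip, domain):
    """Does a single (non-include) mechanism match the connecting IP?"""
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        # strict=False masks host bits, so ip4:192.168.0.1/24 is read as 192.168.0.0/24.
        net = ipaddress.ip_network(arg, strict=False)  # raises ValueError on garbage
        if net.version != (4 if name == "ip4" else 6):
            raise ValueError("address family does not match mechanism")
        return ip in net  # False when the families differ
    if name == "a":
        return ip in addresses(arg or domain)
    if name == "mx":
        return any(ip in addresses(mx) for mx in lookup(arg or domain, "MX"))
    raise ValueError(f"unsupported mechanism {name!r}")


def _evaluate(ip, domain, budget):
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # two SPF records are an error, they are not merged
    for term in records[0].split()[1:]:
        qualifier = "+"  # the default when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        try:
            if name in ("a", "mx", "include"):
                budget[0] -= 1
                if budget[0] < 0:
                    return "permerror"  # too many DNS lookups
            if name == "include":
                inner = _evaluate(ip, arg, budget)
                if inner in ("none", "permerror"):
                    return "permerror"
                if inner == "temperror":
                    return "temperror"
                matched = inner == "pass"  # fail/softfail/neutral simply do not match
            else:
                matched = mechanism_matches(name, arg, ip, domain)
        except ValueError:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record without an all term


def check_spf(ip, domain):
    """Result a receiving MTA gets for MAIL FROM domain `domain` and client address `ip`."""
    return _evaluate(ipaddress.ip_address(ip), domain, [MAX_DNS_LOOKUPS])


if __name__ == "__main__":
    for ip, domain in [("198.51.100.10", "example.com"), ("192.0.2.1", "example.com"),
                       ("198.51.100.200", "example.com"), ("198.51.100.200", "softfail.example"),
                       ("2001:db8::1", "nomail.example"), ("192.0.2.1", "unknown.example"),
                       ("192.0.2.1", "broken.example"), ("192.0.2.1", "loop.example")]:
        print(f"{ip:>16} via {domain:<18} -> {check_spf(ip, domain)}")
```

The include: branch shows why a provider's mistake becomes your problem: if the included domain has no record, or the chain of includes needs more than ten lookups, your own record evaluates to PermError for every message you send, which DMARC then counts as an SPF failure. The budget is shared across the whole evaluation rather than reset per include, exactly as the RFC requires.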