Mastering SPF Record Syntax To Ensure Accurate Domain Email Authentication Policies
Email serves as an essential means of communication for both companies and individuals; however, it is often vulnerable to threats like spoofing, phishing, and spam. To address these concerns, domain owners implement SPF (Sender Policy Framework) records, which are crucial for email verification. These records identify the mail servers that have permission to send emails on behalf of a specific domain. Nonetheless, improperly configured SPF records can result in problems such as undelivered messages, security risks, or authentication failures.
What is an SPF Record?
An SPF record is a specific kind of DNS TXT entry that specifies which IP addresses or domains have permission to send emails on behalf of your domain. When an email is received, the mail server verifies the sender's domain's SPF record to confirm that the sending server is permitted.
Setting up a correctly configured SPF record safeguards your domain by minimizing the chances of email spoofing and phishing attempts.

SPF Record Syntax: Understanding the Structure
Basic Structure
- v=spf1: This indicates the SPF version in use and must be placed at the beginning.
- ip4 / ip6: Defines the permitted IP address ranges allowed to send emails.
- include: Incorporates the SPF record from another domain, commonly utilized with external services.
- a / mx: Grants permission to servers specified by your domain's A or MX records.
- all: A universal rule positioned at the end of the record, accompanied by a qualifier to determine the handling of emails that do not conform to earlier rules.
SPF Qualifiers
- + (Pass): The default when no qualifier is given.
- - (Fail): Explicitly not permitted.
- ~ (SoftFail): Not permitted, but the message is accepted and marked.
- ? (Neutral): No policy is asserted for this source.
Common SPF Mechanisms Explained
IP4 and IP6
In an SPF record, the ip4 and ip6 mechanisms designate particular IP addresses or address ranges that are permitted to send emails for a given domain. For instance, the entry ip4:198.51.100.1 allows only one specific IPv4 address, whereas ip4:198.51.100.0/24 covers all addresses within that subnet. Likewise, the ip6:2001:db8::/32 entry provides authorization for a range of IPv6 addresses, granting extensive yet regulated permissions for sending emails from selected IP blocks.
A and MX
- a: Grants permission for the IP addresses associated with your domain's A records.
- mx: Grants permission for the IP addresses of the mail servers specified in your domain's MX records.
Include
When utilizing third-party services such as Google Workspace, Microsoft 365, Mailchimp, or SendGrid, the use of the include: mechanism is crucial.
Warning: Every include: entry increases the number of DNS lookups. SPF has a maximum limit of 10 DNS lookups, and exceeding this threshold will result in a "permerror" (permanent error), which could disrupt your email authentication process.
All
Always place all at the end of the record. It specifies the action to take when none of the earlier mechanisms matched:
- -all: Reject (most stringent, advised for DMARC enforcement)
- ~all: Soft fail
- ?all: Neutral
Best Practices for Configuring SPF Records
1. Start with a Clear Policy
Determine whether your domain should implement strict policies (-all) or more flexible ones (~all). While strict policies enhance security, lenient policies can help minimize the chances of email rejections when you're in the process of implementation or testing.

2. Minimize DNS Lookups
To remain within the 10-lookup limit, only utilize necessary include statements. While flattening SPF records by converting includes to direct IP addresses can be beneficial, it's important to consider the implications for ongoing maintenance.
3. Test Your SPF Records
There are numerous dependable tools available for verifying your SPF records. For instance, MXToolbox's SPF Record Check evaluates both syntax and the number of DNS lookups. Another option is the Kitterman SPF validator, renowned for its precision in spotting frequent SPF misconfigurations.
4. Combine with DKIM and DMARC
Relying solely on SPF does not provide complete protection. To enhance your email authentication strategy, incorporate DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) alongside SPF for a more robust defense.
Common SPF Errors to Avoid
- Exceeding Lookup Limits: If you surpass the 10-lookup threshold, your SPF record will become invalid.
- Single SPF Record Requirement: Each domain can have only a single SPF record; merge them if necessary.
- Properly Concluding with an All Mechanism: Ensure your SPF record concludes with a suitable all mechanism.
- Avoid Outdated Syntax: Always publish SPF as a TXT record and steer clear of the obsolete SPF DNS record type.
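As an added example (not code from the original article), the following Python checker applies the rules above to a record's own text: v=spf1 first, valid mechanism names and qualifiers, all placed last, the 10-lookup limit, and exactly one SPF record per domain. It performs no DNS queries, so lookups nested inside included records are not followed; the sample records and the check_spf / check_domain_txt names are constructed for this illustration.

```python
import re
# Terms that each consume one of the 10 permitted DNS lookups (RFC 7208
# section 4.6.4); ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
QUALIFIERS = "+-~?"
MAX_LOOKUPS = 10

def check_spf(record: str) -> list[str]:
    """Return the problems found in one SPF TXT record (empty list = clean).
    Only this record's text is inspected; lookups inside included records are
    not followed, so the count is a lower bound on the real total."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups, saw_all, saw_redirect = 0, False, False
    for i, term in enumerate(terms[1:], start=1):
        if "=" in term:                       # modifier, e.g. redirect=_spf.example.net
            name = term.split("=", 1)[0].lower()
            saw_redirect = saw_redirect or name == "redirect"
        else:                                 # mechanism with optional qualifier prefix
            qual = "+"
            if term[0] in QUALIFIERS:
                qual, term = term[0], term[1:]
            name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
            if name not in MECHANISMS:
                problems.append(f"unknown mechanism '{term}'")
                continue
            if name == "all":
                saw_all = True
                if i != len(terms) - 1:
                    problems.append("'all' must be the last term")
                if qual in "+?":
                    problems.append(f"'{qual}all' lets any sender pass; use -all or ~all")
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS} (permerror)")
    if not saw_all and not saw_redirect:
        problems.append("record does not end with an all mechanism")
    return problems

def check_domain_txt(txt_records: list[str]) -> list[str]:
    """Validate the TXT records published at a domain; more than one SPF record is an error."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"domain publishes {len(spf)} SPF records; exactly one is required"]
    return check_spf(spf[0])
```

Feed it the TXT strings returned by your resolver; an empty list means the record passed every check the article lists.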