I recently needed to configure some email servers to comply with the SPF (Sender Policy Framework) standard and allow email users to send email to Yahoo, Hotmail and other public email services.
The problem was that email sent to those servers was bounced or simply ignored, because the user domains had no DNS SPF records.
Everything is done at the DNS level; the email servers themselves do not need any configuration to send SPF-compliant email.
What is a DNS SPF record?
It is simply a TXT record in the DNS zone of the domain from which the email is sent. It tells the receiving email server which servers are allowed to send email for that domain.
If we are sending email from the address me@example.com and our mail server is mail.example.com, then we need to tell the receiving email server that mail.example.com is allowed to send email for the example.com domain.
The SPF record syntax
All SPF records start with an identifier marking the TXT record as SPF, which means they must begin with:
“v=spf1 …”
(The “…” means that the record is incomplete; it is not part of the SPF syntax.)
The number after “spf” is an index, allowing one or more SPF records for the same domain.
Now that the record is identified as SPF, we define which servers are allowed to send email for our domain. This is done with a series of mechanisms:
a
Means that the host example.com itself (the address in our domain’s own A record) is allowed to send email for it. In the record it looks like this:
“v=spf1 a …”
mx
Means that the hosts listed in our example.com MX DNS records (the servers that receive email for that domain) are also allowed to send email for it. In the record we would put:
“v=spf1 mx …”
or
“v=spf1 a mx …”
to continue with the prior mechanism.
ptr
Allows any host whose name ends with the example.com domain (for instance relay.example.com or adonis.example.com) to send email for the domain example.com. This is not recommended because it is not a safe rule, but in some cases it is needed, so it would look like:
“v=spf1 a mx ptr …”
a: mx: ptr:
These mechanisms are like the ones already described, but the ‘:’ means that we pass a host name as an argument to the mechanism. Instead of looking up the DNS records of the current domain, the receiving email server will fetch the records of the given host name. An example would be:
“v=spf1 a:mail3.other.com …”
meaning that the server with the host name mail3.other.com is allowed.
To allow the MX hosts of another domain we would need the following:
“v=spf1 mx:other.com …”
and if the MX record of the domain other.com names mailnow.other.com as its receiving mail server, that same server will be allowed to send email for our example.com domain.
With “ptr:” it is the same. Imagine that we wanted to allow any host whose name ends with “our-isp.com” to send email for example.com; the SPF record would look like:
“v=spf1 ptr:our-isp.com …”
ip4: ip6:
Analogously, if we need to specify IP addresses instead of domains, we use these mechanisms for IPv4 and IPv6 addresses or networks respectively. An example record would look like:
“v=spf1 ip4:10.0.0.1/24 …”
include:
This useful mechanism lets us include another domain’s SPF record in ours. With it we can configure that our mail is handled the same way our ISP defines in its own SPF record. Let’s see how this is done:
“v=spf1 include:our-isp.com …”
all
This mechanism states what to do with all other domains not listed. Usually you want to declare that all other domains are not allowed to send email for your domain, which is done with:
“v=spf1 … ~all”
An identical result would be obtained with:
“v=spf1 … -all”
If you want to ignore the other domains and let the receiving email server decide for you, the SPF record will look like:
“v=spf1 … ?all”
Otherwise, if you don’t like this SPF thing and want to allow any server to send your email (this should not be used, as you can easily understand), here is a simple record for it:
“v=spf1 +all”
With a record like this you are telling everyone: Hey spammers, use my server to send spam email in my name!
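As an added example (not part of the original post), here is a small Python parser and linter for the record syntax described above: it splits a TXT record into qualifier, mechanism and argument, normalises the ip4/ip6 networks, and flags the weak settings (“+all”, “?all”, “ptr”, or no “all” at all). The sample records and the domains in them are constructed for illustration.

```python
import ipaddress

# Constructed sample records (hypothetical domains) using the mechanisms described above.
SAMPLE_RECORDS = {
    "strict": "v=spf1 a mx ip4:10.0.0.1/24 include:our-isp.com -all",
    "soft": "v=spf1 a:mail3.other.com mx:other.com ~all",
    "risky": "v=spf1 ptr:our-isp.com ?all",
    "open": "v=spf1 +all",
}

QUALIFIERS = "+-~?"
MECHANISMS = {"all", "a", "mx", "ptr", "ip4", "ip6", "include"}


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split a TXT record into (qualifier, mechanism, argument) triples.
    Raises ValueError if it is not an SPF record or a term is unknown."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qual = "+"  # the implicit qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")  # first ':' separates name from argument
        name = name.lower()
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism: {term!r}")
        if name in ("ip4", "ip6"):
            # strict=False accepts host bits, so 10.0.0.1/24 normalises to 10.0.0.0/24
            arg = str(ipaddress.ip_network(arg, strict=False))
        parsed.append((qual, name, arg))
    return parsed


def lint_spf(record: str) -> list[str]:
    """Return warnings for settings that weaken the policy."""
    terms = parse_spf(record)
    warnings = []
    if not terms or terms[-1][1] != "all":
        warnings.append("no trailing 'all': unlisted senders are treated as neutral")
    for qual, name, _ in terms:
        if name == "all" and qual == "+":
            warnings.append("'+all' authorises every host on the Internet")
        elif name == "all" and qual == "?":
            warnings.append("'?all' leaves the decision to the receiver")
        if name == "ptr":
            warnings.append("'ptr' depends on reverse DNS and is discouraged")
    return warnings
```

Running `lint_spf` over `SAMPLE_RECORDS` returns an empty list for the strict and soft records and one warning per weak setting for the others.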
Where to go for more information?
The Sender Policy Framework official website is:
And if you want a wizard to help you construct your SPF record and run some tests on it, go to:
http://old.openspf.org/wizard.html
I hope this has simplified things a bit and that the information helps you define correct SPF records.
Let us all do our part to help stop spam!