As we’ve been working through migrating email delivery from Barracuda ESS to Proofpoint, one of the issues that pop up would be in regards to SPF records. I figured I’d give a quick overview about how SPF records work and why this could be an important issue.
SPF records are TXT records in DNS. These records are intended so that you can publish which mail servers are authorized to send email on your domain’s behalf. The way it works is this:
- email@example.com sends email to firstname.lastname@example.org.
- Contoso.com email server looks up MX records for fabrikam.com to route the email to the appropriate receiving mail server or spam filter
- Fabrikam.com spam filter accepts the connection and performs an SPF record lookup
- The fabrikam.com spam filter requests all TXT records for contoso.com
- The fabrikam.com spam filter analyzes the response for a TXT record that contains a line similar to “v=spf1 …”
- The fabrikam.com spam filter checks to see if the contoso.com email server IP address is listed in the TXT record response.
- If Yes, the email is accepted and processed as expected
- If No, the email is rejected with an NDR
SPF records are used to help mitigate phishing and spoofed messages. If you receive an email from amex.com saying you owe a huge bill (“Click here to log into your account and pay”), an amex.com SPF record could help prevent you from receiving that phishing attempt because the actual sender wouldn’t be authorized to send email as amex.com.
The downside is that this truly depends on the recipient checking SPF records. You as a sender can do absolutely nothing, other than creating the TXT record, to force SPF checking on anyone. But if you have the record available, then you can be better protected. It takes very little time and is a worthwhile thing to set up.
When creating an SPF record, there are many tools online to help you format it properly. The biggest thing is to make sure that the final mail server sending your email is listed in the record.