Blog: SPF

As we’ve been working through migrating email delivery from Barracuda ESS to Proofpoint, one of the issues that keeps popping up concerns SPF records. I figured I’d give a quick overview of how SPF records work and why this can be an important issue.

SPF records are TXT records in DNS. These records are intended so that you can publish which mail servers are authorized to send email on your domain’s behalf. The way it works is this:

  1. jdoe@contoso.com sends email to jsmith@fabrikam.com.
  2. The contoso.com email server looks up the MX records for fabrikam.com to route the email to the appropriate receiving mail server or spam filter.
  3. The fabrikam.com spam filter accepts the connection and performs an SPF record lookup:
    1. The fabrikam.com spam filter requests all TXT records for contoso.com.
    2. The fabrikam.com spam filter scans the response for a TXT record that begins with “v=spf1 …”.
    3. The fabrikam.com spam filter checks whether the connecting IP address (the contoso.com email server) is listed in that TXT record.
      1. If yes, the email is accepted and processed as expected.
      2. If no, the email is rejected with an NDR.

SPF records are used to help mitigate phishing and spoofed messages. If you receive an email from amex.com saying you owe a huge bill (“Click here to log into your account and pay”), an amex.com SPF record could help prevent you from receiving that phishing attempt because the actual sender wouldn’t be authorized to send email as amex.com.

The downside is that this truly depends on the recipient checking SPF records. You as a sender can do absolutely nothing, other than creating the TXT record, to force SPF checking on anyone. But if you have the record available, then you can be better protected. It takes very little time and is a worthwhile thing to set up.

When creating an SPF record, there are many tools online to help you format it properly. The biggest thing is to make sure that the final mail server sending your email is listed in the record.
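To make the lookup steps above and the “is my sending server actually listed?” question concrete, here is a small SPF evaluator. It is an added example, not code from the original post, Barracuda, or Proofpoint. It runs against a constructed in-memory DNS table (using the post’s contoso.com and fabrikam.com placeholder names plus a made-up `_spf.example-filter.net` include) instead of querying real DNS, it handles the `ip4`, `ip6`, `a`, `mx`, `include` and `all` mechanisms with their `+`/`-`/`~`/`?` qualifiers, and it enforces the ten-lookup limit; it goes slightly beyond the post by also showing the softfail (`~all`) outcome. Modifiers such as `redirect=` and `exp=` and prefix lengths on `a`/`mx` are skipped, which is an assumption made to keep the example short.

```python
"""Minimal SPF evaluator over a constructed, in-memory DNS table.

Added example; not the original post's code. The zone data below is
constructed for illustration only. A real checker would query DNS for the
TXT/MX/A records; this one never touches the network.
"""
import ipaddress

# Constructed DNS zone data standing in for real lookups.
DNS = {
    "contoso.com": {
        "TXT": [
            "v=spf1 mx ip4:203.0.113.0/24 include:_spf.example-filter.net -all",
            "some-unrelated-site-verification=abc123",  # ignored: not an SPF record
        ],
        "MX": ["mail.contoso.com"],
    },
    "mail.contoso.com": {"A": ["198.51.100.25"]},
    # Hypothetical outbound filtering service that relays contoso.com mail.
    "_spf.example-filter.net": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
}

MAX_DNS_LOOKUPS = 10  # limit on mx/a/include lookups per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def find_spf_record(domain):
    """Steps 3.1/3.2 of the post: fetch all TXT records, keep the v=spf1 one."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(records) != 1:          # zero records means no policy; two is an error
        return None
    return records[0]


def check_host(ip, domain, _counter=None):
    """Step 3.3 of the post: is the connecting IP authorized for domain?

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    addr = ipaddress.ip_address(ip)
    counter = _counter if _counter is not None else {"lookups": 0}
    record = find_spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        if "=" in term:
            continue  # assumption: modifiers (redirect=, exp=) are not handled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("mx", "a", "include"):
            counter["lookups"] += 1
            if counter["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(ipaddress.ip_address(a) == addr
                          for a in lookup(arg or domain, "A"))
        elif name == "mx":
            matched = any(ipaddress.ip_address(a) == addr
                          for host in lookup(arg or domain, "MX")
                          for a in lookup(host, "A"))
        elif name == "include":
            # include only matches when the referenced policy returns pass
            matched = check_host(ip, arg, counter) == "pass"
        else:
            return "permerror"                  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                            # record ended without a match


def sender_is_listed(ip, domain):
    """The check the post recommends before going live: does the server that
    finally delivers your mail get a pass from your own record?"""
    return check_host(ip, domain) == "pass"


if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.77", "192.0.2.9", "198.51.100.200"):
        print(ip, "->", check_host(ip, "contoso.com"))
    print("fabrikam.com has no record:", check_host("10.0.0.1", "fabrikam.com"))
```

Running it shows the four outcomes a receiving filter can reach from one record: the MX host and the `ip4` range both pass, a host covered only by the included filter’s policy passes through the `include`, an unlisted address hits `-all` and fails, and a domain with no `v=spf1` TXT record yields `none`, which is why the post stresses publishing the record at all.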


We recently needed to create SPF records for several email domains belonging to one of our customers. Sender Policy Framework is implemented as a DNS TXT record, and it gives a receiving email server a way to verify which IP addresses are valid senders for a given email domain. The syntax can be a little tricky, so I found several good sites to help generate the SPF record. One of the best was Microsoft’s wizard, which retrieves the actual IP addresses from DNS to build the TXT record. After you answer a few questions about your email flow, it creates the record, which you can copy and paste into your DNS configuration.
https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/