Sender Policy Framework (SPF) is an email authentication mechanism that lets a receiving mail server check whether a message claiming to come from your domain was sent from an IP address approved by that domain's administrators. The policy is published as a DNS TXT record that lists the mail servers authorized to send email on behalf of your domain name. SPF records defend your domain by preventing spammers from sending messages with bogus From: addresses attached to your domain.
SPF records are published using the TXT record type, and an SPF record is usually a single string of text. The record starts with the v= element, which indicates the SPF version in use. The most common version is spf1, since it is understood by most mail exchangers. An example record:
v=spf1 a mx ip4:188.8.131.52 include:_spf.google.com ~all
The version indicator is followed by terms made up of mechanisms and modifiers. The terms define the rules for which hosts may send mail from the domain and provide additional information for processing the SPF record.
The defined mechanisms include:
all: Sets the policy for 'all other sources'. It should be placed at the end of the SPF record, since it provides the default for any source not matched by an earlier term. Use a qualifier to define the policy that is to be applied.
a: Defines the A record of the current or specified domain as an authorized sending source.
include: Only a single SPF record is allowed per domain, but with the include mechanism the SPF policies of multiple other domains can be referenced from within that single record.
ip4: Defines an IPv4 address or address range as an authorized sending source.
ip6: Defines an IPv6 address or address range as an authorized sending source.
mx: Defines the DNS MX record of the current or specified domain as an authorized sending source.
exists: Checks for the existence of an A record for the given domain.
To decide how a match is handled, each mechanism may be prefixed with one of the following qualifiers (when none is written, + is assumed):
+ for pass,
- for fail,
~ for soft fail,
? for neutral
The defined modifiers include:
exp: The exp modifier provides an explanation string that is returned when a mechanism carrying the '-' (fail) qualifier is matched.
redirect: This modifier is used when an organization has multiple domains and wants to apply the same SPF content to all of them. SPF records must limit the number of mechanisms and modifiers that require DNS lookups to 10 per SPF check. If a single SPF record would need more than this maximum, you are required to send some of the messages from subdomains beneath your naked domain.
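As an added example (not from the original article), the following Python code splits an SPF record into its qualifiers, mechanisms and modifiers, counts the terms that consume one of the 10 permitted DNS lookups, and evaluates the ip4, ip6 and all terms for a given sender address entirely offline. The a, mx and include terms are parsed and counted but not resolved, since that would require DNS; the record strings in the comments are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Mechanism names defined by SPF (anything else is a permanent error in a real evaluator)
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Terms that each consume one of the 10 DNS lookups allowed per SPF check
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

@dataclass
class Term:
    qualifier: str     # "+", "-", "~" or "?"; "+" is the default when none is written
    name: str          # mechanism or modifier name, lower-cased
    value: str         # text after ":" or "=", "" if absent
    is_modifier: bool  # modifiers use name=value, mechanisms use name[:value]

def parse_spf(record: str) -> list:
    """Split an SPF TXT string into terms; raise ValueError for a malformed record."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for raw in parts[1:]:
        if "=" in raw and ":" not in raw.split("=", 1)[0]:  # modifier, e.g. redirect=...
            name, value = raw.split("=", 1)
            terms.append(Term("+", name.lower(), value, True))
            continue
        qual = "+"
        if raw[0] in QUALIFIERS:
            qual, raw = raw[0], raw[1:]
        name, _, value = raw.partition(":")
        if name.lower() not in MECHANISMS:
            raise ValueError(f"unknown mechanism: {name}")
        terms.append(Term(qual, name.lower(), value, False))
    return terms

def count_lookups(record: str) -> int:
    """Number of terms that need a DNS query; more than 10 is a permanent error."""
    return sum(1 for t in parse_spf(record) if t.name in LOOKUP_TERMS)

def check_ip(record: str, sender_ip: str) -> str:
    """Evaluate only the ip4/ip6/all terms offline; a, mx and include would need DNS."""
    addr = ipaddress.ip_address(sender_ip)  # e.g. "188.8.131.52" from the record above
    for t in parse_spf(record):
        if t.name in ("ip4", "ip6") and addr in ipaddress.ip_network(t.value, strict=False):
            return QUALIFIERS[t.qualifier]
        if t.name == "all":  # default for every source not matched earlier
            return QUALIFIERS[t.qualifier]
    return "neutral"  # no term matched and no "all": treated as neutral
```

Running check_ip on the article's example record returns "pass" for 188.8.131.52 and "softfail" for any other address that the ip4 term does not cover, with count_lookups reporting 3 (a, mx and include).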
SPF increases the chance of your email landing in the inbox by building trust with ISPs. Along with DMARC and DKIM, it serves as an extra layer of security that reduces backscatter bounces and error notifications. Your email will be delivered without trouble, as SPF protects your email against spoofing.
KDMARC analyses your SPF record and provides a report that allows the experts within your organization to set a record appropriate for the organization.