Sender Policy Framework (SPF) is a simple whitelist of IP addresses that are allowed to send email for a particular domain. It is published as a TXT record in the domain's DNS zone. SPF is one of the ways to reduce spam sent from forged sender addresses. The importance of this feature is such that the Internet Engineering Task Force (IETF) has published RFC 7208, dated April 2014, which defines Sender Policy Framework as a Proposed Standard.
RFC 7208: https://tools.ietf.org/html/rfc7208
What is a TXT record?
A TXT record is short for text record. This type of record can be used to store any human readable information regarding a server, network, data center and other accounting information. Sender Policy Framework also uses this TXT record to store the IP address whitelist.
How does SPF work?
First of all, the sender configures SPF for their domains and mail server IPs. Then the receiving servers check the SPF information upon receiving any email and act according to the specified policy.
Example of an SPF entry below:
v= defines the version of SPF used. The terms that follow are mechanisms used to determine whether a host is eligible to send mail for the domain. The ip4 and a mechanisms specify the systems permitted to send messages for the given domain. The -all at the end specifies that, if none of the previous mechanisms matched, the message should be rejected.
- ALL Matches always; used for a default result like -all for all IPs not matched by prior mechanisms.
- A If the domain name has an address record (A or AAAA) that can be resolved to the sender’s address, it will match.
- IP4 If the sender is in a given IPv4 address range, match.
- IP6 If the sender is in a given IPv6 address range, match.
- MX If the domain name has an MX record resolving to the sender’s address, it will match.
- + for a PASS result. This can be omitted; e.g., +mx is the same as mx.
- ? for a NEUTRAL result, interpreted like NONE (no policy).
- ~ for a SOFTFAIL result. Messages that return a SOFTFAIL are accepted but tagged.
- - for a FAIL result. The mail should be rejected.
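The evaluation described above (walk the mechanisms left to right, the first match decides, and the qualifier on that mechanism gives the result) can be shown with a small offline SPF checker. This is an added example, not code from the original article or from any SPF library: the DNS data in FAKE_DNS is constructed, and the mechanisms covered are exactly the five listed above (all, a, ip4, ip6, mx); include, exists and redirect are deliberately reported as a permanent error rather than implemented.

```python
import ipaddress

# Constructed DNS data standing in for real lookups, so the example runs offline.
# 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 are documentation ranges.
FAKE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 a mx ~all"],
        "A": ["198.51.100.10"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "strict.example": {"TXT": ["v=spf1 ip4:203.0.113.0/28 -all"]},
}

# Qualifier prefix -> result when the mechanism it is attached to matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed zone data."""
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # an omitted qualifier means PASS, e.g. "mx" == "+mx"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def _host_matches(name, sender_ip):
    """True if an A (or AAAA, for IPv6 senders) record of name equals the sender IP."""
    rtype = "AAAA" if sender_ip.version == 6 else "A"
    return any(ipaddress.ip_address(addr) == sender_ip for addr in lookup(name, rtype))


def check_host(sender_ip, domain):
    """Simplified version of the RFC 7208 check_host() evaluation for one domain.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"  # no SPF policy published for this domain
    for qualifier, mech, arg in parse_spf(records[0]):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # A v4 address is never inside a v6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network argument
        elif mech == "a":
            matched = _host_matches(arg or domain, ip)
        elif mech == "mx":
            matched = any(_host_matches(mx, ip) for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror"  # include / exists / redirect are not handled here
        if matched:
            return RESULTS[qualifier]  # first matching mechanism decides
    return "neutral"  # nothing matched and no "all" term: treated as neutral


if __name__ == "__main__":
    for sender, domain in [("192.0.2.5", "example.com"), ("198.51.100.25", "example.com"),
                           ("203.0.113.7", "example.com"), ("203.0.113.99", "strict.example")]:
        print(sender, domain, "->", check_host(sender, domain))
```

Note how the qualifier, not the mechanism, sets the verdict: the same unmatched sender gets softfail from example.com's "~all" but fail from strict.example's "-all". A receiver that only checks for "pass" and ignores the difference between fail and softfail loses exactly the distinction the domain owner published.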