How to set up SPF records
by ZetaGecko | 6 Comments | Email
SPF is an emerging standard that lets the owners of domain names tell the people who receive email claiming to be from that domain name which SMTP servers are allowed to send email from that domain name. That's a slightly complex sentence, so let me give you an example. Then I'll make a note or two about how to add SPF records to your DNS settings. There is a point or two that is quite difficult to figure out from the documentation I've found online, but once you figure it out, it's not that difficult. So, the example of the process:
1) A spammer sends an email with a fake address--let's say that address is fakeaddress@geckotribe.com.
2) It leaves their email client and goes through their ISP's SMTP server--let's say that's smtp.spammerisp.com (in reality, they probably wouldn't use their ISP's SMTP server, but we'll ignore that fact).
3) The message arrives at the recipient's (poor@sucker.com) mail server (mail.sucker.com).
4) Their mail server (mail.sucker.com) checks the sender's address (fakeaddress@geckotribe.com) and extracts the domain name from it (geckotribe.com).
5) mail.sucker.com asks the DNS server for geckotribe.com (ns.geckotribe.com) for a list of SMTP servers that are allowed to send email addressed from geckotribe.com (like fakeaddress@geckotribe.com).
6) ns.geckotribe.com replies that mail.geckotribe.com and mail.myhomeisp.com are allowed to send such email, and no one else.
7) mail.sucker.com notes that smtp.spammerisp.com is not on the list.
8) mail.sucker.com either rejects the message or marks it in some way so that the recipient knows that the SPF check failed, so it's likely that it's spam.
There's the process. How does the administrator for geckotribe.com set up the DNS record to indicate that mail.geckotribe.com and mail.myhomeisp.com are allowed to send email addressed from geckotribe.com? Here are two lines that need to be added to the DNS configuration file, followed by an explanation of them:
geckotribe.com. IN TXT "v=spf1 a:mail.geckotribe.com ?include:myhomeisp.com -all"
mail.geckotribe.com. IN TXT "v=spf1 a:mail.geckotribe.com -all"
On the first line:
• geckotribe.com.: this indicates "mail addressed from somebody@geckotribe.com". Note the "." after ".com". You can either put that dot there, or omit "geckotribe.com." completely.
• IN TXT: Indicates that this is a text record. Trust me. That's what you want.
• v=spf1: Indicates that this is an SPF version 1 record. You need this.
• a:: An "A" record (not a CNAME, TXT, MX, NS... or other type of DNS record). IMPORTANT NOTE: "a:" could have been prefixed with a plus sign, i.e., this could have been "+a:mail.geckotribe.com". The plus sign is optional--it is the default prefix. It means that if this rule matches, then the sender is legitimate. I'll mention other prefixes later.
• mail.geckotribe.com: Look up the IP address for mail.geckotribe.com--if that's the IP address you're getting the mail from, then it's legitimate.
• ?: The question mark prefix means that if the following rule matches, the sender may or may not be legitimate. I'll tell you why you'd use a question mark here in a minute.
• include:: This means that I don't know the IP addresses or fully qualified domain names of the mail servers that I'm going to talk about next, but I'm going to name the domain that you should ask for that information.
• myhomeisp.com: This is the domain name of the ISP I connect to the internet through when I'm at home. Now to answer the question of why we prefixed this rule with a question mark. It's because when I send email via my ISP, it's legitimate, but if somebody else with the same ISP sends mail claiming to be from geckotribe.com, it's not. The question mark says "don't rule it out, but it might not be legitimate".
• -: The minus sign says that if the following rule matches, then the sender is not legitimate.
• all: This rule matches anybody who wasn't already matched by one of the preceding rules.
Briefly, the second line means that if mail claims to be from somebody@mail.geckotribe.com, it's legit if it came via mail.geckotribe.com, but not if it came from anywhere else.
To recap and point out a few more things:
• You can put multiple rules on each line. They are evaluated from left to right until one matches. The rest are ignored.
• "+" means legitimate, "?" means it might be legitimate, and "-" means it's not legitimate.
• Each rule starts with a prefix (if none is specified, then the default is "+") followed by "a", "include", "ptr", "mx" or one of a few other things (check the specifications for details) followed by a colon.
• You should end each line with ?all or -all. Use ?all if you want to be able to send email through any ISP (for example, if you send email from your laptop as you travel all over the place). Use -all if you know (and have indicated earlier on the line) every possible SMTP server that you might send email through.
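As an added example (not code from the original post), here is a small SPF evaluator in Python that walks through steps 4 to 8 of the process above and the left-to-right rule evaluation from the recap. The DNS table is constructed for the example: the IP addresses, the MX data and the policy for myhomeisp.com are all assumptions, and real checks would query live DNS instead. It also honours the "~" (softfail) prefix from the current SPF specification, which the post does not list.

```python
"""Minimal SPF (v=spf1) evaluator over an in-memory DNS table.

Added example; not code from the original post. All DNS data below is
constructed for illustration (documentation-range addresses).
"""
import ipaddress

# Constructed DNS data for the post's example domains (hypothetical values).
DNS = {
    "geckotribe.com": {
        "TXT": ["v=spf1 a:mail.geckotribe.com ?include:myhomeisp.com -all"],
        "MX": ["mail.geckotribe.com"],
    },
    "mail.geckotribe.com": {
        "A": ["192.0.2.10"],
        "TXT": ["v=spf1 a:mail.geckotribe.com -all"],
    },
    # Assumed policy for the home ISP: its outbound relays live in one /24.
    "myhomeisp.com": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 -all"],
    },
    "spammerisp.com": {"A": ["203.0.113.5"]},  # no SPF record published
}

# Prefix (qualifier) -> result when the rule it precedes matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get(name.rstrip(".").lower(), {}).get(rrtype, [])


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None."""
    recs = [t for t in lookup(domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None  # none or several: unusable


def parse(record):
    """Split a record into (qualifier, mechanism, argument) triples, left to right."""
    terms = []
    for term in record.split()[1:]:       # skip the leading "v=spf1"
        if "=" in term:                   # modifiers (redirect=, exp=) not handled here
            continue
        qual = "+"                        # "+" is the default prefix
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms


def ip_in_cidr(ip, cidr):
    """True if ip lies in cidr; a bare address is treated as a /32 or /128."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_host(ip, domain, depth=0):
    """Evaluate sender ip against domain's SPF record (steps 4-8 of the post).

    Returns "pass", "fail", "softfail", "neutral", "none" or "permerror".
    Rules are tried left to right; the first that matches decides the result.
    CIDR suffixes on a/mx and the ptr mechanism are not implemented.
    """
    if depth > 10:
        return "permerror"                # guards against include loops
    record = spf_record(domain)
    if record is None:
        return "none"
    for qual, mech, arg in parse(record):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_in_cidr(ip, arg)
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # include: matches only if the other domain's policy says "pass";
            # its own prefix (here "?") then decides what that match means.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"            # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                      # ran off the end with no "all"


if __name__ == "__main__":
    # smtp.spammerisp.com claiming to be fakeaddress@geckotribe.com
    print("spammer via own ISP:", check_host("203.0.113.5", "geckotribe.com"))
    print("our own mail server:", check_host("192.0.2.10", "geckotribe.com"))
    print("home ISP relay     :", check_host("198.51.100.77", "geckotribe.com"))
```

Running it shows the three outcomes the post describes: the spammer's relay hits "-all" and fails, mail.geckotribe.com passes on the "a:" rule, and a host inside the home ISP's range matches the include but, because of the "?" prefix, only comes back neutral rather than pass.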
It's all clear now, right? Yeah. Clear as mud. Here's hoping this helps us curb the tide of SPAM.
June 14th, 2008 at 1:33 am
Now that I've written an SPF record what do I do with it?
June 14th, 2008 at 3:35 am
You add it to the zone file for your domain name, update the serial number for your DNS configuration (also in that file), upload it to your DNS server, and restart your DNS server software (probably BIND) to get it to reread your zone file. Either that, or you send it to whoever handles your DNS and ask them to add it to your zone file.
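As an added example of what that zone-file edit looks like (not from the post or its comments), here is a BIND-style zone excerpt for geckotribe.com with the two TXT records from the post in place. The serial number, the name-server and hostmaster names, and the IP address for mail are placeholders.

```zone
; Added example zone file for geckotribe.com; serial and addresses are placeholders.
$TTL 3600
@       IN SOA  ns.geckotribe.com. hostmaster.geckotribe.com. (
                2008061402 ; serial: increase this every time the file changes
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative-cache TTL
        IN NS   ns.geckotribe.com.
        IN MX   10 mail.geckotribe.com.
        IN TXT  "v=spf1 a:mail.geckotribe.com ?include:myhomeisp.com -all"
mail    IN A    192.0.2.10   ; placeholder address
mail    IN TXT  "v=spf1 a:mail.geckotribe.com -all"
```

After reloading the zone (on BIND 9, `rndc reload geckotribe.com`), `dig +short TXT geckotribe.com` should print the quoted v=spf1 string; if it still shows the old data, the serial was not bumped and secondaries will not pick up the change.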
December 1st, 2010 at 5:24 pm
[...] have SPF DNS records (many servers reject mail without a valid SPF, GMail for example, here’s an explanation and a [...]
October 3rd, 2011 at 9:55 am
[...] I just checked the recent stats on one of my other blogs, and it turns out the article that’s pulling in the second highest amount of traffic is one I wrote back in 2004 explaining how to set up SPF records for your email server. [...]