What is an SPF record?
An SPF record is a line of text published in the DNS that lists the IP addresses (directly, or via hosts and included records that resolve to them) authorized to send email for the domain. When a mail server receives a message, it looks up the SPF record for the domain in the envelope sender (the SMTP MAIL FROM address, or the HELO name when MAIL FROM is empty) and checks whether the IP address of the connecting server is listed. If there is no match, the email does not pass the SPF test; whether that is a hard fail or a softfail depends on the qualifier on the record's final "all" mechanism.
What is an SPF record's format?
An SPF record is a special form of a DNS TXT record. It lets an organization list all legitimate sources that are permitted to send email on behalf of the organization's domain.
Authenticating legitimate sending sources by including them in the SPF record gives receiving systems information about how trustworthy the origin of an email is, and it can significantly improve the overall deliverability of an organization's email channel.
In practice, an SPF record on its own is not enough to fully protect an email channel: it validates only the envelope sender, so it cannot prevent spoofing of the visible From address, and it has some technical limitations.
SPF has a few technical limitations that are difficult to overcome. Although multiple sending servers can be added to a record, each character string in a DNS TXT record is limited to 255 bytes, so a longer record has to be published as several strings (which resolvers concatenate without separators), and RFC 7208 recommends keeping the whole record under 450 bytes so the DNS answer fits in a single UDP packet. More seriously, evaluating a record may cause at most 10 DNS lookups (include, a, mx, ptr, exists and redirect each count, and included records count recursively); with the widespread adoption of third-party sending services that limit is easily exceeded, and the result is a permerror rather than a pass. For a lot of organizations the standard SPF implementation is therefore not sufficient.
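The check described above (connecting IP against the record) and the two limits just mentioned (255-byte TXT strings and the 10-lookup cap) are easy to get wrong by hand. The following is an added example, not code from the page or from Mimecast: a small offline SPF parser and linter. It evaluates only the ip4, ip6 and all mechanisms because it performs no DNS queries; include, a, mx, ptr, exists and redirect are counted toward the lookup limit but not resolved. The sample record and the client addresses are constructed from RFC 2606/5737 documentation names and ranges.

```python
import ipaddress

# Constructed sample record for demonstration; the domains are documentation
# names, not real senders. The two include terms and the mx term each cost one
# DNS lookup under RFC 7208 section 4.6.4; ip4, ip6 and all cost nothing.
SAMPLE_SPF = ("v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
              "include:_spf.example.net include:spf.example.org mx -all")

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return a list of (qualifier, term_name, argument) tuples."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    terms = []
    for field in fields[1:]:
        qualifier = "+"                       # the default qualifier is "+"
        if field[0] in "+-~?":
            qualifier, field = field[0], field[1:]
        if "=" in field:                      # modifier, e.g. redirect=... or exp=...
            name, _, arg = field.partition("=")
        else:                                 # mechanism, e.g. ip4:... or a bare mx
            name, _, arg = field.partition(":")
        name = name.partition("/")[0]         # strip a bare CIDR suffix such as "a/24"
        terms.append((qualifier, name.lower(), arg))
    return terms


def count_lookups(record):
    """Count lookup-causing terms in this record only (includes are not followed)."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)


def check_ip(record, client_ip):
    """Offline SPF evaluation of the connecting IP against ip4/ip6/all.
    Lookup-based mechanisms are skipped because this example does no DNS,
    so a real resolver could still produce a pass through an include."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"            # malformed address literal
            if ip.version != net.version or ip not in net:
                continue
        elif name != "all":
            continue                          # include/a/mx/ptr/exists need DNS
        return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                          # nothing matched and no "all" term


def txt_strings(record, limit=255):
    """Split a record into <=255-byte strings for a TXT RR. Resolvers concatenate
    the strings without separators (RFC 7208 section 3.3), so byte boundaries
    are fine; the joined strings must reproduce the record exactly."""
    data = record.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def lint_record(record, max_lookups=10, soft_max_bytes=450):
    """Report the lookup cap and the RFC 7208 section 3.4 size recommendation."""
    problems = []
    lookups = count_lookups(record)
    if lookups > max_lookups:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of {max_lookups}")
    size = len(record.encode("ascii"))
    if size > soft_max_bytes:
        problems.append(f"{size} bytes exceeds the recommended maximum of {soft_max_bytes}")
    return problems


if __name__ == "__main__":
    for client in ("192.0.2.77", "2001:db8:1::5", "198.51.100.9"):
        print(client, check_ip(SAMPLE_SPF, client))
    print("lookups:", count_lookups(SAMPLE_SPF), "problems:", lint_record(SAMPLE_SPF))
```

A record with eleven include terms passes every syntax check but is rejected by `lint_record`, which is the failure mode that surfaces only after a new third-party sender is added; running the linter on the record before publishing it catches that in advance.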
To ensure email deliverability and security of the email channel, it is desirable to be able to add virtually unlimited sending servers to the SPF record. Mimecast DMARC Analyzer SPF Delegation allows users to add unlimited sending servers (lookups) in a user-friendly interface. Leveraging SPF delegation reduces risk and significantly speeds up DMARC deployment projects. SPF delegation enables a safe, smart and fast way to reach a DMARC reject policy.
Mimecast encourages the use of DNS Delegation for SPF as it complements a DMARC project.
Improving your SPF record with DMARC
Sender Policy Framework (SPF) is an email authentication method that helps to stop spam, spoofing and email attacks. Using the SPF email protocol, organizations can publish an SPF record in the domain's DNS that identifies the mail servers authorized to send email for the domain. With this information, ISPs and receiving mail servers can perform an SPF test, checking the SPF record to see whether an email is sent from an authorized server.
While the information in an SPF record can block some threats, it does nothing to stop email where only the visible "From" header is spoofed, because SPF validates the envelope sender rather than the header. An SPF check also fails on forwarded email, since the forwarding server's IP address is not in the original domain's record. And for SPF to be effective, an organization must keep its SPF record constantly updated, which becomes difficult over time as organizations change ISPs and sending services.
Domain-based Message Authentication, Reporting & Conformance, or DMARC, is an email validation method that builds on the SPF and DKIM protocols. An email must pass SPF and/or DKIM authentication, and the domain in the "From" header must align with the domain that SPF authenticated (the envelope sender domain) or the domain in the DKIM signature (its d= tag); alignment can be relaxed (same organizational domain) or strict (exact match). Most helpfully, DMARC also tells receivers how messages that fail to authenticate should be processed (none, quarantine or reject) and where to send reports about them.
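The alignment rule is what turns SPF and DKIM into protection for the visible From address, and the forwarding case above is where it matters most. The following is an added example, not code from the page or from Mimecast: it parses a DMARC record and applies the alignment logic to four constructed scenarios (an attacker whose own domain passes SPF, a third-party sender with an aligned DKIM signature, a forwarded message where SPF fails but DKIM survives, and a message that authenticates nothing). The organizational-domain function is a two-label simplification that stands in for the Public Suffix List a real implementation would consult; the `pct` and `sp` tags are ignored. All domains are RFC 2606 documentation names.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption for
    this example). Real implementations use the Public Suffix List so that
    mail.example.co.uk maps to example.co.uk rather than co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from_domain, authenticated_domain, mode):
    """Identifier alignment: 's' requires an exact match, 'r' (relaxed, the
    default) requires the same organizational domain."""
    if mode == "s":
        return header_from_domain.lower() == authenticated_domain.lower()
    return org_domain(header_from_domain) == org_domain(authenticated_domain)


def dmarc_evaluate(header_from_domain, spf_result, mail_from_domain,
                   dkim_result, dkim_domain, policy):
    """Return (dmarc_result, disposition). SPF counts only if it passed for the
    envelope sender AND that domain aligns with the header From; DKIM counts
    only if a signature passed AND its d= domain aligns. Either one suffices."""
    spf_aligned = (spf_result == "pass" and mail_from_domain is not None
                   and aligned(header_from_domain, mail_from_domain,
                               policy.get("aspf", "r")))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(header_from_domain, dkim_domain,
                                policy.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # Failing messages get the requested policy; pct= and sp= are ignored here.
    return "fail", policy.get("p", "none")


# Constructed policy: the domain owner requests reject with relaxed alignment.
POLICY = parse_dmarc("v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com")

# Constructed scenarios as (header From domain, SPF result, MAIL FROM domain,
# DKIM result, DKIM d= domain).
SCENARIOS = {
    # Attacker's own domain passes SPF, but it does not align with the From header.
    "spoofed_from": ("example.com", "pass", "attacker.example.net", "none", None),
    # Third-party sender bounces to its own domain (SPF unaligned); DKIM is aligned.
    "esp_with_dkim": ("example.com", "pass", "bounce.esp.example", "pass", "example.com"),
    # Forwarded mail: SPF fails at the forwarder's IP, the DKIM signature survives.
    "forwarded": ("example.com", "fail", "example.com", "pass", "example.com"),
    # Nothing authenticates: SPF fail and no DKIM signature.
    "unauthenticated": ("example.com", "fail", "example.com", "none", None),
}


def run_scenarios(policy=POLICY):
    """Evaluate every constructed scenario under the given policy."""
    return {name: dmarc_evaluate(*args, policy) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} -> {outcome}")
```

The spoofed message fails even though SPF returned pass, because the pass belongs to the attacker's envelope domain and not to the From domain; the forwarded message passes because the aligned DKIM signature survives the hop that broke SPF.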
Despite the many benefits of the DMARC protocol, it can be challenging for organizations to implement and manage this powerful authentication technique. That's where Mimecast can help.
SPF record FAQs
What is SPF email authentication?
The SPF email authentication technique enables a domain owner to publish information in an SPF record in the DNS that lists the IP addresses authorized to send email for the domain. A receiving mail server can check that list against the IP address of the server delivering an incoming email to determine whether the message came from an authorized source.
What are the limitations of SPF email authentication?
SPF email authentication has a few major limitations. It can only check the authenticity of the envelope from (MAIL FROM) address, so it cannot identify emails where the sender is spoofing the display name or the header From address in the message. SPF breaks when a message is forwarded, and maintaining and updating SPF records can be a challenge as brands add new mail streams or change ISPs.