This is part 3 of an 8-part series on Email Authentication.
Sender Policy Framework (SPF)
For purposes of clarification, the term SPF used in this section refers to SPFv1 or SPF Classic. SPF 2.0 will be discussed in the next section under Sender ID.
Sender Policy Framework (SPF) is an open email authentication standard used to prevent sender address forgery. Using DNS records, it allows senders to publish a list of IP addresses or server names that are authorized to send on their behalf. SPF authenticates the domain used in the “envelope” or return-path email address. This address is used during the transport of the message (from mail server to mail server) and is primarily used to “bounce” or return undeliverable mail back to the sender. It is an internal address and is typically not displayed by mail programs.
Creating and Publishing SPF Records
A sender will publish an SPF record for a given domain. This record is a DNS text record that uses different “mechanisms” to identify which hosts are authorized to send on behalf of that domain. These mechanisms include IP addresses, A records, MX records, and PTR records. SPF records can also include other SPF records as mechanisms to identify authorized hosts.
The following is an example of an SPF record:
example.com. TXT "v=spf1 a mx ip4:192.168.1.1 include:example.net -all"
| Item | Description |
|---|---|
| example.com | The sending domain that is publishing the SPF record |
| TXT | Specifies that this is a DNS text record |
| v=spf1 | Tag that specifies that the text record is using SPF (version 1) |
| a | Specifies that the host named by the A record of example.com is authorized to send on behalf of example.com |
| mx | Specifies that the hosts named by the MX records of example.com are authorized to send on behalf of example.com |
| ip4:192.168.1.1 | Specifies that the IP address 192.168.1.1 is authorized to send on behalf of example.com |
| include:example.net | Specifies that the hosts matched by the mechanisms in the SPF record of example.net are also authorized to send on behalf of example.com |
| -all | Specifies that the hosts included in the SPF record are the only hosts allowed to send on behalf of example.com; all other hosts are not authorized |
A key part of an SPF record is the “all” mechanism. It is used as the rightmost mechanism, and is also what determines how complete the record is. In the above example, a dash (-) “qualifier” is used to signify that only the hosts included in the respective SPF record are authorized for that domain. There are other qualifiers that can be used as well. For example:
To signify that there are other hosts that possibly can send, or are in transition to do so on behalf of the domain, the SPF record would be terminated with “~all”.
To signify that it is not known if any of the hosts are authorized to send on behalf of the domain, the SPF record would be terminated with “?all”.
Authenticating SPF Records
ISPs that authenticate inbound email using the SPF record will check the mechanisms in order until one is found that matches the sending host. If the matching mechanism passes, the ISP can then accept the message for delivery. If the record is either not valid, or not definitive about which hosts are authorized to send on behalf of the respective domain (for example, a record ending in “~all” or “?all”), the ISP can opt either to accept the message but mark it as invalid, or to not deliver the message at all.
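As an added worked example (not code from the original post), here is a minimal SPF checker in Python that evaluates the example.com record from the previous section the way this section describes: mechanisms are walked left to right and the qualifier of the first match decides the result. It uses a constructed DNS table instead of live lookups (the example.net record, A and MX answers are assumptions made for the demo), handles the a, mx, ip4, include and all mechanisms with the four qualifiers, and leaves ptr, exists and redirect= unimplemented.

```python
import ipaddress

# Constructed DNS answers standing in for live lookups so the demo runs offline.
DNS = {
    ("example.com", "TXT"): ["v=spf1 a mx ip4:192.168.1.1 include:example.net -all"],
    ("example.com", "A"): ["203.0.113.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def ip_in(ip, cidr):
    # A bare address (no /prefix) is treated as a /32, as in an ip4:192.168.1.1 mechanism.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def check_spf(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for a sending IP and domain."""
    if depth > 10:  # recursion guard for include: loops (real checkers cap DNS lookups at 10)
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if (t.split() or [""])[0].lower() == "v=spf1"]
    if len(records) != 1:
        return "none" if not records else "permerror"  # exactly one SPF record is allowed
    for term in records[0].split()[1:]:
        qual = "+"  # a mechanism with no qualifier means "pass" if it matches
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True  # always matches, so it only makes sense as the last mechanism
        elif name == "ip4":
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        elif name == "mx":
            matched = any(ip_in(ip, a) for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        elif name == "include":
            # Simplification: only a "pass" from the included record counts as a match.
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # ptr, exists, redirect= and unknown terms are not implemented
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and the record had no "all" mechanism
```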