Protect Your Domain From Email Spoofing with SPF

Print
Matthew Fisher - November 15, 2021

Cover image for article: Protect Your Domain From Email Spoofing with SPF.
local_offer Domain Management
local_offer Security
Get control over who can send email from your domain to reduce spoofing attacks.

Why You Should Use SPF

Email is a powerful communication tool that requires proper configuration to protect against attacks. SPF records help publish and maintain your domain's security, which benefits both email administrators as well as customers with emails coming from an approved sender address.

In today's cybersecurity environment, attacks can come from many angles, even from within your own organization. SPF uses the Domain Name System (DNS) to allow you to maintain a list of external domains and IP addresses that are allowed to send emails on behalf of your organization.

In this article, I will cover the essential information you need to know to create and maintain SPF records for your domain.

How SPF Works

SPF stands for Sender Policy Framework. An SPF record is a text record published on your DNS server that specifies a list of senders (domains and IP addresses) who are authorized to send emails from your domain. Most email services will reject emails coming from your domain that are not authorized by your organization's SPF policy. Having an SPF record published on your domain authorizes services to send email on your behalf and helps to prevent email spoofing.

SPF is a standard, as defined in RFC 7208 - Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1. The SPF standard defines a text string, published as a TXT record, that implements your sender policy. An example SPF record is shown below:

v=spf1 mx include:networkcalc.com ip4:123.234.123.234 -all

SPF records consist of multiple terms that are separated by spaces. I will describe how each of the terms are formed next.

All SPF records begin with a version specification. The first term for all SPF records must be v=spf.

Mechanisms

Following the version, an SPF record has one or more mechanism terms. A mechanism in an SPF record is a term that is evaluated and results in one of three possible conditions: match, not match, or exception. The table below shows all of the types of SPF mechanisms:

Mechanism How it is Matched
a Match if the sender's IP address is the same as any of this domain's A records
mx Match if the sender's IP address is the same as any of this domain's MX records
ip4 Match if the sender's IP address is within a given IPv4 network
ip6 Match if the sender's IP address is within a given IPv6 network
exists Match if a valid domain exists at the address specified with this mechanism (this mechanism has a special syntax)

Qualifiers

The behavior of each mechanism in an SPF record can be altered by a qualifier. A qualifier in an SPF record is a symbol placed at the front of a mechanism term that specifies what should happen on any one of the SPF conditions: match, not match, exception. There are four SPF qualifiers that can be used: +, -, ~, and ?. The table below describes each of the SPF qualifiers:

Qualifier Name Behavior
+ Pass The sender is designated as authorized by the domain. This is the default qualifier ans is implied when no qualifier is included.
- Fail The sender is designated as unauthorized by the domain.
~ SoftFail The sender is designated as unauthorized by the domain, but is in transition.
? Neutral Nothing can be said about the sender's authorization.

SPF Validation and Limits

While working with SPF records for your domain, it is important to keep in mind that there are limits you must adhere to. The two SPF record limits that are commonly missed are the 255 character limit and the 10 DNS lookups limit.

The maximum length of an SPF record is 255 characters. The SPF record can actually be longer than 255 characters if it is broken out into multiple SPF strings published as separate records.

Another limit you must be aware of with your SPF record is that there is a limit of 10 DNS lookups per SPF record per domain. Where most email administrators run into trouble with this limit is with recursive DNS lookups. The lookup count is increased by any DNS lookups your SPF record makes directly, as well as by any DNS lookups made by records you include in your record. This can cause your record to exceed 10 lookups rather quickly. This also means that you must monitor your SPF record for any changes made by domains you include in your record. If one of your vendors changes their SPF record, it could cause your SPF record to exceed the DNS lookup limit.

Checking your SPF regularly for changes in any of the referenced domains is important for keeping your email protected. Our SPF Validator is a free calculator that enables you to quickly evaluate the health of your SPF record, or check a record you plan to publish to ensure it is valid. You can monitor your SPF record by integrating the DNS Tools API into your own software.

SPF Checker

Validate the SPF records for a domain like 'example.com' or the syntax on a to-be-published SPF record.
SPF Lookup

Tool for looking up a domain's SPF record or validating an SPF record string

How to Set up SPF Records

Every domain is registered with a registrar that maintains a database of domains and their owners. Frequently, registrars offer DNS services to go along with your domain registration. Some organizations have a need to maintain their DNS services elsewhere, either on their own infrastructure, or using a third-party DNS provider.

To create or update your SPF record, you should first identify your DNS provider. If you don't know your DNS provider, you can identify it for your domain using NetworkCalc's DNS Tools. Enter your domain name, check of the NS record type, and look up your domain. The DNS records will list the name servers for your domain:

Example of name server lookup for networkcalc.com

Once you have identified your DNS provider, you can publish your SPF record. To publish an SPF record for your domain, confirm that the record is valid, then create a TXT-type DNS record with your DNS provider. Email services will look for this record when receiving emails from your domain to verify that an email has not been spoofed.


Subscribe for more articles like this.