A Network Administrator's Guide to SPF Records

Matthew Fisher - August 19, 2022

Domain Management
Explore our comprehensive SPF Administration Guide to effectively manage SPF records, validate domain ownership, and prevent email spoofing. Learn best practices today.

Sender Policy Framework (SPF) records are TXT records published in your domain's DNS that allow email recipients to check whether the sending host is authorized to send email on behalf of the domain.

Maintaining SPF records can be tedious, so it's important to keep a few things in mind. In this guide, I'll explain the basic construction of SPF records and offer some SPF record management best practice tips.

What are SPF records used for?

SPF records are DNS records used for two purposes: to validate domain ownership and prevent email spoofing. They are published on public DNS services to specify the internal and external services that are authorized to send email on behalf of a domain.


SPF records are a great way to ensure that different services sending email from your domain are authorized to do so. SPF records allow administrators to specify which IP addresses and hostnames are authorized to send email on behalf of their domain.

When you receive email through an email service like Gmail, Yahoo, Mimecast, or Barracuda, SPF records published on the sending domain are evaluated to determine whether the sender is authorized to send email from the domain.

If an email arrives from a server hosted on the IP address 198.51.100.5 using the email address sender@example.com, the recipient server would evaluate the SPF record for example.com to determine whether 198.51.100.5 is an authorized sender for the example.com domain. If the SPF record for example.com is the one below:

v=spf1 mx ip4:192.0.2.0/24 -all

The sender's IP address in this example, 198.51.100.5, is not in the 192.0.2.0/24 block and (assuming it is not also one of example.com's MX hosts) is not covered by example.com's SPF record, so the SPF evaluation results in a fail.

What are the rules for SPF records?

SPF records are published on a domain's public DNS service as TXT records. This allows recipient mail servers to look up the SPF record for the domain they receive messages from and evaluate the validity of the sender. When constructing SPF records, there are a few rules to be aware of, as defined in RFC 7208 - Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1.

SPF Versions

All SPF records begin with a specification of the SPF version being used. The current adopted version of SPF is version 1.

v=spf1

SPF evaluation and qualifiers

There are four qualifiers that can be used in an SPF record to specify how each entry in the record should be evaluated. When a mechanism matches, the evaluation result is pass, fail, softfail, or neutral according to the qualifier +, -, ~, or ? placed in front of it. A mechanism with no qualifier is treated as +.

Qualifier | Result if a match is found | Definition of result
----------|----------------------------|--------------------------------------------------------------------------------
+         | pass                       | The sender is authorized to send from this domain
-         | fail                       | The sender is not authorized to send from this domain
~         | softfail                   | The sender is probably not authorized to send from this domain
?         | neutral                    | The sender might be authorized to send from this domain (no assertion is being made)

In addition to these SPF evaluation results, the following results can occur.

Result    | Definition of result
----------|--------------------------------------------------------------------------------
none      | A valid domain could not be extracted from the message or there was no SPF record published for this domain
temperror | An error occurred (usually DNS) while validating. A later check may succeed
permerror | The SPF record for this domain could not be evaluated

SPF mechanisms

Each entry in an SPF record uses SPF mechanisms to specify hosts that are either permitted or not permitted to send email on behalf of a domain. The SPF mechanisms are described below.

Mechanism | Description                                                                                                                      | Example
----------|----------------------------------------------------------------------------------------------------------------------------------|---------------------------
a         | Evaluation matches if the sender's IP address is one of the A (or AAAA) addresses of the domain                                  | a:example.com
all       | When used as the rightmost mechanism, evaluation matches when no other mechanism matches. Use with the - qualifier to default to a fail result | -all
exists    | Used to construct a dynamic domain name expression to match on arbitrary domain names                                            | exists:%{i}.spf.example.com
include   | Evaluation matches if a recursive check of the specified domain's SPF record returns a pass                                     | include:spf.example.com
ip4       | Evaluation matches if the sender's address is contained within the specified IPv4 network                                        | ip4:198.51.100.0/24
ip6       | Evaluation matches if the sender's address is contained within the specified IPv6 network                                        | ip6:2001:DB8::/32
mx        | Evaluation matches if the sender's IP address is one of the addresses of the domain's Mail Exchanger (MX) hosts                  | mx
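As an added example (not code from the original article), here is a small Python evaluator that applies the qualifiers and mechanisms above to a sender IP, reproducing the example.com check from earlier. It uses a constructed in-memory zone in place of real DNS so it runs offline; the exists mechanism and the redirect modifier are not modelled and yield permerror.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> {record type: values}. Not real data.
ZONE = {
    "example.com":      {"TXT": "v=spf1 mx ip4:192.0.2.0/24 -all",
                         "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["203.0.113.25"]},
    # A partner domain that delegates to example.com via include
    "partner.example":  {"TXT": "v=spf1 include:example.com ~all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, zone=ZONE):
    """Return the SPF result for sender_ip sending mail as <domain>."""
    ip = ipaddress.ip_address(sender_ip)
    record = zone.get(domain, {}).get("TXT")
    if record is None:
        return "none"                        # no SPF record published
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                        # not an SPF version-1 record
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"   # default is +
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # an IPv4 address is never contained in an IPv6 network, and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in zone.get(arg or domain, {}).get("A", [])
        elif name == "mx":
            mx_hosts = zone.get(arg or domain, {}).get("MX", [])
            matched = any(str(ip) in zone.get(mx, {}).get("A", []) for mx in mx_hosts)
        elif name == "include":
            # recursive check: only a "pass" of the included record counts as a match;
            # a fail inside the include does not fail the outer record
            matched = evaluate_spf(arg, sender_ip, zone) == "pass"
        else:
            return "permerror"               # exists/redirect/unknown: not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term present
```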

Best practices for maintaining SPF records

Watch out for SPF record limits

To ensure email deliverability, it is important that your SPF records be correctly constructed and error-free. The two most common errors administrators encounter with SPF records are the 255-character limit and the 10 DNS lookup limit.

SPF records are published as TXT records, but a single SPF record string must not exceed 255 characters per RFC 7208, Section 3.3. Keep your SPF records short and prefer including unchanging IP address blocks over long domain names.

Warning: SPF Record Limit: 255 character record length

There is a 10 DNS lookup limit on SPF records, and it applies recursively to DNS records included by reference. If your SPF record contains an include:spf.example.com mechanism, that requires at least one DNS lookup. If the record published at spf.example.com includes another record, for example spf2.example.com, then a recursive DNS lookup occurs. This can quickly add up and cause you to exceed 10 lookups in your SPF record without your own record changing.

Warning: SPF Record Limit: 10 recursive DNS lookups

To get around these limitations, keep your SPF records short and prefer including unchanging IP address blocks over long domain names. Check your SPF record regularly to identify any changes in recursive DNS lookups that would cause you to exceed the 10 lookup limit. Most importantly, always validate your SPF record before publishing it to avoid running into issues with your email.

How to validate SPF record changes before publishing them

When validating your SPF record, it is important to consider the following:

  1. Does my SPF record follow all of the syntax rules for SPF records?
  2. Are all the mechanisms used in my SPF record correctly structured?
  3. Does my SPF record correctly authorize or fail to authorize certain email services?
  4. Is my record compliant with the 255-character length limit and the 10 DNS lookup limit?
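An added Python example, not from the article or from NetworkCalc's tools, of the two limit checks in the checklist above: it walks the include chain in a constructed zone, counts the terms that cause DNS queries (include, a, mx, ptr and exists mechanisms plus the redirect modifier, the set RFC 7208 section 4.6.4 counts toward the limit of 10) and checks the 255-character string length.

```python
# Constructed zone: domain -> its SPF TXT string. Not real records.
SPF_ZONE = {
    "example.com":        "v=spf1 mx include:spf.example.com include:mailer.example.net ip4:192.0.2.0/24 -all",
    "spf.example.com":    "v=spf1 include:spf2.example.com include:spf3.example.com ~all",
    "spf2.example.com":   "v=spf1 a mx a:relay.example.net -all",
    "spf3.example.com":   "v=spf1 exists:%{i}.spf.example.com ip6:2001:db8::/32 -all",
    "mailer.example.net": "v=spf1 a mx ptr -all",
    "nolookups.example":  "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

# Terms that trigger a DNS query and count toward the limit (RFC 7208 s4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def count_lookups(domain, zone, seen=None):
    """Count DNS-querying terms reachable from domain's SPF record, recursively."""
    seen = set() if seen is None else seen
    count = 0
    for term in zone.get(domain, "").split()[1:]:      # skip the v=spf1 tag
        term = term.lstrip("+-~?")
        if "=" in term:                                  # modifier, e.g. redirect=other.example
            name, arg = term.split("=", 1)
        else:                                            # mechanism, e.g. include:spf.example.com
            name, _, arg = term.partition(":")
        name = name.lower()
        if name not in LOOKUP_TERMS:
            continue
        count += 1                                       # the term itself costs one lookup
        if name in ("include", "redirect") and arg not in seen:
            seen.add(arg)                                # guard against include loops
            count += count_lookups(arg, zone, seen)      # plus everything the referenced record does
    return count


def check_limits(domain, zone=SPF_ZONE):
    """Report the record length and recursive lookup count against the two limits."""
    record = zone.get(domain, "")
    lookups = count_lookups(domain, zone)
    return {"length": len(record), "length_ok": len(record) <= 255,
            "lookups": lookups, "lookups_ok": lookups <= 10}
```

Running check_limits("example.com") on the constructed zone reports 12 lookups, so the example.com record would fail evaluation with permerror even though its own text is short and changed nothing.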

NetworkCalc's SPF Lookup Tool can help validate your SPF records on a schedule or before you publish any changes.


Use the SPF Lookup Tool to find SPF records published on your domain and check their validity against SPF record limits:

NetworkCalc SPF Lookup Tool

Before saving changes to your SPF record, it is a good idea to validate your new record. DNS records can take hours to propagate across the Internet, so it is good to catch issues before publishing them. Use the SPF Syntax Validator to check the validity of your SPF record updates before publishing them:

NetworkCalc SPF Syntax Validator

Summary

If you are sending emails from your domain using different services, SPF records provide a way to authenticate those services and let receiving mail servers know who is authorized to send email from your domain. Setting up SPF records can be tricky, though - there are limits on how long they can be (255 characters) and how many DNS lookups they can contain (10 recursive DNS lookups).

That's where NetworkCalc Pro comes in - we'll alert you when your SPF record is too long or contains too many recursive DNS lookups, so you can fix the problem before your emails start getting blocked. We'll also send you scheduled daily, weekly, or monthly reports on the health of your domain so you can identify issues early and correct them. The reports also serve as a backup of your DNS records, giving you a history of your records before any changes were made.

Never let your SPF record become invalid - use NetworkCalc Pro to get customized alerts for all your domains.
