What is SPF?

It’s not Sun Protection Factor: SPF stands for Sender Protection Framework. SPF is one of a collection of technologies used to authenticate email at sending time, and it is highly recommended for all email senders.

Why do we need SPF and Email Authentication?

Email authentication is necessary because, in the early days of email, there was a high degree of trust: the pool of users was small, and the network access and skills required to set up and maintain an email server were a high barrier to entry. As a result, the SMTP protocol has no mechanism to validate that a given server is actually authorized to send the message it is trying to relay, and to this day it is easy and straightforward to connect to any remote system and claim to be any given person:

[vps23468]$ telnet smtp.freesmtpservers.com 25
Trying 104.237.130.88...
Connected to smtp.freesmtpservers.com.
Escape character is '^]'.
220 tools.wpoven.com Python SMTP 1.4.2
HELO fakeserver.amazon.com
250 tools.wpoven.com
MAIL FROM: jbezos@amazon.com
250 OK
RCPT TO: employee@amazon.com
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
From: Jeff
To: CFO
Subject: Please wire the funds for our new client

Please send $50,000 to MaliciousCorp Ltd.
Jeff
.
250 OK

The remote server happily accepts this, because that’s how things used to work, and the SMTP standard changes very slowly. This has led to spoofing, phishing, and many other malicious problems.

The solution is to augment SMTP with additional layers of security, one of which is SPF. These authentication mechanisms make it clear to receiving servers which systems are and are not authorized to send mail on behalf of a given domain, making it possible for receivers to separate the real from the fake more easily, protecting not only the users but also the senders.

How Does SPF Work?

SPF allows a domain owner to publish a specially formatted TXT record in DNS that lists which hosts are authorized to send mail on behalf of that domain. When a receiving MTA accepts a message, it takes the domain from the message's return path (the MAIL FROM command seen above) and looks up that domain's SPF record, if one exists.

An SPF record looks like this:

"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 -all"

This record lists a range of IPs, plus one specific IP, that are allowed to send mail on behalf of the domain, and excludes all other hosts from sending mail on its behalf. If the IP address of the connecting system does not match, the message cannot be trusted and should be either dropped or placed in the spam folder.
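To make the receiving-side check concrete, here is an added example (not code from the original article) that evaluates an SPF record against the IP of the connecting system. The domains and records in FAKE_DNS are constructed stand-ins for real DNS answers, and only the ip4, ip6, include and all mechanisms are modelled.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> SPF TXT record (no real lookups).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # deliberately broken record
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms per evaluation


def check_spf(sender_ip, domain, dns=FAKE_DNS, _lookups=None):
    """Evaluate the SPF record for `domain` against the connecting IP.

    Returns pass / fail / softfail / neutral / none / permerror, mirroring
    the decision a receiving MTA makes before trusting the MAIL FROM domain.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no record published: nothing to authenticate against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass on match"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return RESULT[qualifier]  # catch-all for every IP not matched above
        if name in ("ip4", "ip6"):
            # An IPv6 sender never matches an ip4 network, and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULT[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups: record is unusable
            sub = check_spf(sender_ip, arg, dns, lookups)
            if sub == "permerror":
                return "permerror"  # a broken included record breaks the whole check
            if sub == "pass":
                return RESULT[qualifier]
        # a, mx, exists and other mechanisms are not modelled in this example
    return "neutral"  # record ended without a matching term
```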

Do I Need an SPF Record?

Even if you do not consider your domain to be susceptible to spoofing or phishing, you should have an SPF record in place to help with your deliverability. Because preventing malicious sending matters so much, all of the major mailbox providers strongly recommend publishing SPF records and may treat messages from domains without them as more suspicious, since the mail cannot be authenticated properly.

Authentication is like showing an ID: it proves that you are who you claim to be, but it doesn’t prove that you are trustworthy. That means that using SPF isn’t some magic bullet that will guarantee access to the inbox, but gives the mailbox providers a reliable identifier to track your reputation over time, and it’s that solid positive reputation that keeps your messages from ending up in the spam folder.

How Do I Set Up an SPF Record?

It depends on how you send your mail. If you send through a mailbox hosting service, it will provide instructions for configuring the SPF record properly. If you run your own mail server, you will need to know the IP address of that server. If you use a combination of systems, you will need to combine the instructions for each into a single record.

It’s easiest to use a tool for generating your records, such as the one provided by MXToolbox. Regardless of how your record is assembled, the steps to add it to your DNS records will vary depending on how you manage DNS.
