Email sent from your company's domain is sensitive. It carries your image and the trust your clients place in you, which makes it an attractive tool for criminals running phishing and other fraud. Abuse of your domain can hurt the business and get your mail blocked or blacklisted.
SPF stands for Sender Policy Framework. It is a DNS record (published as a TXT record) through which receiving mail servers validate legitimate email: it lists the mail servers allowed to send email in your company's name (domain). It strengthens the reputation of your mail server and helps prevent domain spoofing.
How does the SPF record work?
An SPF record lets a domain owner publish a list of approved senders (outgoing mail servers), identified by hostname or IP address. Receiving servers use this list to verify whether a message comes from a server allowed to send on your business's behalf. When the message arrives from a server that is not on the list, the receiving server treats it as unauthorized; what it then does with the message depends on the qualifier in your record and on the receiver's own policy.
Put differently, the receiving server fetches the SPF record of the sender's domain and checks whether the IP address of the connecting mail server is approved to send on that domain's behalf.
To validate the originating mail server, SPF does not check the From: header the reader sees but the envelope sender: the address given in the SMTP MAIL FROM command, which the final receiving server records as the Return-Path header. Return-Path is the address to which bounces and other delivery notices are sent, and it is the identity SPF authenticates. This is also why SPF alone does not stop spoofing of the visible From: address; DMARC is what ties the two identities together.
Why should you have SPF records on your domain?
- Email can be delivered without an SPF record, but publishing one removes a common reason for rejection or spam filing, and major mailbox providers increasingly expect it.
- It raises the trust mailbox providers place in your identity, so your mail is more likely to land in the inbox instead of the spam folder.
- It reduces the risk of misdirected bounces (backscatter). Spammers forge your address as the sender, and mail servers that reject their messages send the automated bounce to you; a receiver that checks SPF can reject the forgery during the SMTP session, so no bounce is generated.
- Domains with SPF records are less attractive to phishers and spammers, because forged mail is more likely to be caught by spam filters: once a filter looks up the SPF record and sees that the sending server is not authorized, the message gets spam treatment.
- SPF needs to be combined with other authentication protocols (DKIM, DMARC) to be fully effective, since on its own it authenticates the Return-Path rather than the From: address the reader sees. Publishing it is the first layer of a defense that prevents abuse and improves deliverability.
What does an SPF record look like?
A typical record, as entered in the DNS zone:
- Hostname: yourdomain.com
- Type: TXT (the dedicated SPF record type was deprecated by RFC 7208; publish SPF as a TXT record)
- Value: v=spf1 include:_spf.yourdomain.com ~all
- TTL (Time To Live): 1 hour.
The "v=spf1" tag gives the SPF version. The words that follow are called mechanisms; the receiving server evaluates them left to right, and the first one that matches the connecting server decides the result. The closing "~all" is the mechanism that matches everything not matched earlier: with the tilde qualifier it tells the receiver to treat such a server as a soft fail (usually accepted but marked), whereas "-all" would ask the receiver to reject it outright.
Let's look at the most common SPF mechanisms.
+a – a host whose IP appears in the domain's A or AAAA record is authorized to send email (the "+" is the default qualifier and is usually omitted).
~all – matches every sender not matched by an earlier mechanism; with the tilde, such mail is a soft fail, typically accepted but marked or sent to spam.
mx – authorizes the A or AAAA addresses of each host listed in the domain's MX records, i.e. your inbound mail servers.
ip4 – an IPv4 address or CIDR range that is authorized to send.
ip6 – an IPv6 address or CIDR range that is authorized to send.
Mechanisms can be prefixed with one of the following qualifiers:
- – Minus is used for FAIL. The message should be rejected.
- ~ Tilde is used for SOFT FAIL. Such messages are usually accepted but marked as failing.
- ? Question mark is used for NEUTRAL, which means no policy (same as having no record).
- + Plus is used for PASS. Accept the message. This is the default when a mechanism carries no qualifier.
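To make the evaluation described above concrete (fetch the sender domain's record, walk the mechanisms left to right, apply the qualifier of the first match), here is a small SPF checker in Python. It is an added example written for this page, not code from the original article or from any SPF library, and it is deliberately simplified: DNS is replaced by a constructed in-memory table so it runs offline, the domain names and IP addresses in that table are made up (they use documentation address ranges), and the `redirect=`/`exp=` modifiers and the exact 10-lookup limit of RFC 7208 are not implemented. It covers the mechanisms and qualifiers listed above, and also shows a detail the text does not: an `include:` only matches when the included domain returns PASS, so a `-all` inside an included record does not reject mail by itself.

```python
import ipaddress

# Constructed, offline stand-in for DNS. Assumption: every name, address and
# record here is invented for the example (192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24 and 2001:db8::/32 are documentation ranges). A real checker
# would query DNS at this point.
DNS = {
    ("yourdomain.com", "TXT"): [
        "v=spf1 mx ip4:203.0.113.0/24 include:_spf.yourdomain.com ~all",
        "some-other-verification=token",  # unrelated TXT record, must be ignored
    ],
    ("yourdomain.com", "MX"): ["mail.yourdomain.com"],
    ("mail.yourdomain.com", "A"): ["198.51.100.25"],
    ("_spf.yourdomain.com", "TXT"): ["v=spf1 ip4:192.0.2.10 ip6:2001:db8::/32 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Return the records of the given type for a name from the constructed table."""
    return DNS.get((name.lower(), rrtype), [])


def spf_records(domain):
    """Only TXT records that start with the SPF version tag count as SPF."""
    return [r for r in lookup(domain, "TXT") if r == "v=spf1" or r.startswith("v=spf1 ")]


def host_has_ip(ip, host):
    """True if the host's A (or AAAA, for IPv6 clients) records contain ip."""
    rrtype = "A" if ip.version == 4 else "AAAA"
    return any(ip == ipaddress.ip_address(a) for a in lookup(host, rrtype))


def check_spf(client_ip, mail_from_domain, depth=0):
    """Evaluate SPF for the connecting IP against the envelope sender's domain.

    mail_from_domain is the domain of the SMTP MAIL FROM / Return-Path address,
    not of the From: header. Returns one of: pass, fail, softfail, neutral,
    none, permerror.
    """
    if depth > 10:  # crude stand-in for the RFC 7208 limit on DNS-querying mechanisms
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    records = spf_records(mail_from_domain)
    if not records:
        return "none"
    if len(records) > 1:  # two SPF records on one name is a configuration error
        return "permerror"
    for term in records[0].split()[1:]:  # skip the "v=spf1" tag
        if "=" in term:  # modifiers (redirect=, exp=) are not handled in this example
            continue
        qualifier = "+"  # a mechanism with no qualifier means PASS
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # an IPv6 client never matches an ip4 range, and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_ip(ip, arg or mail_from_domain)
        elif mech == "mx":
            matched = any(host_has_ip(ip, mx) for mx in lookup(arg or mail_from_domain, "MX"))
        elif mech == "include":
            # include: matches only if the included domain evaluates to PASS;
            # its own fail/softfail does not propagate, evaluation just continues
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]  # first matching mechanism decides
    return "neutral"  # record exhausted without a match (no "all" term)


if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.25", "192.0.2.10", "2001:db8::1", "192.0.2.99"):
        print(f"{ip:>14} from yourdomain.com -> {check_spf(ip, 'yourdomain.com')}")
    print(f"domain without SPF -> {check_spf('192.0.2.99', 'nospf.example')}")
```

Running it shows the authorized addresses (the ip4 range, the MX host, the two addresses reachable through include:) returning pass, while 192.0.2.99 returns softfail: the included record's "-all" does not fail the message, it only means the include did not match, so the top-level "~all" decides. Whether a softfail is then delivered, marked, or quarantined is the receiving server's choice, which is why "-all" is the stricter setting once you are sure your list of senders is complete.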
Setting up SPF records for your domain helps protect it from forged emails that phish your clients' private data, and it improves the chances that your legitimate mail lands where it belongs: in your clients' inboxes.