What is an SPF record?

An SPF record, or Sender Protection Framework record, is a DNS entry that allows a receiving mail server to verify that the email was sent by the correct server.  An SPF record is read from left to right, with the aim being to get a pass or fail for the sending server IP.

In DNS the record type can be SPF or TXT, with the SPF type taking precedence (but it is not as widely supported). If there is more than one SPF record found then a PermError will be returned and the receiving server should reject the email.  Similarly, if there is more than one TXT record found that starts with v=spf1 then a PermError will also be returned.

What is the syntax of an SPF record?

The full syntax can be found at OpenSPF; what follows covers the most often used components.

The mandatory start piece is v=spf1.  This is so that when there are multiple TXT records in DNS the SPF one can be picked out.

Multiple mechanisms can be specified:

  • a: Look up the A record(s) for the domain in DNS, and check whether the sending IP address is among them
  • all: Matches any sending IP address
  • include: Look up another domain's SPF record and evaluate it
  • ip4: Check whether the sending IP address is within this IPv4 address or range
  • ip6: Check whether the sending IP address is within this IPv6 address or range
  • mx: Look up the A records of the domain's MX hosts in DNS, and check whether the sending IP address is among them

Each mechanism can be prefixed with a single qualifier character, the default being +:

  • - Fail, and the recommended action is to reject the message
  • + Pass, and the recommended action is to accept the message
  • ? Neutral, and the recommended action is to accept the message
  • ~ SoftFail, and the recommended action is to accept and mark the message

The ip4 and ip6 mechanisms can use a prefix length as a suffix to check for membership of a subnet instead of an explicit IP address.

The a and mx mechanisms can take a prefix length suffix and/or a domain name.  The prefix length works the same way as for ip4 and ip6: instead of checking only the IP address(es) found for the domain, the check is widened to the subnet that contains them.  If a domain name is given, that domain is checked instead of the sender's domain.
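To make the left-to-right evaluation, the qualifiers and the a/mx/ip4/ip6/include suffixes concrete, here is an added example (not code from the original post) of a small SPF evaluator in Python. It runs against a constructed, in-memory stand-in for DNS, so the domain names, records and addresses in FAKE_DNS are hypothetical test data rather than real records; the function and table names are my own.

```python
import ipaddress

# Constructed stand-in for DNS: hypothetical domains and addresses for testing.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 mx a:www.example.com ip4:192.0.2.0/29 include:bulk.example.net ~all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("www.example.com", "A"): ["192.0.2.20"],
    ("bulk.example.net", "TXT"): ["v=spf1 ip6:2001:db8::/32 -all"],
    ("shop.example.com", "TXT"): ["v=spf1 a/29 -all"],   # a with a prefix length
    ("shop.example.com", "A"): ["192.0.2.33"],
    ("dup.example.com", "TXT"): ["v=spf1 -all", "v=spf1 +all"],  # two v=spf1 records
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns(name, rtype):
    """Answer a query from the constructed table (empty list = no data)."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def get_spf(domain):
    """Return (status, record): exactly one v=spf1 TXT record is required."""
    recs = [r for r in dns(domain, "TXT") if r.lower().split() and r.lower().split()[0] == "v=spf1"]
    if not recs:
        return "none", None
    if len(recs) > 1:
        return "permerror", None  # more than one SPF record is a PermError
    return "ok", recs[0]


def parse_term(term):
    """Split '~a:host/29' into (qualifier, mechanism, argument, prefix length)."""
    qual = "+"
    if term[0] in QUALIFIERS:
        qual, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    name, _, prefix = name.partition("/")          # a/29 -> ("a", "29")
    if arg and name.lower() in ("a", "mx"):
        arg, _, prefix = arg.partition("/")         # a:host/29 -> ("host", "29")
    return qual, name.lower(), arg, (int(prefix) if prefix else None)


def check_host(ip, domain, depth=0):
    """Evaluate SPF for sending address `ip` claiming `domain`.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:
        return "permerror"                          # runaway include chain
    status, record = get_spf(domain)
    if record is None:
        return status
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:                 # left to right, after v=spf1
        qual, name, arg, prefix = parse_term(term)
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a v4 sender never falls inside a v6 network and vice versa
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            target = arg or domain
            hosts = dns(target, "MX") if name == "mx" else [target]
            for host in hosts:
                for addr in dns(host, "A"):
                    plen = prefix if prefix is not None else ipaddress.ip_address(addr).max_prefixlen
                    if sender in ipaddress.ip_network(f"{addr}/{plen}", strict=False):
                        matched = True
        elif name == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"                  # a missing/broken included record is fatal
            matched = sub == "pass"                 # include only matches on a pass
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                                # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.5", "2001:db8::1", "198.51.100.1"):
        print(ip, "->", check_host(ip, "example.com"))
```

The include branch is the part people most often get wrong: a fail or softfail inside the included record does not fail the outer check, it simply does not match, and evaluation continues with the next term of the outer record.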

What are common examples of SPF records?

v=spf1 mx -all

The servers that receive email for the sender’s domain are the same ones that send email to the Internet (and they use the same external IP address)

v=spf1 a -all

The IP address of the web server for the sender’s domain is also used for all outbound email

v=spf1 a/29 -all

The subnet of the web server for the sender’s domain also contains the IP addresses used for all outbound email

v=spf1 ip4:1.1.1.0/29 -all

The subnet 1.1.1.0/29 contains the IP addresses used for all outbound email

v=spf1 mx:contoso.com -all

The servers that receive email for the contoso.com domain are the same ones that send email to the Internet (and they use the same external IP address)

v=spf1 a:contoso.com -all

The IP address of the web server for the contoso.com domain is also used for all outbound email

What about SPF for an Office 365 hosted domain?

For Office 365 the email domain of the sender is used to get the SPF record from DNS.  e.g. if twan.vanbeers@neroblanco.co.uk sent an email to bob@here.com, then the mail server at here.com would look for a TXT record for neroblanco.co.uk.

> set type=txt
> neroblanco.co.uk
Non-authoritative answer:
neroblanco.co.uk text =
"v=spf1 include:spf.protection.outlook.com -all"

So now what does this all mean…

v=spf1

Mandatory start to the record, it shows that this TXT record is an SPF record

include:spf.protection.outlook.com

Grab the SPF record from spf.protection.outlook.com and see if we pass that check.

-all

Fail the SPF check for any other servers not already passed

Ok so now we have an include so let’s expand the include

> spf.protection.outlook.com
Non-authoritative answer:
spf.protection.outlook.com text =
"v=spf1 ip4:207.46.101.128/26 ip4:207.46.108.0/25 ip4:207.46.100.0/24 ip4:207.46.163.0/24 ip4:65.55.169.0/24 ip4:157.55.133.0/25 ip4:157.56.110.0/23 ip4:157.55.234.0/24 ip4:213.199.154.0/24 ip4:213.199.180.0/24 include:spfa.protection.outlook.com -all"
> spfa.protection.outlook.com
Non-authoritative answer:
spfa.protection.outlook.com text =
"v=spf1 ip4:157.56.120.0/25 ip4:157.56.116.0/25 ip4:157.56.112.0/24 ip4:134.170.140.0/24 ip4:134.170.132.0/24 ip4:207.46.51.64/26 ip4:157.55.158.0/23 ip4:157.56.87.192/26 ip4:64.4.22.64/26 include:spfb.protection.outlook.com -all"
> spfb.protection.outlook.com
Non-authoritative answer:
spfb.protection.outlook.com text =
"v=spf1 ip6:2a01:111:f400::/48 ip4:23.103.128.0/19 ip4:23.103.198.0/23 ip4:65.55.88.0/24 ip4:104.47.0.0/17 ip4:23.103.200.0/21 ip4:23.103.208.0/21 ip4:23.103.191.0/24 ip4:216.32.180.0/23 ip4:40.107.0.0/16 -all"

Wow that is a lot of IP subnets!  Also that required 4 DNS lookups.  The maximum number of lookups in the RFC is defined as at most 10, however a number of mail servers don’t look up more than 6, so be careful with include!

What do you do if you need more than 6 lookups?

For example what if you use Office 365 for email and want to use MailChimp for bulk mail shots?

There are two options, a simple one and a harder one:

Option 1: Use a subdomain (the simple and safe option)

If you’re ok with using a subdomain for MailChimp then that would be better, as it is simple to implement and avoids the bulk email from causing problems with Office 365.

To do this you would set up a new subdomain in DNS, e.g. news.contoso.com and you’d set the records as prescribed by MailChimp.  If you wanted mail for this to route into your Office 365 (but not out of) then you would add the standard Office 365 MX record, and add the domain to Office 365.

Option 2: Combine SPF records (the harder and potentially dangerous one)

Combining SPF records seems simple; to combine Office 365 and MailChimp you would think you could just put

"v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all"

However remember our limit of no more than 6 lookups?  Office 365 requires 3 and MailChimp requires 3 plus our original lookup to get our SPF makes 7…  Now what…

To resolve this you’d need to expand either Office 365 down to IP ranges, or MailChimp.  Now given that MailChimp says it only has two IP ranges, I’d choose MailChimp, which would make the SPF record

v=spf1 include:spf.protection.outlook.com ip4:205.201.128.0/20 ip4:198.2.128.0/18 -all

However if MailChimp did change their IP ranges then you’d need to update your SPF too, or risk mail being dropped.
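Both the lookup-counting problem above and the fix of expanding one side down to IP ranges can be checked mechanically. The following is an added example in Python, not code from the original post: it counts the lookup-triggering terms in a record (include, a, mx, and also ptr, exists and redirect, which the RFC counts towards the same limit of 10; the post's tally of 7 additionally counts the initial fetch of the domain's own record) and flattens a chosen include into the ip4/ip6 terms it resolves to. The DNS table is constructed: the Office 365 entries are abbreviated from the nslookup output above, while the servers.mcsv.net chain is a hypothetical three-level layout ending in the two MailChimp ranges the post quotes, not the real contents of that record.

```python
# Constructed DNS table (TXT records only). The three *.protection.outlook.com
# entries are shortened from the post's nslookup output; the mcsv.net chain is
# hypothetical and exists only to reproduce "three lookups" for MailChimp.
FAKE_DNS = {
    "contoso.com": "v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all",
    "spf.protection.outlook.com": "v=spf1 ip4:207.46.101.128/26 include:spfa.protection.outlook.com -all",
    "spfa.protection.outlook.com": "v=spf1 ip4:157.56.120.0/25 include:spfb.protection.outlook.com -all",
    "spfb.protection.outlook.com": "v=spf1 ip6:2a01:111:f400::/48 ip4:40.107.0.0/16 -all",
    "servers.mcsv.net": "v=spf1 include:spf1.mcsv.net -all",                      # hypothetical
    "spf1.mcsv.net": "v=spf1 ip4:205.201.128.0/20 include:spf2.mcsv.net -all",      # hypothetical
    "spf2.mcsv.net": "v=spf1 ip4:198.2.128.0/18 -all",                             # hypothetical
}

# Terms that cost a DNS lookup during evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def terms(record):
    """All terms of a record after the leading v=spf1."""
    return record.split()[1:]


def mech_name(term):
    """'~include:x.com' -> 'include', 'a/29' -> 'a', 'redirect=x.com' -> 'redirect'."""
    t = term.lstrip("+-~?")
    return t.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()


def target_of(term):
    """Domain named by an include: or redirect= term."""
    return term.split("=" if "=" in term else ":", 1)[1]


def count_lookups(record, depth=0):
    """Number of DNS lookups evaluating `record` would trigger, includes expanded."""
    if depth > 10:
        raise ValueError("include/redirect chain deeper than 10 levels")
    n = 0
    for term in terms(record):
        name = mech_name(term)
        if name in LOOKUP_TERMS:
            n += 1
        if name in ("include", "redirect"):
            sub = FAKE_DNS.get(target_of(term), "v=spf1")   # missing record: nothing more to count
            n += count_lookups(sub, depth + 1)
    return n


def collect_ips(domain, depth=0):
    """ip4/ip6 terms that `domain`'s record (and its includes) would pass on.
    Only '+' terms are copied: inside an include, only a pass matters, so a
    -ip4 or ~ip4 term there can never contribute a match to the outer record."""
    if depth > 10:
        raise ValueError("include chain deeper than 10 levels")
    ips = []
    for term in terms(FAKE_DNS.get(domain, "v=spf1")):
        name = mech_name(term)
        if term[0] in "-~?":
            continue
        if name in ("ip4", "ip6"):
            ips.append(term.lstrip("+"))
        elif name == "include":
            ips.extend(collect_ips(target_of(term), depth + 1))
        elif name in LOOKUP_TERMS:
            # a/mx/ptr/exists would need resolving too; refuse rather than drop silently
            raise ValueError(f"cannot flatten {term!r} in {domain}")
    return ips


def flatten_include(record, target):
    """Return `record` with include:<target> replaced by the ranges it resolves to."""
    out = []
    for term in terms(record):
        if mech_name(term) == "include" and target_of(term) == target:
            out.extend(collect_ips(target))
        else:
            out.append(term)
    return "v=spf1 " + " ".join(out)


if __name__ == "__main__":
    before = FAKE_DNS["contoso.com"]
    after = flatten_include(before, "servers.mcsv.net")
    print(count_lookups(before), "lookups:", before)
    print(count_lookups(after), "lookups:", after)
```

Running this against the constructed table gives 6 lookups for the combined record and 3 once the MailChimp include is flattened, which is the same trade the post makes: fewer lookups in exchange for having to re-run the flattening whenever the provider's ranges change.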

I hope this helped explain what SPF records are for you!

Twan van Beers

Twan is a senior consultant with over 20 years of experience. He has a wide range of skills including Messaging, Active Directory, SQL, Networking and Firewalls. Twan loves to write scripts and get deep and dirty into debugging code, in order to understand and resolve the most complex of problems.
