SPF: Its Functionality and How To Use It On Your Server - Setting Up an SPF Record
(Page 3 of 4)
SPF records are kept in the DNS zone for a domain. Because the authoritative name servers for a domain are delegated from the top-level-domain servers, the record found there is the one published by the domain's owner. Concretely, the record is stored in a DNS TXT record. A TXT record is a general-purpose way to publish extra, free-form data in DNS. An SPF record follows a specific syntax, so a receiving server can look up all of the TXT records for a domain and pick out the one that holds the SPF information.
These records generally refer to other DNS records that identify the servers authorized to send mail. For a simple domain set-up, you can state that the A or MX records contain the correct information and leave it at that. However, the SPF framework also allows more complex records that make administering multiple domains easier. In particular, an SPF record can simply point to the record for a different domain, so an administrator who manages many domains edits one SPF record and the change applies to the authorized servers for all of them. In an ISP, or in a company with multiple domains, this is particularly useful: if one dedicated email server handles mail for many different domains, only one SPF record ever needs to change.
In addition, if there is an email server which sends mail but doesn’t have an MX or A record in DNS, it is possible to specify IP addresses which are authorized to send mail.
The actual syntax of an SPF record has the following structure. The first element in the TXT record must give the version of SPF that the record uses; the current version is SPF version 1, written as “v=spf1”. After this you can write a simple “a” or “mx” to authorize the servers named by those records in your DNS. That is, the servers listed in your zone under “A” and “MX” records are allowed to send email for your domain. If additional IP addresses send email, they are added with the “ip4:” or “ip6:” mechanism: follow the “:” with the address in CIDR notation (the IP address followed by the number of bits in the subnet mask, e.g. 192.0.2.0/24). You can also use “include:” to add another domain's SPF record to the set of authorized senders for your domain. For instance, if you sometimes send email through an ISP or work server, you may want to add their domains with an “include:” term. Finally, end the record with either “-all” or “~all”. “-all” means that all mail from IP addresses not listed in the record fails the check and receiving servers should not accept it. “~all” means that mail from unlisted IP addresses gets a “softfail”: the domain owner is not willing to hard-fail mail from other IPs, but such mail should be examined more closely or flagged as possibly bad.
Some example records might look like:
atlantisvalley.com IN TXT "v=spf1 a mx -all"
atlantisvalley.com IN TXT "v=spf1 a mx include:mydomain.com ~all"
atlantisvalley.com IN TXT "v=spf1 redirect=mydomain.com"
The redirect modifier here tells anyone looking up this SPF record to use the record for “mydomain.com” as the SPF record for atlantisvalley.com, including that record's final “all” term.
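To show how a receiving server actually applies the syntax described above, here is a small SPF evaluator written as an added example for this article; it is not code from the original page. It uses a constructed, in-memory DNS table (the domain names, RFC 5737 documentation addresses and records in it are assumptions) instead of real lookups, and it implements the terms the article covers: “a”, “mx” (with an optional /prefix), “ip4:”/“ip6:”, “include:”, “redirect=” and the “-all”/“~all” endings. It also enforces the RFC 7208 limit of ten DNS-querying terms per evaluation, which is what stops a looping or over-nested record from turning every check into a flood of queries.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline; the domains,
# addresses (RFC 5737 documentation ranges) and records are assumptions.
DNS = {
    "atlantisvalley.com": {
        "A": ["192.0.2.10"],
        "MX": ["mail.atlantisvalley.com"],
        "TXT": ["v=spf1 a mx ip4:203.0.113.0/24 include:mydomain.com ~all"],
    },
    "mail.atlantisvalley.com": {"A": ["192.0.2.25"]},
    "mydomain.com": {"A": ["198.51.100.5"], "TXT": ["v=spf1 a -all"]},
    "redirected.example": {"TXT": ["v=spf1 redirect=mydomain.com"]},
    "prefixed.example": {"A": ["192.0.2.0"], "TXT": ["v=spf1 a/24 -all"]},
    "badinclude.example": {"TXT": ["v=spf1 include:nospf.example -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_TERMS = 10  # RFC 7208 limit on a/mx/include/redirect terms per check


def lookup(domain, rtype):
    return DNS.get(domain.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Pick the one TXT record that starts with the SPF version tag."""
    records = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        return "permerror"  # two SPF records for one name is a permanent error
    return records[0] if records else None


def host_matches(ip, hosts, prefix):
    """True if ip falls inside any A-record address, widened by an optional /prefix."""
    for host in hosts:
        net = ipaddress.ip_network(f"{host}/{prefix or 32}", strict=False)
        if ip in net:  # an IPv6 sender never matches an IPv4 network, and vice versa
            return True
    return False


def check_host(ip, domain, _budget=None):
    """Evaluate the SPF record of `domain` for the connecting address `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    budget = [MAX_DNS_TERMS] if _budget is None else _budget
    record = spf_record(domain)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"
    ip = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # modifier: applied only if nothing matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith(("ip4:", "ip6:")):
            name, arg = term.split(":", 1)
            name, prefix = name.lower(), None
        else:
            body, _, prefix = term.partition("/")  # e.g. "a/24" or "mx:other.example/28"
            name, _, arg = body.partition(":")
            name = name.lower()
        if name in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = host_matches(ip, lookup(arg or domain, "A"), prefix)
        elif name == "mx":
            for mx_host in lookup(arg or domain, "MX"):
                if host_matches(ip, lookup(mx_host, "A"), prefix):
                    matched = True
                    break
        elif name == "include":
            inner = check_host(str(ip), arg, budget)
            if inner in ("none", "permerror"):
                return "permerror"  # included domain must publish a usable record
            matched = inner == "pass"  # include only matches on a pass
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        budget[0] -= 1
        if budget[0] < 0:
            return "permerror"
        inner = check_host(str(ip), redirect, budget)
        return "permerror" if inner == "none" else inner
    return "neutral"  # nothing matched and no redirect: RFC 7208 default


if __name__ == "__main__":
    for sender, dom in [("192.0.2.10", "atlantisvalley.com"),
                        ("192.0.2.99", "atlantisvalley.com"),
                        ("192.0.2.99", "mydomain.com")]:
        print(sender, dom, "->", check_host(sender, dom))
```

Two behaviours are worth noticing when you read the results. An “include:” only contributes a match when the included record returns pass; a fail inside the include does not fail the outer check, which is why unlisted senders end up at the outer record's “~all” (softfail) rather than the included “-all”. A “redirect=”, by contrast, hands the whole decision to the other record, so its “-all” applies directly.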
More By Michael Swanson