SPF stands for "Sender Policy Framework". It is a TXT record placed in the DNS zone of a domain name that lists all the servers "allowed" to send mail for that domain. TXT records are used to publish various kinds of information in a DNS zone: the SPF value is one of them, others are DMARC policies and verification strings (for SSL certificates, onboarding of Microsoft 365, and so on).
SPF is a form of email authentication.
Consider how it works as follows: if a mail is sent from your domain name to, say, a gmail.com address, the receiving mail server looks up the SPF record of your domain and checks whether the server that actually delivered the mail (!) was allowed to send it.
If that server is in the list in the SPF record, the mail passes the check; if it is not, gmail.com will refuse the mail or flag it as spam, depending on the policy at the end of the record.
SPF only checks the envelope sender: the address given in the SMTP MAIL FROM command, which ends up in the Return-Path header of the delivered mail. It therefore does not help against e-mail spoofing where the envelope sender is a domain the attacker controls (so SPF passes), while the From: address shown in the e-mail client displays your domain.
A DMARC (Domain-based Message Authentication, Reporting and Conformance) record addresses this problem: it requires that the domain that passed SPF (or DKIM) matches the domain in the From: header, and tells receivers what to do when it does not.
You can look up the SPF record of a domain with:
nslookup -type=TXT domainname.be
This can return the following value:
domainname.be. IN TXT "v=spf1 a mx ip4:192.168.1.1 include:spf.provider.be -all"
The different components of an SPF record are as follows:
v: the version of the SPF protocol, spf1 in this case.
a: the address in the A (or AAAA) record of the domain name itself may send mail for the domain. This can be extended to a:<hostname>, in which case the address of the server with that hostname may send mail for this domain.
mx: this specifies that the servers handling incoming mail may also send mail for the domain name.
ip4: an IPv4 address (or a range in CIDR notation, e.g. ip4:192.168.1.0/24) that is allowed to send mail for the domain name. There is also an ip6 variant for IPv6 addresses.
include: pulls the SPF record of another domain into this one; in our example spf.provider.be itself contains an SPF record with servers that may send mail for this domain. This is the usual way to authorize a mail provider or cloud service.
all: the "all" mechanism matches every sender and should always be the last item in the SPF record; its qualifier gives the result for any server that did not match one of the previous items (anything after "all" is ignored).
-all ("hardfail") means that mail from a server that is not in the list fails the check; the receiving server may reject it outright or treat it as spam.
+all means that any server may send for this domain name, which makes the record useless, so this is strongly discouraged!
~all is a so-called "softfail": it tells the receiving mail server that the sending server is probably not authorized, without asking for rejection. The message will usually be accepted but may be labeled as spam.
?all is a neutral setting: the record makes no statement about whether the server is authorized or not, and receivers treat this the same as having no SPF record at all.
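To make the check described above concrete, here is a small SPF evaluator written for this article (it is not Kinamo's code and not part of any mail server). It walks through the mechanisms of the record exactly as a receiving server does, left to right, with the first match deciding the result, and includes the include: recursion and the lookup budget. DNS is replaced by a constructed in-memory table so the example runs offline: the names spf.provider.be, soft.example, lazy.example and loop.example and all addresses are hypothetical, only the domainname.be record is the one shown on this page. It also shows the point made above about spoofing: authenticate() checks the envelope-sender domain and merely reports whether it matches the From: header domain, which is the alignment check DMARC adds.

```python
"""Toy SPF evaluator: how a receiving mail server checks a sending IP against
the v=spf1 record of the envelope-sender domain (RFC 7208, simplified)."""
import ipaddress

# Constructed stand-in for DNS so the example runs offline. The names are
# hypothetical; domainname.be reuses the record shown in the article.
FAKE_DNS = {
    ("domainname.be", "TXT"): ["v=spf1 a mx ip4:192.168.1.1 include:spf.provider.be -all"],
    ("domainname.be", "A"): ["203.0.113.10"],
    ("domainname.be", "MX"): ["mail.domainname.be"],
    ("mail.domainname.be", "A"): ["203.0.113.25"],
    ("spf.provider.be", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("soft.example", "TXT"): ["v=spf1 ip4:203.0.113.99 ~all"],
    ("lazy.example", "TXT"): ["v=spf1 +all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

MAX_DNS_TERMS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per check
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfError(Exception):
    """Raised where a real evaluator would return 'permerror'."""


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def get_spf_record(domain):
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise SpfError(f"{domain}: more than one v=spf1 record")
    return records[0] if records else None


def ip_in_hosts(ip, hostnames):
    """True if `ip` is one of the A (or AAAA) addresses of any listed host."""
    rtype = "A" if ip.version == 4 else "AAAA"
    return any(ipaddress.ip_address(a) == ip for h in hostnames for a in lookup(h, rtype))


def check_host(ip, domain, budget=None):
    """Return pass / fail / softfail / neutral / none for `ip` sending as `domain`.

    Mechanisms are tried left to right; the first one that matches decides the
    result through its qualifier. Supports a, mx, ip4, ip6, include and all
    (no ptr/exists/redirect, no /cidr suffix on a and mx)."""
    ip = ipaddress.ip_address(ip)
    budget = budget if budget is not None else [0]  # shared across includes
    record = get_spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier, term = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include"):
            budget[0] += 1
            if budget[0] > MAX_DNS_TERMS:
                raise SpfError(f"{domain}: more than {MAX_DNS_TERMS} DNS-querying terms")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip_in_hosts(ip, [arg or domain])
        elif name == "mx":
            matched = ip_in_hosts(ip, lookup(arg or domain, "MX"))
        elif name == "include":
            # Recursive check of the included domain. Only a 'pass' counts as a
            # match; a 'fail' inside the include does not fail the outer record.
            inner = check_host(ip, arg, budget)
            if inner == "none":
                raise SpfError(f"include:{arg} has no SPF record")
            matched = inner == "pass"
        else:
            raise SpfError(f"{domain}: unsupported term {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no 'all' present


def spf_result(ip, domain):
    """check_host with the RFC result 'permerror' instead of an exception."""
    try:
        return check_host(ip, domain)
    except SpfError:
        return "permerror"


def authenticate(envelope_from, header_from, client_ip):
    """What a receiver gets from SPF alone. The domain checked is the one in the
    SMTP MAIL FROM (Return-Path), not the From: header the user sees; whether
    the two agree ('alignment') is what DMARC adds on top."""
    env_domain = envelope_from.rsplit("@", 1)[1].lower()
    hdr_domain = header_from.rsplit("@", 1)[1].lower()
    return spf_result(client_ip, env_domain), env_domain == hdr_domain


if __name__ == "__main__":
    for ip in ("192.168.1.1", "203.0.113.10", "203.0.113.25", "198.51.100.7", "203.0.113.99"):
        print(ip, "->", spf_result(ip, "domainname.be"))
    # Spoof: envelope sender on a +all domain, From: header claiming domainname.be
    print(authenticate("bounce@lazy.example", "ceo@domainname.be", "192.0.2.1"))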
The full SPF specification can be found in RFC 7208: https://datatracker.ietf.org/doc/rfc7208/
Setting up an SPF record can be simple but also complex. Especially when multiple servers, mailing systems and cloud services are in use, an SPF record quickly becomes a cluttered list of servers that no longer belong in it. Keep in mind that every a, mx and include item (also those inside included records) costs a DNS lookup and the specification allows at most 10 per check: a record that exceeds this limit produces a permanent error (permerror) at the receiver, so your mail is no longer authenticated at all.
If you are not sure about the correct setting of your SPF record, ask one of the Kinamo specialists for help!
Not all of your questions answered?
Don't worry, we will be happy to help you via a support request!