Although you do not need an SPF record on your DNS server to evaluate incoming email against SPF policies published on other DNS servers, the best practice is to set up an SPF record on your DNS server. Setting up an SPF record lets other email servers use SPF filtering (if the feature is available on the mail server) to protect against incoming email from forged (spoofed) email addresses that may be associated with your mail server. As SPF records are implemented more widely, SPF filtering will become more effective at identifying spoofed email messages.
SPF records, like MX, A, and PTR records, are included at the DNS domain tree level. These records identify authorized SMTP servers for each domain.
An SPF record consists of the SPF version number followed by strings comprised of mechanisms, prefixes, and modifiers. SPF clients ignore TXT records that do not start with the version string v=spf1.
SPF records are evaluated in a two pass process. First, all mechanisms and prefixes are evaluated, then all modifiers are evaluated. Mechanisms are evaluated from left to right. Modifiers are evaluated on the second pass and can occur anywhere in the record. A generic SPF record takes the format of:
version ([prefix] mechanisms) (modifiers)
SPF Parameters |
Description |
v=spf1 |
SPF version number |
all, include, a, mx, ptr, ip4, and exists |
Mechanisms. Use one or more in a record string. |
"+", "-", "~", and "?" |
Prefixes. Precede mechanisms. If a prefix is not included, "+" is implied. |
exp |
Modifiers. Use 0 - 2 in a record string. |
An example SPF record is:
v=spf1 +a:mail.domain.com /16 +mx +ptr include:anotherdomain.com redirect=exampleredirect.com exp=spf-error -all
This SPF record includes three directives made up of prefixes and mechanisms:
+a:mail.domain.com/16
+mx
+ptr
-all
and two modifiers:
include:anotherdomain.com
exp=spf-error
Mechanisms identify IP addresses that are authorized to send email from a specified domain. You can use zero or more mechanisms in an SPF record string. Mechanisms usually contain ":" or "/" characters and are case-sensitive. Directives that do not contain "=", ":", or "/" are also mechanisms. Following are mechanism descriptions:
SPF Mechanisms |
Description |
all |
Matches all local and remote IPs and goes to the end of the SPF record. Example: |
include |
Specifies other domains that are authorized domains. Example: |
a |
Specifies all IPs in the DNS A record. Example: v=spf1 a:domain.com -all |
mx |
Specifies all A records for each host's MX record. Example: |
ptr |
Specifies all A records for each host's PTR record. Example: |
ip4 |
Specifies a single IP or an acceptable IP address range. /32 is assumed if no prefix-length is included. Example: |
exists |
Specifies one or more domains normally singled out as exceptions to the SPF definitions. An A query is performed on the provided domain, if a result is found a match occurs. Example: |
Prefixes designate whether IP addresses pass or fail the SPF lookup test:
SPF Prefixes |
Description |
+ |
Pass. The address passed the test. Example: |
- |
Fail. The address failed the test. Example: |
~ |
Softfail. The address failed the test, but the result is not definitive. Example: |
? |
Neutral. The address did not pass or fail the test. Example: |
Modifiers provide additional SPF query information and can branch SPF processing. They always contain an "=" character and are case-sensitive. SPF includes two possible modifiers; each can be used once:
SPF Modifiers |
Description |
redirect |
Sends inquiry to another domain. Example: redirect=exampleredirect.com |
exp |
Sets up an explanation in the SPF record. If an SPF query produces a FAIL result, the explanation is queried and the explanation string provides more information to the nonconforming user. The explanation is typically placed in an SPF log. Example: |
For more information about SPF, go to the SPF community at http://spf.pobox.com.
Related Topics
Setting Sender Policy Framework (SPF) Options