Attackers keep refining their techniques, and successful phishing and spoofing campaigns have become more frequent as a result. SPF, DKIM, and DMARC are the three email authentication protocols that make it harder for attackers to send fraudulent emails in the name of legitimate businesses.
According to the FBI's 2022 IC3 annual report, 300,497 phishing complaints were filed by US-based victims, and BEC (business email compromise), a type of email-based fraud, cost victims more than $2.7 billion. Statistics like these make it all the more important to understand what SPF, DKIM, and DMARC are. This guide covers SPF: its history, how it works, its syntax, and its limitations. Keep reading to learn more.
What is SPF, and What does it do for Emails?
First, the definition.
SPF stands for Sender Policy Framework. It is an email authentication protocol that lets a domain owner declare which mail servers are authorized to send email on behalf of the domain. Email sent from a server not on that list gets an SPF softfail or an SPF hardfail result, depending on how you end your SPF record. The following sections explain both failure types.
SPF helps stop phishing and spoofing attempts made in your brand's name by letting receiving servers reject or flag messages that claim to come from your domain but originate from unauthorized servers. Such messages typically ask recipients for sensitive information, such as financial details, OTPs, login credentials, social security numbers, or medical records, or trick them into making payments to attackers' accounts.
Publishing SPF also helps your deliverability and domain reputation: receiving servers and blocklist operators can see that mail from your domain is being authenticated.
SPF History and Current State
SPF was first proposed in 2000 but went largely unnoticed. In 2002, Dana Valerie Reese published an SPF-like specification on an IETF mailing list, unaware of the earlier proposal, and the American computer scientist Paul Vixie posted his own SPF-like specification to the same list. These posts drew a lot of interest and led to the formation of the IETF Anti-Spam Research Group (ASRG); over the next six months the protocol went through many revisions. SPF originally stood for Sender Permitted From; the name was changed to Sender Policy Framework in February 2004.
In 2005, the IESG approved publication of SPF as an experimental RFC and invited the community to observe it in operation for two years after publication. On April 28, 2006, the specification was published as experimental RFC 4408.
In April 2014, the IETF published RFC 7208, which made SPF a Proposed Standard; that is the current specification.
How Does SPF Work?
SPF lets a domain owner publish, in a DNS record, the list of IP addresses that are allowed to send mail with envelope-from addresses in that domain. Receiving servers use that list to tell legitimate mail from forged mail, and they may reject unauthorized mail outright, before the message body is even transmitted. The operating principle is similar to that of DNS-based blackhole lists (DNSBLs).
The envelope-from address is transmitted at the beginning of the SMTP dialogue, so a receiving server that rejects the domain can return a rejection to the sending client immediately. If that client was a relaying MTA (message transfer agent), the relay may in turn generate a bounce message to the original envelope-from address.
What Happens if SPF Fails?
An SPF failure occurs when the sending server's IP address is not covered by the SPF record published in DNS for the domain. The record's final all mechanism decides which of two failure types applies: SPF softfail or SPF hardfail.
SPF Softfail
SPF softfail says that the sending IP address is probably not authorized to send mail for the domain. You set your record to softfail by ending it with the ~all mechanism. The record then looks something like this:
v=spf1 include:spf.example.outlook.com ~all
SPF Hardfail
SPF hardfail (the RFC simply calls this result fail) says that the sending IP address is explicitly not authorized to send mail for the domain. You set your record to hardfail by ending it with the -all mechanism. The record then looks something like this:
v=spf1 include:spf.example.outlook.com -all
What is DNS?
DNS is short for Domain Name System. It translates domain names into their corresponding IP addresses, so that people do not have to memorize the numeric addresses of the many hosts they talk to. Think of it as a phonebook that saves you from memorizing phone numbers.
What is an SPF Record?
An SPF record is a DNS TXT record that lists all the servers authorized to send mail using your company's domain. Think of it as a guest list held by a door attendant who only admits people whose names are on it: just as anyone not on the list is turned away, mail from servers not covered by the SPF record can be rejected or marked as spam by the receiving server, depending on the all mechanism you chose and on the receiver's own policy.
How Does an Email Server Check an SPF Record?
SPF is evaluated against the Return-Path address (the envelope-from, i.e. the SMTP MAIL FROM), which is distinct from the From address shown to the recipient and is where bounces are delivered. The receiving mail server takes the domain of the Return-Path address, queries DNS for that domain's SPF record, and checks whether the connecting server's IP address is covered by one of the record's mechanisms. If it is, authentication passes; if not, it fails (or softfails, depending on the record). When the MAIL FROM is empty, as it is for bounces, the HELO/EHLO hostname is checked instead.
How to Generate an SPF Record?
You can build your SPF record in four steps.
STEP 1: Make a List of IP Addresses
Create a complete list of all the IP addresses and sending hosts that are allowed to send mail using your domain name. Include the sending servers of any third-party vendors that send on your behalf; most of them publish an SPF domain you can reference with an include mechanism instead of copying their addresses.
STEP 2: Create Your SPF Record
Use an online SPF record generator, or write the record by hand using the syntax described below. Publishing the record is what turns SPF authentication on for your domain.
STEP 3: Publish Your SPF Record Into Your DNS
Once the record is ready, add it to your domain's DNS as a TXT record at the domain name itself. Whoever manages your DNS publishes it; that may be an internal team or your DNS provider.
STEP 4: Test Your SPF Record
Use an SPF record checker to confirm the record parses, stays within the DNS lookup limit, and covers every sender you listed in step 1, so that it gives the best protection against phishers and spammers. As a final check, send a message from each sending service to a mailbox you control and read the Received-SPF or Authentication-Results header to confirm the result is pass.
SPF Record Basic Syntax
Let's understand an SPF record's basic syntax using the following example:
v=spf1 ip4:197.0.45.0 ip4:197.0.45.1 include:examplesender.net -all
Where:
- v=spf1 indicates that this is an SPF record (version 1); every valid SPF record has to start with it.
- Next are the IP addresses allowed to send mail for the domain, here ip4:197.0.45.0 and ip4:197.0.45.1. Note the colon: written as ip4=197.0.45.0, the term would be parsed as an unknown modifier and silently ignored. A single address is treated as a /32; a range is written with a CIDR prefix, e.g. ip4:197.0.45.0/24.
- include:examplesender.net pulls in the SPF record of a third-party sender, so that sender's authorized servers become authorized for this domain too. You can reference several domains in one record, but each include costs one DNS lookup (see the lookup limit below).
- -all specifies hardfail: any message sent from an IP not matched by the preceding mechanisms should be treated as failing authentication, and the receiver may reject it.
SPF Record Advance Syntax
All SPF records are built from terms that act as rules for which hosts may send mail for the domain, or that carry extra information. There are three categories of SPF syntax: mechanisms, qualifiers, and modifiers.
SPF Mechanisms
Mechanisms describe which sending hosts match. The receiving server tests them left to right, and the first mechanism that matches the sending IP decides the result, together with its qualifier.
- all: always matches and should be the last mechanism in the record; any mechanism listed after it is ignored.
- a: matches when the sending IP appears in the A (IPv4) or AAAA (IPv6) records of the named domain. If no domain is given, the current domain is used. An optional CIDR prefix (a:example.com/24) widens the match to the surrounding network.
- ip4: matches when the sending IP falls within the given IPv4 address or range. The range is written with a CIDR prefix length; /32 (a single address) is assumed if none is given.
- ip6: the same for IPv6, written with an ip6 directive and an optional prefix length; /128 is assumed when no prefix is given.
- mx: matches when the sending IP belongs to one of the domain's mail exchangers. MX records hold hostnames and priorities, not IP addresses, so the receiver resolves each MX hostname's A/AAAA records and compares the sending IP against those.
- ptr: matches when a reverse (PTR) lookup of the sending IP yields a hostname in the domain that resolves back to that IP; it is the reverse of a forward lookup. RFC 7208 says it should not be used: it is slow, unreliable, and consumes DNS lookups that count toward the limit, so it contributes to permerror results.
- exists: performs an A record lookup on the given domain (usually built with macros) and matches if any A record exists, regardless of the address returned.
- include: evaluates the SPF record of the named third-party domain. It matches when that evaluation returns pass for the sending IP; a fail, softfail or neutral from the included record is simply treated as no match, not as a failure of the message. If the named domain has no SPF record, the result is a permanent error (permerror).
SPF Qualifiers
A qualifier is an optional single-character prefix on a mechanism that tells the receiving server which result to return when that mechanism matches. There are four:
| Qualifier | Result | Action taken by the receiving server when the mechanism matches |
| --- | --- | --- |
| + | Pass | The sending IP is authorized and the message is authenticated. This is the default when no qualifier is written, so mx means the same as +mx. |
| - | Fail | The sending IP is explicitly not authorized. RFC 7208 allows receivers to reject such messages during the SMTP session, but in practice many accept them and feed the result into spam filtering or DMARC. |
| ~ | SoftFail | The sending IP is probably not authorized. Receivers generally accept the message but treat the result as a negative signal, which often means it lands in the spam folder instead of the inbox. |
| ? | Neutral | The record makes no statement about this IP. A ? qualifier on a matching mechanism returns neutral, and neutral is also the result when no mechanism in the record matches at all; receivers treat it like having no SPF record. |
SPF Modifiers
Modifiers supply extra information or change a default. Each is a name=value pair, with the name and value separated by the = symbol.
A given modifier may appear at most once in a record, and unknown modifiers are ignored (which is why a typo such as ip4= instead of ip4: silently disables that term). redirect=otherdomain tells the receiver to evaluate the SPF record of another domain in place of this one when no mechanism has matched, which lets several domains share one record; it counts as a DNS lookup and is ignored if the record contains an all mechanism. exp=domain points to a TXT record holding the explanation string a receiver may return along with a fail result.
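An added example, not code from the original article or from AutoSPF: a small Python implementation of the check_host() evaluation described in the sections above (the mechanisms, qualifiers and the redirect modifier), run against a constructed in-memory DNS table so that it works offline. Every domain, address and record in it is made up for the example. It shows how the first matching mechanism's qualifier becomes the result, how an include only matches on an inner pass, how redirect is consulted only when nothing matched, and how a chain of includes trips the 10-lookup limit and yields permerror. The ptr mechanism and macros are not implemented.

```python
import ipaddress

# Constructed DNS data standing in for live lookups. Every name, address and record
# here is made up for this example (documentation address ranges); none is real.
DNS = {
    "example.com": {"TXT": ["v=spf1 ip4:197.0.45.0/24 include:examplesender.net -all"]},
    "examplesender.net": {"TXT": ["v=spf1 mx ip6:2001:db8::/32 ~all"], "MX": ["mail.examplesender.net"]},
    "mail.examplesender.net": {"A": ["203.0.113.10"]},
    "softfail.example": {"TXT": ["v=spf1 a ~all"], "A": ["198.51.100.5"]},
    "redirect.example": {"TXT": ["v=spf1 redirect=example.com"]},
}
for i in range(12):  # an include chain long enough to exceed the 10-lookup limit
    DNS[f"chain{i}.example"] = {"TXT": [f"v=spf1 include:chain{i + 1}.example -all"]}

MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}   # ip4, ip6, all cost nothing

class PermError(Exception):
    """Raised wherever RFC 7208 requires a permerror result."""

def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])

def spf_record(domain):
    """The domain's single SPF record; None if it has none, permerror if it has several."""
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise PermError("multiple SPF records")
    return records[0] if records else None

def count_lookup(counter):
    counter["lookups"] += 1
    if counter["lookups"] > MAX_LOOKUPS:
        raise PermError(f"more than {MAX_LOOKUPS} DNS lookups")

def in_cidr(ip, addr, prefix):
    net = ipaddress.ip_network(f"{addr}/{prefix}" if prefix else addr, strict=False)
    return ip.version == net.version and ip in net

def evaluate(ip, domain, counter):
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:          # modifier (name=value)
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue                              # exp= and unknown modifiers are ignored
        qualifier = "+"                           # "+" is the default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in LOOKUP_MECHANISMS:
            count_lookup(counter)
        if mech == "all":
            return QUALIFIERS[qualifier]          # always matches; later terms are ignored
        if mech in ("ip4", "ip6"):
            matched = in_cidr(ip, arg, "")
        elif mech in ("a", "mx"):
            target, _, prefix = (arg or domain).partition("/")
            hosts = [target] if mech == "a" else lookup(target, "MX")
            rtype = "A" if ip.version == 4 else "AAAA"
            matched = any(in_cidr(ip, addr, prefix) for h in hosts for addr in lookup(h, rtype))
        elif mech == "exists":
            matched = bool(lookup(arg, "A"))      # any A record matches, whatever it holds
        elif mech == "include":
            inner = evaluate(ip, arg, counter)
            if inner == "none":
                raise PermError(f"include:{arg} has no SPF record")
            matched = inner == "pass"             # fail/softfail/neutral inside: no match
        elif mech == "ptr":
            matched = False                       # discouraged by RFC 7208; not implemented
        else:
            raise PermError(f"unknown mechanism {mech}")
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                                  # consulted only when nothing matched
        count_lookup(counter)
        result = evaluate(ip, redirect, counter)
        if result == "none":
            raise PermError(f"redirect={redirect} has no SPF record")
        return result
    return "neutral"

def check_host(ip, domain):
    """RFC 7208 check_host(): pass, fail, softfail, neutral, none or permerror."""
    try:
        return evaluate(ipaddress.ip_address(ip), domain, {"lookups": 0})
    except (PermError, ValueError):               # ValueError: malformed address or prefix
        return "permerror"

if __name__ == "__main__":
    for ip, domain in [("197.0.45.7", "example.com"), ("192.0.2.1", "chain0.example")]:
        print(ip, domain, "->", check_host(ip, domain))
```

The lookup counter is shared across the whole evaluation, including nested includes and the redirect, which is exactly why a vendor's deeply nested include can push an otherwise short record over the limit. Swap the DNS dict for real queries (for instance with dnspython) and the same logic runs against live records.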
Limitations of SPF
SPF has two major limitations that complicate deployment:
The Human-Readable From Address
SPF is evaluated against the Return-Path (envelope-from) domain, not the From header that the recipient sees. An attacker can therefore pass SPF by using an envelope-from in a domain they control while still displaying your domain in the From header. Most recipients never look at the Return-Path, so SPF on its own does not stop this kind of spoofing; DMARC closes the gap by requiring the SPF (or DKIM) domain to align with the From domain.
The SPF 10 Lookup Limit
Every DNS-querying term costs the receiving server's SPF verifier time, bandwidth, CPU and memory. To bound that cost, RFC 7208 limits an evaluation to 10 DNS-querying terms: include, a, mx, ptr, exists and the redirect modifier count, while ip4, ip6 and all cost nothing. Once an evaluation exceeds the limit, the check stops with a permerror result, and many receivers then treat the message as unauthenticated.
You can reduce the number of lookups by removing includes for services you no longer use, dropping the ptr mechanism, replacing mx with your mail servers' addresses, and listing stable senders as ip4 or ip6 terms, which cost no lookups.
Even so, you may still not fit within the 10-lookup limit, for example when a vendor's include itself contains several nested includes. This is where AutoSPF's automatic SPF record flattening service comes in. Flattening replaces the include, a and mx terms with the IP addresses they currently resolve to, so the record needs no DNS lookups at all.
Manual flattening has a catch: whenever a vendor changes its sending addresses, the flattened record goes stale and legitimate mail starts failing SPF, so it needs regular monitoring and re-resolution. That is the job we at AutoSPF automate for you.
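To make the lookup limit and the flattening trade-off concrete, here is an added Python example (again not the article's or AutoSPF's code) that counts the DNS-querying terms a record triggers, following include and redirect targets, and then flattens the record by replacing include, a and mx terms with the addresses they resolve to. It uses a constructed in-memory DNS table with made-up domains and documentation address ranges. Note the edge case it refuses: a negative or neutral qualifier inside an included record cannot be expressed as a plain address list, so the flattener raises instead of silently dropping it.

```python
import re

# Constructed DNS data standing in for live lookups: made-up names and documentation
# address ranges only, none of them real.
DNS = {
    "example.com": {"TXT": ["v=spf1 include:vendor-one.example include:vendor-two.example mx -all"],
                    "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["203.0.113.25"], "AAAA": ["2001:db8:1::25"]},
    "vendor-one.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 include:vendor-one-pool.example ~all"]},
    "vendor-one-pool.example": {"TXT": ["v=spf1 ip4:192.0.2.0/25 -all"]},
    "vendor-two.example": {"TXT": ["v=spf1 a:relay.vendor-two.example redirect=legacy.vendor-two.example"]},
    "relay.vendor-two.example": {"A": ["192.0.2.200"]},
    "legacy.vendor-two.example": {"TXT": ["v=spf1 ip4:192.0.2.201 ?all"]},
    # An include carrying a negative term: not expressible as a plain address list.
    "strict.example": {"TXT": ["v=spf1 include:partial.example -all"]},
    "partial.example": {"TXT": ["v=spf1 -ip4:192.0.2.99 ip4:192.0.2.0/24 -all"]},
}

# qualifier, name, separator (":" mechanism argument, "=" modifier value), argument
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=])(.*))?$", re.I)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_record(domain):
    for txt in DNS.get(domain, {}).get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    raise ValueError(f"{domain}: no SPF record (a live check would return permerror)")

def parse(record):
    """Yield (qualifier, name, separator, argument) for every term after v=spf1."""
    for raw in record.split()[1:]:
        m = TERM.match(raw)
        if not m:
            raise ValueError(f"malformed term {raw!r}")
        q, name, sep, arg = m.groups()
        yield q or "+", name.lower(), sep, arg or ""

def count_lookups(record):
    """DNS-querying terms the record triggers, following include and redirect targets."""
    total = 0
    for _, name, _, arg in parse(record):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(spf_record(arg))
    return total

def host_terms(name, suffix):
    """Literal terms for a host's A and AAAA records (the /prefix applies to ip4 only)."""
    host = DNS.get(name, {})
    return [f"ip4:{a}{suffix}" for a in host.get("A", [])] + [f"ip6:{a}" for a in host.get("AAAA", [])]

def expand(name, arg, domain):
    """Replace one lookup term with the unqualified ip4/ip6 terms it stands for."""
    if name in ("ip4", "ip6"):
        return [f"{name}:{arg}"]
    if name in ("include", "redirect"):
        return passing_addresses(arg)
    target, _, prefix = (arg or domain).partition("/")
    suffix = f"/{prefix}" if prefix else ""
    if name == "a":
        return host_terms(target, suffix)
    if name == "mx":
        return [t for mx in DNS.get(target, {}).get("MX", []) for t in host_terms(mx, suffix)]
    raise ValueError(f"{name} depends on the sending IP and cannot be flattened")  # ptr, exists

def passing_addresses(domain):
    """ip4/ip6 terms for which check_host() on `domain` would return pass."""
    out, redirect = [], None
    for q, name, sep, arg in parse(spf_record(domain)):
        if sep == "=":
            if name == "redirect":
                redirect = arg
            continue                          # exp= and unknown modifiers match nothing
        if name == "all":                     # redirect is ignored once all is present; the
            return out                        # included record's own all does not propagate
        if q != "+":
            raise ValueError(f"{domain}: {q}{name} inside an include cannot be flattened")
        out += expand(name, arg, domain)
    return out + (passing_addresses(redirect) if redirect else [])

def flatten(domain):
    """Rewrite the record with every lookup term replaced by the addresses it resolves to."""
    out, redirect = ["v=spf1"], None
    for q, name, sep, arg in parse(spf_record(domain)):
        qual = "" if q == "+" else q
        if sep == "=":
            if name == "redirect":
                redirect = arg
            else:
                out.append(f"{name}={arg}")   # exp= costs no lookup; keep it
        elif name == "all":
            return " ".join(out + [f"{qual}all"])   # terms after all, and redirect, are ignored
        else:
            out += [qual + t for t in expand(name, arg, domain)]
    if redirect:                              # no all: the redirect target's record takes over
        out += flatten(redirect).split()[1:]
    return " ".join(out)

if __name__ == "__main__":
    before, after = spf_record("example.com"), flatten("example.com")
    print(f"before ({count_lookups(before)} lookups): {before}")
    print(f"after  ({count_lookups(after)} lookups): {after}")
```

The flattened record is only as current as the DNS data it was built from: the moment vendor-one.example adds a new pool, the literal addresses fall behind, which is the monitoring burden mentioned above. A flattened record can also outgrow the 255-byte TXT string and 512-byte UDP response limits, so check its length as well as its lookup count.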
Summary
Sender Policy Framework is an email authentication protocol that lets receiving servers verify that mail claiming to come from your domain was sent by a server you authorized. It works from an SPF record: list every IP address and third-party service allowed to send on your behalf, build the record with a generator or by hand, and publish it as a TXT record in your domain's DNS so that receiving servers can perform the check.
SPF has two main limitations: it does not cover the human-readable From address, and it allows at most 10 DNS lookups per evaluation. If you cannot stay within the limit, our automatic flattening service keeps the record within bounds.