The convenience of emailing comes with a few downsides; one of them is getting compromised by cyber actors attempting phishing and spoofing attacks by impersonating you. This malicious act has the potential to ruin your sales funnel, misuse sensitive information, and uproot your business reputation.
That’s why the implementation of SPF, DKIM, and DMARC is on the rise. However, these protocols are a bit complicated to handle, and that’s why we have curated this guide on the most common SPF syntax issues found in SPF records and also suggested their resolutions.
Demystifying SPF Records
SPF records act as a set of instructions for recipients’ mail servers. A record lists the IP addresses (IPv4 and IPv6 ranges) and mail servers that are allowed to send email on your behalf, and the action to be taken against illegitimate messages sent from your domain.
Image sourced from apptivo.com
Any message’s IP address or mail server failing to match the SPF DNS record is considered unauthorized to send an email message from that domain or subdomain. The receiver’s mailbox marks such sending sources as suspicious and places them in the spam folder.
Here’s a simplified version of what’s involved in SPF processing:
- A sender initiates an email to be sent from your official domain.
- The recipient’s email server receives the email.
- The recipient’s email server retrieves an SPF record linked to your domain from the DNS.
- As per the instructions laid out using SPF syntax, the recipient’s server accepts, rejects, or marks messages as suspicious.
What are the 10 Most Common Syntax Errors, and How to Fix them To Avoid Phishing?
Deploying SPF delivers its benefits only when there aren’t any errors in your SPF records. So, let’s see how you can sort them out.
1. Missing ‘v=spf1’
Every valid SPF record starts with v=spf1, where v is the version tag and spf1 is the version number. As of now, there’s only one SPF version. Forgetting to start your SPF record with this essential component is a very common oversight.
Resolution:
Always begin your SPF records with v=spf1.
Example:
- Incorrect: ‘include:_spf.example.com ~all’
- Correct: ‘v=spf1 include:_spf.example.com ~all’
2. Incorrect Syntax in Mechanisms
SPF mechanisms, such as “include,” “ip4,” and “a,” must follow the correct format. Mixing them up can result in SPF failures.
Resolution:
Ensure you use the proper syntax for mechanisms.
Example:
- Incorrect: v=spf1 include:_spf.example.com ip:192.138.1.1 -all
- Correct: v=spf1 include:_spf.example.com ip4:192.138.1.1 -all
3. Missing Spaces
While creating your domain’s SPF record, separate mechanisms and modifiers by spaces to avoid formatting issues.
Resolution:
Use spaces before every instance of mechanism and modifiers.
Example:
- Incorrect: ‘v=spf1include:_spf.example.com~all’
- Correct: ‘v=spf1 include:_spf.example.com ~all’
4. Invalid Qualifiers
This issue occurs due to the use of invalid qualifiers, i.e. +all or ?all. Using them is a serious mistake, as they allow anyone on the internet to send emails on your behalf.
Resolution:
Use only the -all (fail) or ~all (softfail) qualifier. -all instructs receivers to reject illegitimate emails, while ~all instructs them to mark such emails as suspicious, so that a recipient does not fall victim to a phishing attack.
Example:
- Incorrect: ‘v=spf1 include:_spf.example.com +all’
- Correct: ‘v=spf1 include:_spf.example.com ~all’
5. Redundant ‘all’ Mechanism
You aren’t allowed to use more than a single ‘all’ mechanism at the end of your record. Redundancy causes confusion for recipients’ mail servers, triggering email delivery and authentication problems.
Resolution:
Add only one ‘all’ mechanism at the end of your record.
Example:
- Incorrect: ‘v=spf1 include:_spf.example.com ~all -all’
- Correct: ‘v=spf1 include:_spf.example.com ~all’
6. Exceeding the DNS Lookup Limit
To minimize the load on servers’ resources and avoid delayed deliveries, there’s a limit of a maximum of 10 DNS lookups per SPF record. Companies with a large workforce and a complicated email architecture reach this limit quickly.
Resolution:
Use ‘include’ mechanisms carefully and try SPF flattening to condense your SPF record, which reduces the need for DNS lookups.
Example:
- Incorrect: ‘v=spf1 include:_spf.example.com include:_spf2.example.com include:_spf3.example.com ~all’
- Correct: ‘v=spf1 include:_spf.example.com ~all’
7. Long SPF Records
Any SPF record with a length of more than 255 characters is erroneous. You need to find ways to shorten it.
Resolution:
Separate them into multiple strings using ‘include’ mechanisms and remove obsolete IP addresses.
Example:
- Incorrect: v=spf1 include:_spf.example.com include:_spf2.example.com include:_spf3.example.com … (too long) ~all
- Correct: v=spf1 include:_spf.example.com include:_spf2.example.com ~all
8. Missing PTR Records
It’s important to integrate corresponding PTR records if your SPF record includes the ‘-all’ tag. Failing to do so causes SPF failures, which means your domain is prone to a phishing attack.
Resolution:
Create PTR records for all sending servers or use “~all” instead of “-all.”
Example:
- Incorrect (without PTR records): v=spf1 include:_spf.example.com -all
- Correct (with PTR records): v=spf1 include:_spf.example.com -all
9. Unenclosed IPv6 Addresses
Don’t fail to enclose IPv6 addresses in square brackets. It’s another common formatting error.
Resolution:
Always enclose IPv6 addresses in square brackets.
Example:
- Incorrect: v=spf1 ip6:2001:0db8:85a3:0000:0000:8a2e:0370:7334 -all
- Correct: v=spf1 ip6:[2001:0db8:85a3:0000:0000:8a2e:0370:7334] -all
10. Missing SPF Record
There is no more fundamental mistake than not creating an SPF record in the first place. You need an SPF record to start the SPF authentication process at all.
Resolution:
Use an online SPF record generator and create one for your domain. Make sure you avoid making any of the mistakes listed above.
Example:
- Incorrect: No SPF record
- Correct: v=spf1 include:_spf.example.com ~all
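As an added example that is not part of the original article, the following Python linter applies the checks behind errors 1 to 7 and 10 to a record string entirely offline (no DNS queries). It counts include, a, mx, ptr, exists and redirect= as DNS lookups, as RFC 7208 specifies, and it accepts an ip6 address with or without the square brackets shown above; the function name check_spf and the finding texts are this example’s own.

```python
import ipaddress
import re
# Mechanisms whose evaluation costs a DNS lookup and counts toward the 10-lookup limit.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
KNOWN_MECHS = LOOKUP_MECHS | {"ip4", "ip6", "all"}
# qualifier, name, separator (':' mechanism argument, '=' modifier, '/' prefix length), value
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=/])(.*))?$", re.IGNORECASE)

def check_spf(record: str) -> list:
    """Return the problems found in one SPF TXT record; an empty list means it passed."""
    findings = []
    if not record.strip():
        return ["no SPF record"]                                      # error 10
    if len(record) > 255:
        findings.append("record longer than 255 characters")         # error 7
    terms = record.split()                                           # terms must be space-separated
    head = terms[0].lower()
    if head != "v=spf1":
        findings.append("record does not start with v=spf1")         # error 1
        if head.startswith("v=spf1"):
            findings.append("missing space after v=spf1")            # error 3
    lookups, all_seen = 0, 0
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            findings.append(f"malformed term '{term}'")
            continue
        qual, name, sep, value = m.group(1) or "+", m.group(2).lower(), m.group(3), m.group(4)
        if sep == "=":                                               # modifier such as redirect=
            lookups += 1 if name == "redirect" else 0
            continue
        if name not in KNOWN_MECHS:
            findings.append(f"unknown mechanism '{name}' in '{term}'")  # error 2
        if name in LOOKUP_MECHS:
            lookups += 1
        if name in ("ip4", "ip6"):
            try:  # optional square brackets are stripped so either spelling shown above is accepted
                if ipaddress.ip_network((value or "").strip("[]"), strict=False).version != int(name[2]):
                    raise ValueError  # address family does not match the mechanism name
            except ValueError:
                findings.append(f"invalid address in '{term}'")      # error 2
        if name == "all":
            all_seen += 1
            if qual in "+?":
                findings.append(f"'{qual}all' lets any host pass SPF for the domain")  # error 4
    if all_seen > 1:
        findings.append("more than one 'all' mechanism")             # error 5
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10")  # error 6
    return findings
```

Run check_spf on the ‘Incorrect’ records above and each returns the matching finding, while the ‘Correct’ ones return an empty list.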
Summary
SPF helps improve email deliverability for domain names and subsequently boosts marketing efforts. SPF record syntax helps lay down rules or instructions for recipients’ servers on handling potentially malicious messages from your domain.
Any IP address outside of the ip4 and ip6 network ranges listed in the SPF TXT record is identified as unauthorized by the receiving mail server. Domain owners need to be careful about the number of DNS lookups, prefix lengths, string length, use of modifiers, permerror results, use of the mx mechanism, etc., for their domains.