SPF syntax has three elements: SPF Mechanisms, SPF Qualifiers, and SPF Modifiers. Together they instruct recipients’ mail servers how to handle emails coming from your domain, define their scope, and prevent phishing and spoofing attacks.
They contain information about which IP addresses (belonging to ip4-network and ip6-network ranges) or mail server groups are authorized to send emails on behalf of your organization.
Note that it’s recommended to use SPF in conjunction with DKIM and DMARC for the best delivery rate and protection from phishing.
SPF Mechanisms
The SPF syntax Mechanisms define the set of hosts that are considered designated mailers for the domain or subdomain. These are prefixed with one of the four SPF Qualifiers mentioned in the next section of this guide.
1. ALL
It’s used at the end of an SPF TXT record and instructs mail receivers’ servers about how they should deal with emails coming from your domain but failing SPF checks.
2. A
It matches when the domain name’s A or AAAA address record points to the sender’s address.
3. Ip4
This SPF Mechanism states that the IP addresses listed in the SPF record belong to the ip4 network range. It is used with a prefix length, and /32 is the default one.
4. Ip6
This SPF Mechanism states that the IP addresses in the SPF record belong to the ip6 network range. If no prefix length is given, /128 is used by default.
5. MX
An MX Mechanism tag lets senders use the same IP address as the one added to the specified MX record. All the A records used for MX records are evaluated in the order of MX priority.
When an MX record belonging to a domain includes an IP address the same as the sender’s IP address, the sender is allowed to send emails using that domain name.
6. PTR
The PTR tag helps in looking for hostnames for client IPs. It’s mandatory for at least one of the A records to match the original client IP for a successful hostname validation. All invalid hostnames are discarded.
The use of the PTR Mechanism is not recommended as it’s slow, unreliable, and also causes more SPF DNS lookups that can result in a Permerror.
7. EXISTS
The Exists SPF record syntax does a DNS A record search for the domain provided. A successful match is achieved only if a valid A record is located and that’s independent of the lookup limit.
8. INCLUDE
The Include SPF record syntax lets you add ipv4 or ipv6 IP addresses of vendors who send emails on behalf of your organization or its sources. These are usually outsourced marketing or PR agencies. Sender authorization happens when its IP address is the same as the IP address or domain added to the SPF record. You’ll come across an SPF Permerror if you don’t add their IP address, and yet they send emails on your behalf.
SPF Qualifiers
Each Mechanism can be grouped with one of the four SPF Qualifiers.
| Qualifier | Result | Instructions for the Recipient’s Server |
| --- | --- | --- |
| + | Pass | It’s not recommended to use this SPF Qualifier as it allows anyone on the internet to send emails on your behalf. It’s the default action taken when there’s no SPF Qualifier in an SPF record. |
| - | Fail | In this case, the email message hasn’t come from a legitimate source, due to which it will get rejected by the recipient’s mailbox. |
| ~ | Softfail | The recipient’s server accepts the message failing SPF authentication checks, but it lands in the spam folder. |
| ? | Neutral | In this case, the email neither passes nor fails authentication checks since the SPF record doesn’t explicitly state whether the sender is authorized to send messages. Its use is highly discouraged. |
SPF Modifiers
The last part of SPF syntax is the SPF Modifiers, which are name and value pairs separated by an = symbol. They appear at the end of SPF records and represent additional information. Your SPF DNS record will show errors if a Modifier is used multiple times, and all unrecognized SPF Modifiers are ignored.
redirect Modifier
It points to other SPF records for processing and is used when you have to use the same SPF content over multiple SPF records generated for other domain names.
It’s used only when you control other domains as well; otherwise, an include Mechanism is used.
exp Modifier
You use it in an SPF record to provide an explanation in case a - (fail) Qualifier is present on a Mechanism that is matched.
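The syntax described above, as an added example that is not code from the original page: a small Python parser that splits a record into Qualifier, Mechanism and Modifier parts and evaluates only the ip4, ip6 and all Mechanisms against a sender IP. The record, domains and addresses are constructed, and the function names parse_spf and check_ip are hypothetical; Mechanisms that need DNS are parsed but skipped during evaluation.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "a", "ip4", "ip6", "mx", "ptr", "exists", "include"}
# Constructed sample record; domains and addresses are documentation values.
SAMPLE = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 "
          "include:_spf.example.net -all exp=explain.example.com")

def parse_spf(record):
    """Split a record into (result, mechanism, value) terms and a modifier dict."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms, modifiers = [], {}
    for tok in tokens[1:]:
        has_q = tok[0] in QUALIFIERS
        result = QUALIFIERS[tok[0]] if has_q else "pass"  # no Qualifier means +
        name, _, value = (tok[1:] if has_q else tok).partition(":")
        if "/" in name:                     # "a/24": prefix length, no domain
            name, _, rest = name.partition("/")
            value = "/" + rest
        if name.lower() in MECHANISMS:
            terms.append((result, name.lower(), value))
        elif "=" in tok:                    # Modifier: name=value
            key, _, val = tok.partition("=")
            key = key.lower()
            if key in modifiers and key in ("redirect", "exp"):
                raise ValueError(f"modifier {key} used more than once")
            modifiers[key] = val            # unrecognized Modifiers are kept, not acted on
        else:
            raise ValueError(f"unknown term: {tok}")
    return terms, modifiers

def check_ip(record, sender_ip):
    """Result of the first ip4/ip6/all term that matches sender_ip.
    a, mx, ptr, exists and include need DNS and are skipped in this offline sketch."""
    ip = ipaddress.ip_address(sender_ip)
    terms, _ = parse_spf(record)
    for result, mech, value in terms:
        if mech == "all":
            return result
        if mech in ("ip4", "ip6") and ip.version == int(mech[2]):
            # ip_network reads a bare address as /32 (ip4) or /128 (ip6)
            if ip in ipaddress.ip_network(value, strict=False):
                return result
    return "neutral"                        # no term matched

if __name__ == "__main__":
    for addr in ("192.0.2.55", "198.51.100.8", "2001:db8::25"):
        print(addr, check_ip(SAMPLE, addr))
```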
An SPF Record Generator Gets the Job Done in No Time
Generating an SPF record manually without properly learning SPF syntax can lead to an SPF Temperror or other configuration issues, especially if you are new to it. Instead, use an online automatic SPF record generator that produces a record from scratch, leaves little to no room for problems, ensures a high deliverability rate, and offers protection from spoofers.