The Meaning of SPF (Sender Policy Framework)
Sender Policy Framework (SPF) is a validation system that allows ISPs and mail servers to check if the incoming mail has been sent from an authorized server. By using the IP address of the sending server and the DNS records of your domain, ISPs can check if the sending server is authorized. If email is coming from an unauthorized sender, the emails will be marked as spam or moved to junk.
How does SPF work
Connection over the Internet use DNS (Domain Name System) to resolve Domain Name to the IP (Ipv4) Address . Each domain should contain MX (Mail Exchanger) in domain’s DNS Zone Record file.Th purposes of MX Record is to inform the sender email server where is the target mail server location.
SPF Job is to publish the reverse MX DNS records of the mail server , in other words SPF is like broadcasting information about the source mail server that send the mail from the domain,then the recipient mail server can check theses “published record by SPF” to insure that the incoming e-mail is coming from trusted sender or trusted domain.
SPF operates at the level of the SMTP transaction, and requires these information:
- The MAIL FROM: parameter of the incoming mail
- The HELO or EHLO parameter of the sending SMTP server (used for Mailer-Deamon bounces which send a blank MAIL FROM)
- The IP address of the sending SMTP server
SPF Record Syntax Example
lets try to explain the simple SPF record for domain exampledomain.com
The parts of the SPF record mean the following:
|v=spf1||SPF version 1|
|mx||the incoming mail servers (MXes) of the domain are authorized to also send mail for exampledomain.com|
|a:ex1.exampledomain.com||the machine ex1.exampledomain.com is authorized, too|
|-all||all other machines are not authorized ,”-” Mechanism meaning Fail|
The bellow are an overview of SPF mechanism syntax may include in the SPF record:
- “+” Pass : The SPF record designates the host to be allowed to send , The Actions is accept
- “-” Fail: The SPF record has designated the host as NOT being allowed to send, Intended Action :reject
- “~” SoftFail:The SPF record has designated the host as NOT being allowed to send but is in transition , Intended Action :accept but mark
- “?” Neutral:The SPF record specifies explicitly that nothing can be said about validity , Intended Action :accept
- “all” mechanism:This mechanism always matches. It usually located at the end of the SPF record.
- “ip4” mechanism:An IPv4 network range. If no prefix-length is given, /32 is default.
- “ip6″ mechanism:An IPv6 network range. If no prefix-length is given, /128 is default
- “a” mechanism:All the A records for domain are tested. If the client IP is found among them, this mechanism matches.
- “mx” mechanism:All the A records for all the MX records for domain are tested in order of MX priority.
- “ptr” mechanis:The hostname or hostnames for the client IP are looked up using PTR queries.
- “exists” mechanism:Perform an A query on the provided domain. If a result is found, this constitutes a match. It doesn’t matter what the lookup result is
- “include” mechanism:The specified domain is searched for a match. If the lookup does not return a match or an error, processing proceeds to the next directive.
- “exp” modifier:If an SMTP receiver rejects a message, it can include an explanation.