Twice in the last week I have had my engineers ask me this, so I thought I would create this post and send them the link 🙂

General SPF Info

In summary, a mail server checks whether an incoming email originated from a location the domain owner has authorized to send its email. If the SPF record does not authorize the originating server, the email may be rejected.

You can check whether your SPF record is set up correctly by using online tools like this one:

http://www.kitterman.com/spf/validate.html

We use MessageLabs a lot for inbound/outbound email scanning, so in the scenario which applies to 90% of our customers we would set the SPF record so that it contains the public IP address of the sending server and the MessageLabs SPF include. The reason for this is that, just in case we route some email directly, we want to make sure the global IP is listed in the SPF record.

If our Public IP was 81.81.81.81 for example then we would set the SPF record like so:

v=spf1 ip4:81.81.81.81 include:spf.messagelabs.com ~all

Breakdown:

v=spf1 identifies the record as an SPF record (version 1).

ip4: an IPv4 address (or CIDR range) that can send mail for the domain (e.g. 81.81.81.81).

include: tells the server querying the domain to also evaluate the SPF record published by another domain (in this case spf.messagelabs.com).

~all (softfail) means the domain owner is fairly, but not completely, certain that this is the full list of sending servers for the domain.

This can also be replaced with -all to reject any messages from anywhere else, or:

?all (neutral) to say there may be other legitimate servers.

You can also include multiple other domains, for example:

v=spf1 ip4:81.81.81.81 include:spf.messagelabs.com include:spf.domain.com ~all

There are other mechanisms, for example:

v=spf1 mx -all

This means any MX host for your domain is allowed to send email, and anything else is hard-failed.

You can query an SPF record by running nslookup, setting the query type to txt (set type=txt) and then querying the domain.

Difference between ~all and -all?

~all is a soft fail, so any email not from a server on the SPF list “might” be spoofed (treat as suspicious).

-all is a hard fail, which means any email NOT from a server on the SPF record will be rejected.
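To make the breakdown above concrete, here is a small SPF evaluator I have added as an example (it is not part of the original post and not any vendor's code). It walks a record term by term, handles the ip4, include, mx and all mechanisms with the +, -, ~ and ? qualifiers, and returns the result a receiving server would act on. The DNS table is constructed for the example so it runs offline; the addresses and the spf.messagelabs.com record contents are placeholders, not the real ones. Macros, redirect=, exists and the a mechanism are left out.

```python
import ipaddress

# Constructed stand-in for live DNS (not real records): TXT for SPF,
# MX host names, and A records for those hosts.
DNS = {
    "example.com": {
        "txt": ["v=spf1 ip4:81.81.81.81 include:spf.messagelabs.com ~all"],
        "mx": ["mail.example.com"],
    },
    "strict.example": {
        "txt": ["v=spf1 mx -all"],
        "mx": ["mail.strict.example"],
    },
    # Placeholder for the third-party include; the real record differs.
    "spf.messagelabs.com": {
        "txt": ["v=spf1 ip4:203.0.113.0/24 -all"],
    },
    "mail.example.com": {"a": ["81.81.81.81"]},
    "mail.strict.example": {"a": ["198.51.100.7"]},
}

# Qualifier prefix -> result returned when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in DNS.get(domain, {}).get("txt", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def ip_in(ip, cidr):
    """True if ip falls inside cidr (a bare address counts as a /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record for sender_ip.

    Returns pass / fail / softfail / neutral, "none" when no record exists,
    or "permerror" if include chains nest too deeply.
    """
    if depth > 10:
        return "permerror"
    record = get_spf(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"  # an unprefixed mechanism means pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True  # catch-all: its qualifier decides the outcome
        elif name == "ip4":
            matched = ip_in(sender_ip, arg)
        elif name == "mx":
            # mx with no argument means the MX hosts of the domain being checked
            mx_hosts = DNS.get(arg or domain, {}).get("mx", [])
            matched = any(
                ip_in(sender_ip, addr)
                for host in mx_hosts
                for addr in DNS.get(host, {}).get("a", [])
            )
        elif name == "include":
            # include only matches when the other domain's record says pass;
            # its fail/softfail does not propagate, evaluation simply continues
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    for dom, ip in [("example.com", "81.81.81.81"), ("example.com", "203.0.113.5"),
                    ("example.com", "192.0.2.1"), ("strict.example", "192.0.2.1")]:
        print(dom, ip, "->", check_spf(dom, ip))
```

Note how the same unknown sender (192.0.2.1) ends up as softfail under the ~all record but fail under the -all record, which is exactly the difference a receiving server acts on; the include matching only on pass is why a third party's -all does not reject your own mail.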

Tools for Creating SPF Records:

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

Tools for Checking SPF Records

http://www.kitterman.com/spf/validate.html

More Information

http://www.openspf.org/SPF_Record_Syntax
http://www.openspf.org/
