Overview
In this post, we’ll take a look at what SPF records are and how to create a basic SPF record that is what most messaging infrastructures require.
When people worked out they can send email from other people’s email addresses (spoofing) using other SMTP servers and tools like bmail, Send-MailMessage or others, SPF was invented to prevent this. This is in addition to reverse DNS.
SPF stands for Sender Policy Framework and it is configured by the owner of the sending domain as a TXT record in DNS.
Basic SPF Record
To work out what your SPF record should include, the basics are that it should include all public IPs that are configured to send email using your domain name. For example, we are sending email from contoso.com and are using the below IPs and the MX records for the contoso.com domain to send email:
- 195.168.0.1
- 195.168.0.2
- 192.168.1.0/28
We also want to ensure that email from any other IP is prohibited.
Step 1: Specify your SPF version number
The first section is the SPF record version number. This should be version 1 currently. Our SPF record therefore starts with this:
v=spf1
Step 2: Configure permitted senders
To add the list of IPs and MX records to your SPF record as permitted senders, our SPF record now looks like this:
v=spf1 ip4:195.168.0.1 ip4:195.168.0.2 ip4:195.168.1.0/28 mx
If we were only sending from the same IPs as your MX records then we don’t need to include any ip4 entries and can just use this:
v=spf1 mx
Step 3: Specify action
We then need to specify what the recipient does with a message that is sent from an IP that’s not listed in the SPF record. We can choose from the below options:
We want to prohibit all senders that are not on our SPF record so we add -all to the end of the record. Therefore our completed SPF record is below:
v=spf1 ip4:195.168.0.1 ip4:195.168.0.2 ip4:195.168.1.0/28 mx -all
Step 4: Publish the SPF record
The SPF record is held in a TXT record that needs to be added to our contoso.com public DNS zone. If we were using split DNS then we should add this TXT record to the DNS zones on our internal DNS servers also in case our SMTP relays are using these internal DNS servers for SPF record lookups.
Step 5: Confirm the SPF record exists
Once this is done, we can check that it exists by using nslookup. We need to specify the query type as TXT then type in the SMTP domain:
Conclusion
Now we are able to create basic SPF records for our domains, we can move on to understanding advanced SPF records which is useful when troubleshooting bouncebacks. See part 2.