SPF protocol, an ally in the fight against SPAM
If you do not have an SPF record for your domain and you are going to use Mailrelay, we are going to show you how to create one for your domain.
Let’s suppose that the domain that wants to send emails from Mailrelay is yourdomain.com and it does not have SPF records. Valid SPF records to use Mailrelay would be:
v=spf1 include:yourdomain.ip-zone.com a mx -all
v=spf2.0/pra include:yourdomain.ip-zone.com a mx -all
(Both records are required)
But if yourdomain.com already has an SPF record created, you only need to add include:yourdomain.ip-zone.com to its current SPF record. Let’s suppose that its current SPF record is:
v=spf1 ip4:216.87.93.72/31 a mx -all
v=spf2.0/pra ip4:216.87.93.72/31 a mx -all
The records adapted for Mailrelay would be:
v=spf1 include:yourdomain.ip-zone.com ip4:216.87.93.72/31 a mx -all
v=spf2.0/pra include:yourdomain.ip-zone.com ip4:216.87.93.72/31 a mx -all
(If you don’t have an SPF2 record you will need to add it)
IMPORTANT: Do not eliminate or add any other parameters if you have already created your record, unless you are sure of what you are doing.
The record must be added in your DNS manager as a TXT record and, if you also have a record of type SPF, there too.
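The merge described above, written out as an added example (it is not Mailrelay's own code). The function name adapt_records is hypothetical, and reusing the existing record's terms for a missing spf2.0/pra record is an assumption based on the page's paired examples.

```python
VERSIONS = ("v=spf1", "v=spf2.0/pra")  # the two record versions the page asks for
DEFAULT_TERMS = ["a", "mx", "-all"]    # terms the page uses when no record exists


def adapt_records(txt_records, include_domain):
    """Return the TXT strings to publish so that include_domain is authorized.

    Non-SPF TXT strings pass through untouched, existing terms keep their
    order, and the include is added only when it is not already present.
    """
    include = "include:" + include_domain.lower()
    by_version, others = {}, []
    for txt in txt_records:
        terms = txt.split()
        version = terms[0].lower() if terms else ""
        if version not in VERSIONS:
            others.append(txt)
            continue
        if version in by_version:
            # RFC 7208: more than one v=spf1 record is a permanent error for
            # receivers; the same check is applied to spf2.0/pra here.
            raise ValueError("more than one %s record published" % version)
        by_version[version] = terms[1:]

    # Page rule: a missing record has to be created. Assumption: it reuses the
    # terms of the record that does exist, as the page's paired examples do.
    fallback = next(iter(by_version.values()), DEFAULT_TERMS)
    result = []
    for version in VERSIONS:
        terms = list(by_version.get(version, fallback))
        if include not in (t.lower().lstrip("+") for t in terms):
            terms.insert(0, include)
        result.append(" ".join([version] + terms))
    return others + result
```

Running it twice on its own output changes nothing, so it is safe to apply to a domain that was already adapted.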
What is SPF protocol?
SPF protocol (Sender Policy Framework) is perhaps one of the most important tools used in the fight against SPAM and junk mail. SPF is a DNS record published by the domain of origin, and it is used to verify this domain. What to do with the result is determined by the incoming mail server. Just like SMTP and HTTP, it is an open protocol.
Basically, the mail server that receives incoming mail compares the domain of the message’s email address with the list of hosts that are authorized to send messages from said domain, and based on the SPF, it makes decisions of whether to allow the email to enter the inbox, allow it to enter under certain circumstances, or block it.
Activating SPF protocol is not complicated. You simply need to access the DNS server and indicate how you want to use it, as well as define a series of modifying parameters (controlling how the email server responds when it receives email with SPF and if it validates it).
Sending a forged email, for example, from Gates@microsoft.com, is possible with some technical knowledge, but it will be rejected by servers that use SPF verification.
For this verification to be effective, a logical process must take place: the outgoing mail server must have a TXT record in its DNS server (that is, the SPF) and the incoming mail server must be able to verify it.
Having an SPF is recommended for email messages to be sent without experiencing any problems. To do this, you must contact your webmaster, hosting provider or simply speak with the IT staff at your company. They can configure your SPF record, which you need in order for your outgoing Mailrelay mail to be sent most effectively.
At the same time, you will reduce the risk of other mail servers identifying you as SPAM and you will improve the reputation of your outgoing mail.
Create or modify your SPF record
Don’t be scared–having a correct SPF record that is adapted to your needs will prevent forgery, mail servers will know that your mail is legitimate, and you will not run the risk of your emails being treated as SPAM.
One clarification: if you send SPAM, servers will place the IP address that you use to send messages on a black list. This is precisely what SPF is used for: to reward mail servers that are truly authorized to send messages and stop spammers and forgery in sent email messages.
It does not allow unwanted messages to be converted into legitimate messages, but it allows the SPAM score of your messages to go down.
Check if you have an SPF record
There are many ways to check if an email server sends messages with SPF. We are going to show several of these. This will help you get the most out of the emails you send.
From the Windows console
Click the Start button and in the Search Programs and Files field, enter cmd and press Enter.
To do a test, we are going to check Google’s SPF. This is done in the following way:
Type nslookup and press Enter, then type set type=txt (press Enter) and then google.com (press the Enter key again).
You will receive an answer similar to this one:
google.com text = “v=spf1 include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all”
Check it online
If you want to know if your SPF record has been created successfully, you can verify this on several different websites, such as kitterman:
http://www.kitterman.com/spf/validate.html
To verify that the record has been created correctly, enter the name of your domain in the Domain Name field: and click Get SPF (if any).
Then, a window will open with the result of your search, similar to the window shown below.
Get to know your SPF for Mailrelay
Following the above example, if Google used our service Mailrelay to send its emails, its current SPF would also have to include our range of IP addresses to validate outgoing email sent from these addresses, specifically google.ip-zone.com (since the range we assign to each client looks like this: youraccountname.ip-zone.com).
The end result would be:
google.com text = “v=spf1 include:google.ip-zone.com include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all”
If your main domain were demo.es, the SPF record for your Mailrelay service would be (for example):
demo.es. 800 IN TXT “v=spf1 include:demo.ip-zone.com ip4:216.87.93.72/31 ~all”
Answers to your questions about SPF
- Is having an SPF record convenient? The answer is clearly yes.
- What happens if I don’t create one? Will my outgoing mail function poorly? In theory, nothing will happen. But your outgoing mail will not be sent as effectively. It will work properly, but sent mail will not correctly enter the servers where the DNS of the domain of origin is verified.
- What will happen if I have an incorrect SPF record and I don’t change it? It is preferable not to have an SPF at all than to have it configured incorrectly. If a server verifies the DNS record of the domain of origin of your SPF and your SPF only references your old provider, you are explicitly de-authorizing your range of IPs for outgoing mail (you only authorize those indicated in your SPF).
- Can I authorize different providers and IP ranges at the same time? Yes. The important thing is to always have the range of IPs that you are currently using.
- Who can create the SPF for me? We firmly believe in the importance of SPF. For this reason, when we notice that a client does not have an SPF record created, we send them a personalized email to help them with their outgoing mail.
- How do I implement it? If you are not tech-savvy, you only need to tell your webmaster, hosting provider or IT staff that you would like to have an SPF. Creating one is a very easy task for them.
Specific SPF records
If we wanted to be purists about what an SPF really is, we would need to clarify what we have already said. In reality, we are not creating a pure SPF; we would be creating a TXT record that contains SPF syntax.
The reason for specifying this is that some DNS servers cannot correctly interpret a specific SPF record.
Any modern server can interpret a specific SPF, but the simple fact that there are still some servers out there that cannot interpret them means that what we call a “real SPF,” or a specific SPF, cannot fully expand. But this is also due to the fact that SPF records (those created within a type of TXT) function correctly, and it is easy to leave things that work well as is.
When an updated server is verifying the identity of a message, it checks both records (first the specific SPF and then the TXT). If there is a specific SPF, the second check of your DNS, which is when the TXT record would be queried, is not conducted. But since current servers have the ability and resources to do both checks, its use is somewhat residual. Perhaps in a few years, the use of specific SPF will be more widespread, but for the moment, the most common practice is the SPF record within a TXT record. If you want to deepen your knowledge on the use of specific SPFs, you can do so by reading the document published by the Network Working Group.
SPF Modifiers:
v=spf1 Version number: it never changes since there is only one.
a, mx, ptr and include Records: can include several.
+ and ~ Prefixes: + is implied if no prefix is specified.
exp Modifiers: There may be a maximum of three or maybe none.
all Affects all the IPs, both local and remote.
include Is a reference to the external domains authorized to be the issuers.
a All of the IPs under the DNS A record.
mx All the A records under each MX host record.
ptr All the A records under the PTR host record.
ip4 The domains used by the IPv4.
exists Adds exceptions to domains.
redirect Uses the SPF records of the defined domain.
+ The address has passed the test (+all).
- The address has failed the test (-all).
~ The address has failed the test but the result is not definitive. In the case of uncertainty, it allows email to enter (~all) but it will likely be treated as SPAM if the range is not well defined.
? The sent email will arrive neutral; the rest of the commands do not
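How a receiving server turns the prefixes and mechanisms above into a decision, as an added example that is not Mailrelay's code. It also shows the FAQ point that a record listing only an old provider rejects the new provider's addresses. The names check_host and ZONE, the domain old.example and the 192.0.2.0/24 range are constructed for illustration, and only ip4, include and all are evaluated.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_terms(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples."""
    terms = []
    for term in record.split()[1:]:  # skip the version tag
        qualifier = term[0] if term[0] in RESULTS else "+"  # '+' is the default
        name, _, value = term.lstrip("+-~?").partition(":")
        terms.append((qualifier, name.lower(), value))
    return terms


def check_host(ip, domain, zone, depth=0):
    """Evaluate ip against domain's record; zone maps domain -> record text.

    Only ip4, include and all are evaluated. a, mx, ptr and exists need live
    DNS lookups and are treated as not matching in this offline example.
    """
    if domain not in zone:
        return "permerror" if depth else "none"
    if depth > 10:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for qualifier, name, value in parse_terms(zone[domain]):
        if name == "ip4":
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            inner = check_host(ip, value, zone, depth + 1)
            if inner == "permerror":
                return inner
            matched = inner == "pass"  # an include matches only on pass
        else:
            matched = name == "all"
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no term matched


# Constructed zone. demo.es is the page's record; old.example is hypothetical;
# 192.0.2.0/24 is a documentation range standing in for the provider's IPs.
ZONE = {
    "demo.es": "v=spf1 include:demo.ip-zone.com ip4:216.87.93.72/31 ~all",
    "old.example": "v=spf1 ip4:216.87.93.72/31 -all",
    "demo.ip-zone.com": "v=spf1 ip4:192.0.2.0/24 -all",
}
```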
