SPF (Sender Policy Framework)
Posted by Joe Rebis (Import) on 16 October 2006 07:06 PM
Sender Policy Framework, or SPF for short, is an anti-spam technique. It tells other mail servers that mail from your domain SHOULD originate from the specific mail servers (your mail servers) listed in your SPF record, which is published in your DNS. If spam is sent using your domain (an easy thing to do), the receiving mail server will check your DNS records to see whether the sending mail server is listed as an authorized mail server in the SPF record. If so, the message is allowed. Otherwise, it is tagged and filtered as spam. An SPF record is created as a special TXT record in your DNS Zone (DNS Manager). See: Control Panel >> Domains >> Click Your Domain >> DNS Manager
e.g. Typical SPF Record for EPhost Customer's Domains
"v=spf1 a mx ip4:220.127.116.11/23 a:websitecontrols.com/23 ?all"
We provide a basic "loose" SPF record for your domain, which is set up to allow all of our mail servers to send mail for your domain AND declare "neutral" regarding other servers sending mail on your behalf. This is done because most email providers now require an SPF record, but since it is not possible for us to update your SPF record with all of the mail servers you may be using to send email, the SPF record also allows other mail servers to send email for you. For example, some ISPs require that you send email through them.
It is your responsibility to OPTIONALLY tighten your SPF record.
Note the last portion of the SPF record above, which says "?ALL". This indicates we are not saying either way whether someone else can send email on your behalf. This makes the SPF record less effective because we are not making a definitive statement that another server can or cannot send mail for you. Ideally it would say (-ALL), meaning that only the mail servers listed can send mail on your behalf.
(+ALL): Anyone can send email on your behalf and you don't really care about SPF.
(-ALL): No other mail servers can send email on your behalf other than the ones listed in the SPF record.
(~ALL): It is questionable whether the mail server sending the mail is an authorized mail server for the domain.
(?ALL): No statement is being made, either way, as to whether the mail server sending the mail is an authorized mail server for the domain.
Receiving mail servers will attempt to score incoming mail to determine if it's spam using the SPF record. Does the IP address of the sending mail server MATCH the authorized mail servers in the SPF record for that domain?
Pass/Match: Any mail server sending the mail is an authorized mail server for the domain sending the mail. In other words, anyone can send email on your behalf and you don't really care about SPF.
Fail/No Match: The mail server sending the mail is not an authorized mail server for the domain sending the mail. No other mail servers can send email on your behalf other than the ones listed.
Soft Fail: It is questionable whether the mail server sending the mail is an authorized mail server for the domain.
Neutral: No statement is being made, either way, as to whether the mail server sending the mail is an authorized mail server for the domain.
To be most effective, the SPF record should contain the specific mail servers that will be sending mail, among other things. This poses a problem for web hosting providers because people send mail in many ways, e.g. through our mail servers, through your ISP's, or even through Blackberry. It is impossible for the hosting provider to maintain a list for each and every USER within a domain. One domain could literally have 10 or more mail servers that are used to send its mail.
While it is completely optional, if you would like to "tighten" your SPF record you will need to edit it using the DNS Manager in the Control Panel (see above). You do this by adding all the possible sending mail servers for your users. COX and SBC/Yahoo! users should pay close attention, as you are usually required to send mail via your ISP. This means that for your SPF record to be most effective, your ISP's outgoing mail server should also be listed. You will need to do this for EVERY mail server.
e.g. A Tightened SPF Record
(DO NOT USE UNLESS YOU KNOW WHAT YOU ARE DOING)
"v=spf1 a mx ip4:18.104.22.168/23 a:websitecontrols.com/23 mx:smtp.cox.west.net -all"
Note the bold sections above. We are saying that in addition to EPhost's Network, "smtp.west.cox.net" is also allowed to send mail for your domain. The "-ALL" is saying that only the servers listed in the SPF record may send email for your domain.
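The difference between the loose and tightened records can be checked offline with a small evaluator. This is an added example, not EPhost's code; the records, domains (example.com, isp.example) and addresses are constructed stand-ins shaped like the records above, DNS answers come from in-script tables, and only the ip4, a, mx and all terms are handled.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (documentation address ranges).
A_RECORDS = {"example.com": ["198.51.100.10"], "mx1.example.com": ["198.51.100.25"],
             "smtp.isp.example": ["203.0.113.77"]}
MX_RECORDS = {"example.com": ["mx1.example.com"], "isp.example": ["smtp.isp.example"]}

# Constructed records shaped like the loose and tightened examples above.
LOOSE = "v=spf1 a mx ip4:192.0.2.0/24 ?all"
TIGHT = "v=spf1 a mx ip4:192.0.2.0/24 mx:isp.example -all"

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _addresses(mech, target):
    """Resolve an a/mx mechanism to addresses using the constructed tables."""
    if mech == "a":
        return A_RECORDS.get(target, [])
    if mech == "mx":
        return [ip for host in MX_RECORDS.get(target, []) for ip in A_RECORDS.get(host, [])]
    return []  # include, exists, ptr etc. are not handled in this sketch

def check_spf(record, sender_ip, domain):
    """Return the SPF result for sender_ip; supports ip4, a, mx and all only."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    sender = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"  # no prefix means "+"
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mech == "all":
            return RESULTS[qualifier]  # catch-all: always matches
        if mech == "ip4":
            nets = [ipaddress.ip_network(arg, strict=False)]
        else:
            mech, _, cidr_a = mech.partition("/")      # "a/24" form
            target, _, cidr_b = arg.partition("/")     # "a:host/24" form
            prefix = cidr_a or cidr_b or "32"
            nets = [ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
                    for ip in _addresses(mech, target or domain)]
        if any(sender in net for net in nets):
            return RESULTS[qualifier]  # first matching mechanism decides
    return "neutral"  # nothing matched and no "all" term

if __name__ == "__main__":
    for ip in ("192.0.2.15", "203.0.113.77", "198.51.100.99"):
        print(ip, check_spf(LOOSE, ip, "example.com"), check_spf(TIGHT, ip, "example.com"))
```

Running it shows why a tightened record must list every sending server first: an ISP relay missing from the list would move from neutral to fail as soon as "-all" is published.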
If you would like to learn more about SPF, please see one of the sites listed below. Once you have created your SPF record, which is about a sentence long, you will need to re-create your SPF record using a TXT (text) based DNS entry using the DNS Manager in your control panel.
Also See KB Article: DNS Manager
Wikipedia (Detailed Definition):
Open-SPF (Creating Wizard):
Microsoft (Setup SPF for Office365):
DNS Stuff (Testing):