SPF

Sender Policy Framework

SPF is a mechanism where the owner of a domain publishes (in the DNS) which hosts should be sending email on behalf of the domain. Any other host sending email on behalf of the domain is therefore most likely to be illegitimate.

An SPF record is for the benefit of the recipient: it gives them a better idea of whether incoming mail is spam. It is created by the owner of the domain for the common good.

So, in the DNS for example.com I can publish a TXT resource record that says that only the hosts in the 192.0.2.0/24 network should be expected to be sending email on behalf of this domain:

v=spf1 ip4:192.0.2.0/24 -all

If any other host sends an email claiming to be from some.user@example.com then the email should be considered illegitimate.

Failings

SPF is let down by organisational failings, some of which are easy to fix and some of which are hard.

Central Servers

If your organisation has road warriors, or if you are partial to sending email from the local coffee shop, then you don't know what your sending IP address will be and so it becomes hard to write an accurate SPF record.

You can fix that in two ways:

  1. You can make the SPF record soft fail by changing the -all to ~all (minus to tilde).

    An SPF softfail is as much use as the proverbial chocolate teapot: it says to the recipient, "meh, mail from this domain could have come from anywhere", and all you've really done is cause the recipient to shuffle pointlessly through DNS records.

  2. You can set up a central email service for your users which they have to log into to read and send mail. With all the email being sent from known hosts you can write a definitive SPF record.

    With a suitable web front end this makes your email service identical to the likes of Global Search Corp and Social Network Inc, which isn't so hard for your users to cope with. You would hope.

Poor Implementation

SPF is still relatively new (in implementation terms) and it is surprisingly common to find legitimate organisations with broken SPF records which are syntactically invalid or semantically invalid, i.e. they have the wrong hosts listed.

That's much easier to fix with better system administrators!
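
The following is an added example, not part of the original guide: a small offline evaluator showing how a recipient would treat the example.com record above, its ~all variant, and the two kinds of broken record. The function names and sample addresses are constructed for illustration; only ip4, ip6 and all are handled, and any other term is treated as an error here as a simplification.

```python
import ipaddress

# SPF qualifier prefix -> result; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Return [(result, network or None for 'all')], or None on a syntax error."""
    parsed = []
    for term in record.split()[1:]:
        result = QUALIFIERS.get(term[0])
        mech = term[1:] if result else term
        result = result or "pass"
        name, _, value = mech.partition(":")
        name = name.lower()
        if name == "all" and not value:
            parsed.append((result, None))
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return None          # e.g. a /33 prefix or a missing address
            if net.version != int(name[2]):
                return None          # ip4: given an IPv6 network, or vice versa
            parsed.append((result, net))
        else:
            return None              # a, mx, include etc. are not handled here
    return parsed

def check_spf(record, sender_ip):
    """Evaluate an SPF TXT record against the connecting host's IP address."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                # not an SPF record at all
    parsed = parse_spf(record)       # the whole record is checked before matching
    if parsed is None:
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for result, net in parsed:       # first matching mechanism decides
        if net is None or ip in net:
            return result
    return "neutral"                 # nothing matched and there was no "all"

if __name__ == "__main__":
    # Constructed samples: the page's record, softfail, bad syntax, wrong hosts.
    for rec, ip in [("v=spf1 ip4:192.0.2.0/24 -all", "192.0.2.10"),
                    ("v=spf1 ip4:192.0.2.0/24 -all", "198.51.100.7"),
                    ("v=spf1 ip4:192.0.2.0/24 ~all", "198.51.100.7"),
                    ("v=spf1 ip4:192.0.2.0/33 -all", "192.0.2.10"),
                    ("v=spf1 ip4:198.51.100.0/24 -all", "192.0.2.10")]:
        print(f"{rec!r:40} from {ip:14} -> {check_spf(rec, ip)}")
```

The last sample is the semantically invalid case: the record parses cleanly, but the organisation's own host at 192.0.2.10 gets a fail because the wrong network is listed.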
