Configuring SPF

Introduction

SPF (Sender Policy Framework) is a method for preventing the forgery of sender addresses. SPF allows mail servers to verify whether an incoming email from your domain originates from a host authorized by the domain administrator.


Prerequisites

  • Access to the domain’s DNS zone



Setting the SPF Record


For general information on setting DNS records, see the article DNS Records.


The SPF record determines which IP addresses are authorized to send emails on behalf of your domain.

The following SPF record for the domain example.com allows the IPv4 addresses associated with its A record, the IPv6 addresses associated with its AAAA record, and the IP addresses resolved from the MX record to send emails on behalf of the domain example.com. The -all specifies that no one else is permitted to send emails.


Host

example.com

RR Type

TXT

Value

v=spf1 a mx -all;



Mechanisms


SPF also supports the following mechanisms:

Mechanism Occurs when
all always
a an A or AAAA record for the queried (or explicitly specified) domain contains the sender’s IP address
mx an MX record for the queried (or explicitly specified) domain contains the sender’s IP address
ip4 the specified IPv4 address is the sender’s IP address or the specified IPv4 subnet is present
ip6 the specified IPv6 address is the sender’s IP address or the specified IPv6 subnet is present
redirect the sender's IP address is authenticated by the SPF record of another domain
include an additional SPF query for the domain specified in the Include statement, which contains the sender's IP address
exists The sender’s IP address has been authorized based on the client’s connection or other criteria according to (RFC7208)


Qualifiers

Qualifier Description
+ Pass The directive defines authorized senders;
this is the default—if no qualifier is specified, + is assumed
- Fail The directive defines unauthorized senders
~ SoftFail The directive defines unauthorized senders, but the recipient should handle this failure leniently;
this qualifier is intended for testing purposes
? Neutral The directive defines senders whose legitimacy is not to be assessed; the sender must be accepted.