Configuring SPF
Introduction
SPF (Sender Policy Framework) is a method for preventing the forgery of sender addresses. SPF allows mail servers to verify whether an incoming email from your domain originates from a host authorized by the domain administrator.
Prerequisites
- Access to the domain’s DNS zone
Setting the SPF Record
For general information on setting DNS records, see the article DNS Records.
The SPF record determines which IP addresses are authorized to send emails on behalf of your domain.
The following SPF record for the domain example.com allows the IPv4 addresses associated with its A record, the IPv6 addresses associated with its AAAA record, and the IP addresses resolved from the MX record to send emails on behalf of the domain example.com. The -all specifies that no one else is permitted to send emails.
Host
example.com RR Type
TXT Value
v=spf1 a mx -all; Mechanisms
SPF also supports the following mechanisms:
| Mechanism | Occurs when |
|---|---|
| all | always |
| a | an A or AAAA record for the queried (or explicitly specified) domain contains the sender’s IP address |
| mx | an MX record for the queried (or explicitly specified) domain contains the sender’s IP address |
| ip4 | the specified IPv4 address is the sender’s IP address or the specified IPv4 subnet is present |
| ip6 | the specified IPv6 address is the sender’s IP address or the specified IPv6 subnet is present |
| redirect | the sender's IP address is authenticated by the SPF record of another domain |
| include | an additional SPF query for the domain specified in the Include statement, which contains the sender's IP address |
| exists | The sender’s IP address has been authorized based on the client’s connection or other criteria according to (RFC7208) |
Qualifiers
| Qualifier | Description | |
|---|---|---|
| + | Pass | The directive defines authorized senders; this is the default—if no qualifier is specified, + is assumed |
| - | Fail | The directive defines unauthorized senders |
| ~ | SoftFail | The directive defines unauthorized senders, but the recipient should handle this failure leniently; this qualifier is intended for testing purposes |
| ? | Neutral | The directive defines senders whose legitimacy is not to be assessed; the sender must be accepted. |