What Is An SPF Record Checker, And How Does It Validate SPF Records?

What Is An SPF Record And How Does It Work?

An SPF record is a simple text record listing all authorized hostnames and IP addresses permitted to send an email on behalf of an organization’s domain. An SPF acts as an authenticator of those emails by ensuring they were sent by an authorized mail server, thus, preventing spam and forgery.

1. An SPF record is created in the DNS (Domain Name System), defining specific parameters that determine which email servers are authorized to send an email on behalf of the domain name.
2. The inbound mail server verifies the email sender by matching it with the domain’s policies defined in the SPF record.
3. Based on the result of verification, it decides whether to accept, reject or flag the email.

What Is An SPF Record Checker?

An SPF Record Checker is a diagnostic tool that checks and verifies various aspects of an SPF record to ensure its accuracy and reliable performance. It first looks for an SPF TXT Record in the DNS database of a queried domain name. If an SPF record is found, it displays the contents and also lists errors, if any. Many SPF record checkers are available, such as Mimecast DMARC Analyzer, MXToolbox, and Kitterman, to check if the domain name satisfies the necessary parameters using the latest SPF standard specification i.e., RFC 7208.

How Does An SPF Record Checker Validate SPF Records?

There are several characteristics an SPF checker verifies concerning an SPF record to validate it, as listed below:

• Presence Of The SPF Record: The SPF checker will first check if an SPF TXT record is published and return an error if it is not found.
• Multiple SPF Records: There must only be one SPF record present. If multiple records exist, it will warn against it.
• SPF Syntax: A check is executed to see if the SPF record syntax is used correctly.
• Maximum Lookups: One can perform only up to ten DNS lookups. The “include”, “a”, “mx”, “ptr”, and “exists” mechanisms and the “redirect” modifier count against this limit. However, the “all,” “ip4,” and “ip6” mechanisms and the “exp” modifier do not count.
• Use of a PTR mechanism: PTR is deprecated due to its unreliability. There must be an A record instead.
• +All tag: This tag allows anyone to send emails on behalf of a domain name and hence is not recommended. The SPF record checker will return a warning if the +All tag is used.
• Use of record termination: The +All tag is also a record terminator. An alternative to use would be the ‘redirect’ modifier. If any other terminators are found, the checker will again return a warning.
• Characters after ‘All’: The SPF record checker will notify if there are any characters after the ‘All’ tag. There should be none.
• ‘SPF’ type DNS: Usually, the SPF record will be of ‘TXT’ type file. Instead, if it is of the ‘SPF’ type, the checker will return an error as the ‘SPF’ type record is obsolete.
• Maximum void lookups: Void lookups should not be more than two.
• MX resource records: The SPF record checker reports if the SPF record contains any MX (Mail Exchange) mechanism.
• Null values: The SPF checker looks for null values that may result in email delivery problems unless they are there on purpose to avoid sending emails from the particular domain.

What Does The SPF Record Checker Check About The SPF Record Syntax?

The SPF TXT record must abide by a rigid syntax rule for its proper functioning. The SPF record checker thoroughly checks and ensures that the record strictly satisfies each condition in the syntax rule. A typical SPF record looks like this:

SPF_version ip_address1 ip_address2 include:third_party_domain.com all_tag

The following are the constituents of the syntax that the SPF record checker verifies in such a record.

1. The first part defines the SPF version, the most current one being spf1 and written as v=spf1.
2. The SPF version is followed by one or more IP addresses authorized to send emails on behalf of the organization’s domain name.

Example: v=spf1 ip4:123.456.78.200
ip6:af6e:48fe:e45b:ce43:4d5e:00e4:e0da:e4a3

3. An ‘include:’ tag can be used to define any third-party domain authorized for sending email on behalf of the domain name, such as
   v=spf1 ip4:123.456.78.200 ip6:af6e:48fe:e45b:ce43:4d5e:00e4:e0da:e4a3 include:third_party_domain.com.
4. The last part of the record is the ‘all’ tag, which a user can use in three different ways.
   1. -all: It represents ‘Fail’ and means that only the domain’s mail servers (and those in the ‘a’ and ‘include’ sections) are allowed to send emails for the domain. All others are prohibited.
   2. ~all: This form of the tag is generally the recommended option and means a ‘Softfail,’ i.e., only the domain’s mail servers (and those in the ‘a’ and ‘include’ sections) are allowed to send emails for the domain. However, if a server is not listed, the email will be flagged as spam and not rejected. The email will need to be opened with caution.
   3. +all: This condition allows all servers to send emails on behalf of the domain and must not be used as it is the least secure mode.

A complete SPF record example would thus typically look as:

v=spf1 ip4:123.456.78.200 ip6:af6e:48fe:e45b:ce43:4d5e:00e4:e0da:e4a3 include:_spf.google.com ~all

Final Words

An SPF record checker is an indispensable tool that can save valuable time checking SPF records for a domain and help set it up accurately. The SPF record checker tool can help users determine if a suspicious email from a particular domain is spam or not. Using an SPF checker, system administrators can validate an organization’s existing SPF record, ensuring critical business emails are delivered to their customers’ inboxes without fail.