SPF Record Example: Learn The Role Of Mechanisms In SPF
An SPF record enables a domain to publicly declare which servers are authorized to send emails on its behalf. It is an open standard that lets receiving email servers verify whether an email originated from a trusted server. If the server is not on the approved list, the receiving server can treat the email as not genuine and take appropriate action. Looking at any SPF record example, one finds that it is the mechanisms that decide which sources are authorized and which are not.
Mechanisms And Other Components In The SPF Record Syntax
The SPF record syntax can look confusing initially, but the concepts are easy to understand if one knows the basics. Here is an SPF record example.
v=spf1 a mx include:spf.mtasv.net include:_spf.createsend.com ~all
The following explanation of the components and mechanisms in this record shows how SPF works.
- v=spf1: It indicates the SPF version used.
- a: It matches when the sending IP address appears in the domain’s address (A) record.
- mx: It is a match when the email originates from the IP address of one of the domain’s incoming mail servers.
- include: This statement tells receiving servers to also apply the SPF records of the named domains.
- all: An SPF record ‘all’ tag indicates that the intended action applies to all messages.
Mechanisms Of SPF That Ensure Email Delivery
Here are some mechanisms found in a typical SPF record that describe the set of hosts designated for outbound mail servers.
- The “all” mechanism – This mechanism is always placed at the end of the SPF record. It means a particular rule applies to all messages.
- The “ip4” mechanism – It allows IP addresses within a given range of IPv4 addresses, which have 32 bits.
- The “ip6” mechanism – Like the ip4 mechanism, this mechanism allows IP addresses in a specific range of IPv6 addresses, i.e., those with 128 bits.
Other mechanisms include ‘a,’ ‘mx,’ ‘ptr,’ ‘exists,’ ‘include,’ and others.
They can be prefixed with one of the following four qualifiers.
- + (Pass) – This qualifier is used when the mechanism results in a hit. It designates that the host is allowed to send emails.
- - (Fail) – It is the opposite of Pass: the SPF record does not allow the host to send email messages.
- ~ (Soft Fail) – It is similar to a Fail, but it marks the email and maintains it in the transition stage for future delivery/rejection depending on the qualifying conditions.
- ? (Neutral) – This qualifier does not commit anything about the validity of the message.
How Does SPF Ensure Email Delivery?
One should understand that the SPF record does not validate against the ‘From’ domain. Instead, it looks at the ‘Return-Path’ value for validating the originating server. This means that an email can pass SPF even if the ‘From’ address is fake. The receiving server’s SPF check decides whether the email is delivered or not. DMARC is the new standard that addresses this drawback in SPF. The following steps show how an SPF record works to ensure email delivery.
- The receiving email server retrieves the SPF record from the DNS records.
- It checks the SPF record for every IP address authorized to send emails on the domain’s behalf.
- If it authenticates the message, the receiving server approves the sending server and continues with the message processing.
- If the SPF record authentication fails, the server decides the future course of action.
For the above steps to function smoothly, the SPF record must be free of errors, strictly follow the SPF record syntax, and apply mechanisms correctly.
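The evaluation described above, as an added example that is not part of the original article: a small Python evaluator that walks a record left to right and returns the qualifier result of the first mechanism that matches. The domains, IP addresses and the in-memory DNS tables are constructed for illustration, `domain` stands for the ‘Return-Path’ domain, and error results, `ptr`, `exists` and modifiers are not modeled.

```python
import ipaddress

# Constructed offline "DNS" answers (assumption): TXT, A and MX data for example domains.
TXT = {
    "example.com": "v=spf1 a mx ip4:192.0.2.0/24 include:_spf.example.net ~all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}
A = {"example.com": ["203.0.113.10"], "mail.example.com": ["203.0.113.25"]}
MX = {"example.com": ["mail.example.com"]}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def matches(mech, arg, ip, domain):
    """Return True when the sending IP hits this mechanism."""
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return str(ip) in A.get(arg or domain, [])
    if mech == "mx":
        return any(str(ip) in A.get(h, []) for h in MX.get(arg or domain, []))
    if mech == "include":  # a hit only if the included record returns pass
        return check_spf(str(ip), arg) == "pass"
    return False  # ptr, exists and modifiers are outside this sketch

def check_spf(ip, domain):
    """Evaluate the domain's record left to right; the first hit decides."""
    ip = ipaddress.ip_address(ip)
    terms = TXT.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"  # default is Pass
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if matches(mech.lower(), arg, ip, domain):
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched
```

An address that only reaches the `-all` of the included record still ends as a soft fail for `example.com`, because `include` counts as a hit only when the included record passes.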
It is easy to create SPF records and equally easy for errors to creep into their components, including the mechanisms. One can use SPF record testers such as the Kitterman SPF tester, the Mimecast SPF check, or the SPF record check that Google offers to ensure SPF record accuracy. An error-free SPF record with the correct mechanisms is critical for any SPF record example, as it otherwise cannot ensure email delivery or spoofing prevention. Provided everything is right, an SPF record confirms that emails originating from a domain are genuine and not spam emails. Thus, it ensures guaranteed delivery.