How An SPF Validator Works & Allows Users To Test SPF Records

How an SPF validator can be used to test SPF records for your domain.

With modern tools available at the click of a button, testing an SPF record has become a simple task, ensuring that emails are delivered without fail while preventing the clients from becoming victims of domain spoofing and spam. An SPF validator can help users validate SPF records to ensure they are error-free so that the users do not have to do the task themselves.

 


How An SPF Validator Can Help You Validate Your SPF Records

An SPF Validator performs various tests on a domain. The first check an SPF validator performs is verifying if an SPF record is present. If there is no SPF record, it reports with a message “None” or “No SPF Record found.”

Next, an SPF validator validates the SPF record by checking if the SPF syntax is accurate and contains the necessary elements. The correct SPF syntax is shown below.

 

SPF Syntax

One of the main tasks of an SPF validator is to check if the SPF syntax is correct. The syntax presented below shows its various components and the different mechanisms against which the tests are performed:

SPF_version a:example.com mx ip4_address1 ip6_address2 include:third_party_domain.com all_tag

 

Here’s An SPF Record Example

A typical SPF record, based on the above syntax, is shown below. Specific values have been assigned to each parameter in the syntax.

v=spf1 a mx ip4:69.64.153.131 include:_spf.google.com ~all

For the above example, the SPF validator performs the following tests:

  • It checks whether the SPF version is the current one published by the Internet Engineering Task Force (IETF). The current version is “spf1,” as defined by RFC 7208.
  • The SPF validator then checks all the “a” records for the domain to see if the client IP address is found among them.
  • It tests the “a” records of all the MX hosts belonging to the domain for a match with the client IP.
  • There are three ways to include IP addresses in the SPF record: single, multiple non-sequential, or multiple sequential IP addresses. The SPF validator will test if there is a match with one of the IP addresses to validate the SPF record.
  • The “all” mechanism is used at the end of the SPF record, coupled with a qualifier such as -, +, or ~. The SPF validator verifies that there is an “all” mechanism present. It will also warn against using the ‘+’ qualifier since the domain allows all IP addresses on the internet to send emails in such a case, which is not recommended. Why the ‘all’ mechanism is crucial is described below.

 


 

The Importance Of SPF ~All

The “all” mechanism determines what to do with an email that does not pass authentication. The SPF validator will first check for the presence of the ‘all’ mechanism. If there is none, it will report so. If it is present, the validator determines which qualifier is prefixed to it and reports errors and suggestions accordingly.

If there is no qualifier, incoming email servers will assume “+” is intended and allow all emails to be delivered. The SPF validator will issue a warning since it is not a recommended method. The use of “-all” is also generally limited as it only allows emails that pass the other mechanisms. Emails that do not match are not allowed to be delivered and are discarded. On the other hand, if the SPF record is correctly validated by eliminating all errors, old and unused DNS records, third-party “includes,” and other common mistakes, the user may confidently use the “-all” mechanism.

The “~” denotes “softfail,” allowing email that does not ‘pass’ to be delivered to the recipient’s inbox but in a marked state as a warning to the receiver. The “~all” is the recommended option, and the SPF validator will typically perform a test and suggest its use. The suggestion is made because sometimes an SPF record may be set up incorrectly or not updated to list authorized third-party domains, other “includes,” and specific IP addresses, which causes legitimate emails to be dropped.

 

Additional Tests Performed By The SPF Validator

Since SPF TXT records are limited to ten DNS lookups, they cannot include more than ten references to other domains. An SPF validator will test how many lookups are generated and warn if there are more than ten. Instances of tags like a, mx, include, and ptr count against the lookup limit, as do nested lookups.

The SPF validator also checks for other common mistakes listed below:

  • More than one SPF TXT record
  • Mentioning IPv4 instead of ip4
  • Checking for spaces where needed
  • Removing ‘dead’ or old DNS records that are no longer valid and causing a ‘Perm Error’ to occur
  • Removing third-party “includes” that are no longer in use
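
The checks described in the sections above (record presence, duplicate records, the “all” qualifier, the ten-lookup limit and the IPv4/ip4 typo) can be expressed as a small offline linter. This is an added example, not code from the page or from any validator product; the function name lint_spf and the sample records are constructed for illustration. It counts only top-level lookup terms, because nested lookups require live DNS queries, and it also counts “exists” and “redirect”, which RFC 7208 includes in the limit.

```python
import re

# Terms that cost one DNS lookup each when evaluated (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"all", "ip4", "ip6", "exp"}
# Optional qualifier, term name, then an optional :value, =value or /cidr part.
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.-]*)([:=/].*)?$", re.I)

def lint_spf(txt_records):
    """Lint one domain's TXT strings without DNS; returns a list of findings."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["none: no SPF record found"]
    findings = []
    if len(spf) > 1:
        findings.append("error: more than one SPF TXT record")
    terms = spf[0].split()[1:]          # lint the first record's terms
    lookups, all_qualifier = 0, None
    for term in terms:
        m = TERM_RE.match(term)
        name = m.group(2).lower() if m else None
        if name not in KNOWN_TERMS:     # typos and missing spaces land here
            hint = " (use ip4/ip6)" if "ipv" in term.lower() else ""
            findings.append(f"error: unknown term '{term}'{hint}")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = m.group(1) or "+"   # a missing qualifier means "+"
    if lookups > 10:
        findings.append(f"error: {lookups} lookup terms at top level, limit is 10")
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if all_qualifier is None and not has_redirect:
        findings.append("warning: no 'all' mechanism")
    elif all_qualifier == "+":
        findings.append("warning: '+all' authorises every IP address to send")
    return findings

# Constructed sample input: the record from this page, and a faulty pair.
GOOD = ["v=spf1 a mx ip4:69.64.153.131 include:_spf.google.com ~all"]
BAD = ["v=spf1 ipv4:192.0.2.10 mx +all", "v=spf1 -all"]

if __name__ == "__main__":
    for records in (GOOD, BAD):
        print(records, "->", lint_spf(records) or "no findings")
```
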

 

Some SPF Generators Can Also Be Used As Validators

An SPF generator can simplify the task of creating an SPF TXT record for a domain. An SPF generator checks if the domain has an SPF record. If not, it presents an SPF Wizard where the user can fill in the required details such as the hostname, IP addresses, third-party domains, and the “all” mechanism. The SPF generator acts as an SPF validator right from the start, guiding the user through setting up a proper SPF TXT record.

 

Final Words

An SPF Validator constitutes a vital tool for domain administrators to perform tests and make necessary corrections to the SPF record for a domain. Keeping an SPF record current and updated is essential for organizations to prevent business emails from being lost or treated as spam. Moreover, it saves the organization from a negative reputation due to email spoofing by malicious actors on its domain.
