DNS SPF Record

The DNS SPF record is used in mail domain reputation.


Last updated 4 years ago

Summary

An SPF record is a TXT record published in a domain's DNS (Domain Name System). It lists the hostnames and IP addresses that are permitted to send email on behalf of that domain, so that receiving mail servers can tell authorized senders from forged ones.

Detail

The DNS SPF record is used in mail domain reputation. The Sender Policy Framework (SPF) lets a domain owner publish, in a DNS record, the list of servers that are trusted to send email for the domain. The main objective is to reduce the amount of spam and phishing sent with a forged sender address in that domain.

The SPF policy is stored in a DNS TXT record on the domain name, beginning with the prefix v=spf1. A record can contain several mechanisms, and the include mechanism pulls in another domain's SPF policy, which is how a provider's sending servers are authorized without copying their addresses into your own record.

Each mail server (MTA, mail transfer agent) receiving a message can check whether the connecting server is trusted and make a routing or delivery decision accordingly. By querying the SPF TXT record of the sender's domain it obtains the list of authorized servers, expressed either as IP addresses or networks (ip4 and ip6 mechanisms), as hostnames whose A records are looked up (a mechanism), or as the domain's mail exchangers (mx mechanism). The a, mx and include mechanisms each cost the receiver extra DNS lookups, which is why their number is limited (see Step 2 below).

Curious about this? Open any message in your inbox and view its headers (the "show source" or "show original" option of your mail client); you will usually find a Received-SPF: header, and often an Authentication-Results: header, recording the result of the SPF check on that message.

Source: EfficientIP, DNS SPF Record

How to create your SPF record?

To protect your domain and brand against spoofing and phishing attacks you have to authenticate your email, and SPF is the first building block.

Step 1: Collect all IP addresses that are used to send email

The Sender Policy Framework (SPF) lets you specify which IP addresses are allowed to send email on behalf of a specific domain, so that receivers can authenticate your email.

To implement SPF successfully you first need to identify every system that sends email for your domain. These can be any sending organization: your Email Service Provider, your office mail server, and any third-party services (newsletter tools, ticketing systems, SaaS applications) that send email with your domain in the From address. Anything you miss will fail the check once you publish a strict policy.

Gathered all sending email servers? Then move on to Step 2.

Step 2: Create your SPF record

  1. Start with the SPF version. An SPF record must always begin with v=spf1 (version 1); this tag identifies the TXT record as an SPF record. A Microsoft variant called Sender ID (published as v=spf2.0) once existed but has been discontinued.

  2. After the v=spf1 tag, list the IP addresses (or networks in CIDR notation) that are authorized to send email on your behalf. For example: v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e

  3. Next, add an include mechanism for every third-party organization that sends email on your behalf, e.g. include:thirdpartydomain.com. This states that the servers authorized by that domain's own SPF record are also authorized for your domain. Ask the third party which domain to use as the value of the include statement; it is usually not their main web domain. Note that every include, a and mx term costs a DNS lookup, that the included domain's own includes count as well, and that RFC 7208 allows at most ten such lookups per evaluation. A record that exceeds the limit produces a permerror and receivers treat it as if it were invalid, so count the lookups before publishing.

  4. Once all IP addresses and include mechanisms are in place, end the record with an all mechanism (~all or -all). The all mechanism is an important part of the SPF record because it tells receivers what policy to apply to a server that is not listed in your record: if an unauthorized server sends email on behalf of your domain, the receiver acts according to the policy you published (for example rejecting the message or marking it as spam). The qualifier in front of all sets how strictly receivers should treat such email:

     • -all (fail): servers not listed in the SPF record are not authorized to send email for the domain; non-compliant email should be rejected.
     • ~all (softfail): email from an unlisted server is accepted but marked as a soft fail; receivers typically treat it as suspicious or feed the result into spam scoring and DMARC rather than rejecting it outright.
     • ?all (neutral): the domain makes no statement about unlisted servers, which is equivalent to publishing no policy.
     • +all: strongly discouraged; it authorizes every server on the internet to send email as your domain and defeats the purpose of SPF.

  • After these steps your record might look something like this:

v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e include:thirdpartydomain.com -all

Domains without Email

For domains that never send email, publish an SPF record that authorizes no sender and hard-fails everything: v=spf1 -all

This "empty" record with a hard fail policy tells receivers that no server may send email for the domain, so any message claiming to come from it is forged:

sampleparkeddomain.com TXT "v=spf1 -all"

Now that you have a clear overview of all sending domains, create an SPF record for every domain you own, including the ones that do not actively send email (see: How to secure inactive/parked domains). Otherwise attackers can spoof exactly those unprotected domains.

There are many more SPF mechanisms and modifiers; more information can be found on the SPF parts explanation page.
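The receiver-side check described under Detail, the record built in Steps 1 to 4 and the v=spf1 -all record for parked domains can all be exercised with the evaluator below. It is an added example written for this page, not code from the page's source or from any SPF library. It implements the ip4, ip6, a, mx, include and all mechanisms with their qualifiers and the RFC 7208 limit of ten DNS-querying terms, and it answers DNS from a constructed in-memory table: apart from the example record already on this page, the domain names and addresses in that table are invented for illustration, so the code runs offline and against no real zone.

```python
"""Offline SPF (v=spf1) evaluator covering the mechanisms used on this page:
ip4, ip6, a, mx, include and all, with the +, -, ~ and ? qualifiers and the
RFC 7208 limit of 10 DNS-querying terms. DNS answers come from an in-memory
table so the example runs without network access.
"""
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: a, mx, include (and redirect) terms

# Constructed zone data standing in for real DNS answers; these names and
# addresses are illustrative, not any real domain's published records.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:34.243.61.237 "
                "ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e "
                "include:thirdpartydomain.com -all"],
    },
    "thirdpartydomain.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "corp.example": {
        "TXT": ["v=spf1 a mx ~all"],
        "A": ["203.0.113.10"],
        "MX": ["mail.corp.example"],
    },
    "mail.corp.example": {"A": ["203.0.113.25"]},
    "parked.example": {"TXT": ["v=spf1 -all"]},                  # never sends mail
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},  # self-include
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query: returns the records of one type for a name."""
    return DNS.get(name, {}).get(rtype, [])


def get_spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if it has none
    (two or more SPF records is a permerror in RFC 7208; treated as None here)."""
    spf = [t for t in lookup(domain, "TXT") if t.lower().split(" ", 1)[0] == "v=spf1"]
    return spf[0] if len(spf) == 1 else None


def ip_matches(ip, target, default_prefix):
    """True if ip falls inside target (an address or CIDR of the same family)."""
    cidr = target if "/" in target else f"{target}/{default_prefix}"
    net = ipaddress.ip_network(cidr, strict=False)
    return ip.version == net.version and ip in net


def check_spf(ip_str, domain, lookups=None):
    """Evaluate the sending IP against domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    `lookups` is a shared counter so nested includes share the 10-lookup budget.
    """
    ip = ipaddress.ip_address(ip_str)
    lookups = [0] if lookups is None else lookups
    record = get_spf_record(domain)
    if record is None:
        return "none"

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:          # modifiers such as exp= are ignored in this subset
            continue
        mech, _, arg = term.lower().partition(":")
        matched = False

        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_matches(ip, arg, 32)
        elif mech == "ip6":
            matched = ip_matches(ip, arg, 128)
        elif mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            target = arg or domain
            if mech == "a":
                matched = any(ip == ipaddress.ip_address(a) for a in lookup(target, "A"))
            elif mech == "mx":
                matched = any(ip == ipaddress.ip_address(a)
                              for host in lookup(target, "MX") for a in lookup(host, "A"))
            else:  # include: only a 'pass' from the included record counts as a match
                sub = check_spf(ip_str, target, lookups)
                if sub in ("permerror", "none"):
                    return "permerror"
                matched = sub == "pass"
        else:
            return "permerror"   # unknown mechanism

        if matched:
            return QUALIFIERS[qualifier]

    return "neutral"             # no mechanism matched and no 'all' term


def count_dns_lookups(domain, _depth=0):
    """Count the DNS-querying terms a receiver must resolve for domain's record,
    following includes, so a record can be checked against MAX_LOOKUPS before it
    is published. Recursion is capped so a self-including record terminates."""
    record = get_spf_record(domain)
    if record is None or _depth > MAX_LOOKUPS:
        return 0
    total = 0
    for term in record.split()[1:]:
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mech in ("a", "mx"):
            total += 1
        elif mech == "include":
            total += 1 + count_dns_lookups(arg, _depth + 1)
    return total
```

check_spf returns the result a receiver would write into the Received-SPF header: the page's example record passes its two listed addresses and anything authorized by thirdpartydomain.com, and hard-fails everything else, while parked.example fails every sender. count_dns_lookups is the pre-publication check for the ten-lookup limit from Step 3; the self-including loop.example record exceeds it and evaluates to permerror. Modifiers such as redirect= are outside this subset, so records that rely on them need a full implementation such as pyspf.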
