SPF Records

SPF records are used to help mitigate spam email. An SPF record lists who is allowed to send mail for a domain and dictates what the receiving host should do when a sender does not match. I prefer -all when I’m in control of my domains. What’s the use of the SPF if it’s not effective? You have to think about what exactly the SPF record is trying to accomplish. The simplest way to think about it is that it’s a pass/fail lookup mechanism.

Example of an SPF record:
v=spf1 ip4:1.1.1.1 include:spf.protection.outlook.com -all

First, there’s the version of the SPF record, which is “v=spf1”. After that, there are typically two options used when setting up an SPF record: ip4 and include. You might also see an a option, so I’ll briefly discuss it. These are followed by the answer to “what should I do if it’s a pass or fail?”. This is the last thing you set, and it’s where the “all” option comes into play.

ip4:{IP ADDRESS} = IP Addresses that are authorized to send email on my behalf

  • I work for abc.com and when I send email, it gets the IP 1.1.1.1. That IP address must be used.
  • I work for abc.com and when I send email for surveys, it gets the IP 2.2.2.2. That IP address must be used.

include:{DOMAIN} = Domains that are authorized to send email on my behalf

  • I work for abc.com but I’m sending emails with the xyz.com domain (noreply@xyz.com). I need to have an include for the xyz.com domain.

a:{DOMAIN} = DNS A record lookup must match

  • I work for abc.com and when I send email, it gets the IP 1.1.1.1. When the client receives my email from kcordero@abc.com, abc.com must resolve to 1.1.1.1. If not, it’s a fail.

How do you control Pass/Fail? You use any of these three:

-all = hardfail: fail or reject if it does NOT match
~all = softfail: mark as spam but accept if it does NOT match
+all = email accepted no matter what (DON’T USE!)

NOTE:
It’s not a bad idea to use a softfail when testing email and then change it to hardfail when it’s working correctly.
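
The pass/fail lookup described above can be walked through in code. This is an added example, not part of the original post: a small evaluator for the ip4, a, include and all options, run against a constructed in-memory table instead of real DNS. The domains spf.mailer.example, soft.example and open.example and all of their records are made up for the illustration.

```python
import ipaddress

# Constructed sample data standing in for DNS TXT and A lookups (not real records).
TXT = {
    "abc.com": "v=spf1 ip4:1.1.1.1 include:spf.mailer.example -all",
    "spf.mailer.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "soft.example": "v=spf1 a:mail.soft.example ~all",
    "open.example": "v=spf1 +all",
}
A = {"mail.soft.example": ["198.51.100.7"]}

# The character in front of a term decides the result when that term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Return the SPF result for a connecting IP and the sender's domain."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    if depth > 10:
        return "permerror"  # crude recursion guard (real SPF caps DNS-querying terms at 10)
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # terms are evaluated left to right
        qualifier = "+"  # default when no qualifier is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True  # catch-all, which is why it goes last
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in A.get(arg or domain, [])
        elif name == "include":
            # include matches only if the other domain's record returns pass
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            continue  # options this page does not cover are skipped here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

if __name__ == "__main__":
    for ip, dom in [("1.1.1.1", "abc.com"), ("203.0.113.25", "abc.com"),
                    ("192.0.2.9", "abc.com"), ("192.0.2.9", "soft.example"),
                    ("192.0.2.9", "open.example")]:
        print(f"{ip:>14} as {dom:<13} -> {check_spf(ip, dom)}")
```

The last case shows why +all should not be used: an unrelated IP gets a pass for open.example.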