December 2021

  • DNS

    What is an SPF record and How Does it Work?

    E-mail is not new, but it remains a widely used form of communication. It is the official channel companies use to reach clients, employees, providers, and others.

    Cybercriminals know this, so they try all sorts of malicious tricks to get into your communications. By spoofing the sender, they can send e-mails on behalf of companies or people and exploit their reputation and trustworthiness to deceive others.

    That is why the SPF (Sender Policy Framework) protocol emerged: to make e-mail a safer game.

    You, the administrator, get a way to limit who can send messages from your domain, and the recipient can check that authorization and act on the result. That already sounds less risky, doesn’t it?

    What is an SPF record?

    An SPF record, or Sender Policy Framework record, is a DNS TXT record that lists the servers authorized to send e-mail for a specific domain. Because it is a TXT record, administrators publish the policy as plain text in the domain’s DNS zone.

    Before SPF, SMTP (Simple Mail Transfer Protocol) did not authenticate the “from” address of an e-mail. That made it easy for criminals to spoof a trusted sender and deceive the recipient. By faking the address of a bank or a government office, spoofers pushed victims into sharing sensitive data or taking actions against their own finances or interests. The SPF record was created to add a means of authentication and avoid these risks.

    For a message to be delivered, the IP address it was sent from must be on the SPF record’s list. Otherwise, the message will be discarded or marked as spam.

    Besides the SPF record, you also have DMARC (Domain-based Message Authentication, Reporting, and Conformance) and DKIM (DomainKeys Identified Mail) records to confirm whether the source an e-mail comes from is risky or trustworthy.

    How does an SPF record work?

    Servers that receive e-mail verify SPF by reading the domain of the return-path value found in the e-mail’s headers. The recipient’s server takes the return-path domain and looks up the SPF TXT record in the sender’s DNS.

    A correctly configured SPF record lists the authorized mail servers. If the sending IP address is not included on that list, the message fails the verification test.

    SPF records work through mechanisms and qualifiers. Mechanisms define who is authorized to send messages on behalf of a domain, while qualifiers define the result that applies when a mechanism matches.

    Mechanisms:

    • “all”: matches any sender, so everything after it is ignored.

    • “mx”: performs an MX lookup of the domain and compares the addresses of those mail hosts with the sending server’s IP address. A match allows the message.

    • “a”: resolves the domain’s A and AAAA records and compares them with the sending server’s IP address. In case of a match, everything is fine.

    • “include”: starts a recursive check of another domain’s SPF record, so that domain’s outgoing mail servers are also allowed to send e-mail on your behalf.

    • “exists”: constructs an arbitrary domain name and queries it for a DNS A record; the mechanism matches if the query returns any A record.

    • “ptr”: performs a reverse DNS lookup of the IP address to check whether it points to the domain name. If the IP address belongs to the domain, it is validated.

    • “ip4”: checks whether the sending IPv4 address belongs to the given IP network.

    • “ip6”: checks whether the sending IPv6 address belongs to the given IP network.

    Qualifiers:

    • “+” pass

    • “-” fail

    • “~” softfail

    • “?” neutral
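    The check described in the previous two sections (look up the return-path domain’s SPF TXT record, then walk its mechanisms in order and apply the matching qualifier) can be shown end to end in a few dozen lines. The following Python evaluator is an added example written for this page; it is not code from the original post or from any real SPF library. All DNS data is constructed and embedded in a dictionary (the .test domains, the documentation IP ranges and the single PTR entry are made up), so it runs offline; a real receiver would issue live DNS queries, and would also handle modifiers such as redirect= and the exact RFC 7208 limit on DNS-querying terms, which are only approximated here by a recursion cap.

```python
import ipaddress

# Constructed, in-memory "DNS" standing in for real lookups. Domains and
# addresses are documentation values made up for this example.
FAKE_DNS = {
    ("example.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.test -all"],
    ("example.test", "MX"): ["mail.example.test"],
    ("mail.example.test", "A"): ["198.51.100.10"],
    ("_spf.mailer.test", "TXT"): ["v=spf1 ip6:2001:db8::/32 a:relay.mailer.test ~all"],
    ("relay.mailer.test", "A"): ["203.0.113.5"],
    ("legacy.test", "TXT"): ["v=spf1 ptr:example.test -all"],
    ("10.100.51.198.in-addr.arpa", "PTR"): ["mail.example.test"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve name/rtype against the constructed zone data above."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def host_ips(name):
    """A and AAAA records of a host, as ipaddress objects."""
    return [ipaddress.ip_address(a) for a in lookup(name, "A") + lookup(name, "AAAA")]


def parse_record(txt):
    """Turn 'v=spf1 ...' into (qualifier, mechanism, argument) terms."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                      # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if "=" in term:                 # modifiers (redirect=, exp=) are out of scope here
            continue
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def check_host(ip, domain, depth=0):
    """Evaluate a sender IP against the domain's SPF record; returns the SPF result."""
    if depth > 10:                      # crude stand-in for the RFC 7208 lookup limit; stops include loops
        return "permerror"
    ip = ipaddress.ip_address(ip)
    records = [r for r in lookup(domain, "TXT")
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"                   # the domain publishes no SPF record
    if len(records) > 1:
        return "permerror"              # exactly one SPF record is allowed
    for qual, mech, arg in parse_record(records[0]):
        if mech == "all":               # always matches, so later terms are never evaluated
            matched = True
        elif mech in ("ip4", "ip6"):    # IPv4 address never matches an IPv6 network and vice versa
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "a":
            matched = ip in host_ips(arg or domain)
        elif mech == "mx":
            matched = any(ip in host_ips(mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":         # recursive check; matches only if the other record passes
            matched = check_host(str(ip), arg, depth + 1) == "pass"
        elif mech == "exists":          # matches if the named domain has any A record
            matched = bool(lookup(arg, "A"))
        elif mech == "ptr":             # reverse lookup, then forward-confirm; discouraged by RFC 7208
            target = arg or domain
            matched = any((name == target or name.endswith("." + target)) and ip in host_ips(name)
                          for name in lookup(ip.reverse_pointer, "PTR"))
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no "all" term: same as "?all"


if __name__ == "__main__":
    for sender, dom in [("192.0.2.77", "example.test"), ("203.0.113.5", "example.test"),
                        ("203.0.113.99", "example.test"), ("198.51.100.10", "legacy.test")]:
        print(f"{sender:>14} via {dom}: {check_host(sender, dom)}")
```

    Running it shows the qualifier in action: 192.0.2.77 passes on the ip4 term, 203.0.113.5 passes only because the include pulls in relay.mailer.test, and 203.0.113.99 reaches the final -all and fails, while the same address checked against _spf.mailer.test only softfails because that record ends in ~all.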

    Conclusion

    An SPF record is a great ally for fighting spoofers, reducing bounced e-mails, and keeping your good reputation safe! Set it up. You won’t regret it!