SPF Macros
SPF macros are an effective and important Sender Policy Framework feature that is used when domain owners demand a more dynamic and scalable SPF record for authenticating their email domains. The SPF macros feature is a part of the SPF record syntax, defining character sequences that get replaced by metadata from individual emails requiring SPF validation. This, in turn, helps create simplified SPF records, avoiding the generation of long and complicated SPF records.
SPF Macros Explained
SPF macros are character sequences that can be used to simplify your SPF record configuration by replacing mechanisms defined within the said SPF DNS TXT record, as explained under RFC 7208, section 7.
SPF records are mostly simple, and instructions for the recipients’ servers regarding the treatment of illegitimate emails coming from your domain can be laid down using SPF mechanisms, qualifiers, and modifiers. However, there are certain situations where SPF mechanisms don’t suffice, and SPF macros have to be brought into the picture.
SPF macros are represented by a percent sign (%) and include a combination of two or more letters, modifiers, and delimiters. During the SPF authentication process, the SPF macros are evaluated and replaced with their corresponding values.
For example, %{s} and %{d} denote the sender’s address and the domain name linked with the checked identity, respectively.
Modifiers like r, l, or o are applied to extract particular elements of the address or domain, and delimiters like - or . help separate different elements within the macro.
Types of SPF Macros
SPF macros are denoted by single letters that are enclosed in curly braces { } and prepended by a percent (%) sign, and that refer to specific mechanisms within your SPF record. Here are the core macros.
- %{s}: The “s” macro represents the sender’s email address. Example: [email protected].
- %{l}: It’s used to denote the local part of the sender. Example: Mark.
- %{o}: This highlights the sender’s domain. Example: domain.com.
- %{d}: Similar to “o”, this macro represents the authoritative sending domain. In most cases, it is the same as the sender’s domain; however, it may differ in some cases.
- %{i}: It’s used to extract the IP address of the sender of the message. Example: 192.168.1.100.
- %{h}: The %{h} macro refers to the hostname specified by the HELO or EHLO command used during the SMTP connection when the message is being sent.
There are many more Macros that can be specified in your record; however, we listed some common ones.
How do SPF Macros Work?
With SPF macros, domain owners can specify references to certain mechanisms within their SPF record, thereby replacing these mechanisms. During a DNS query by the receiving MTA, the references are then used to extract the mechanisms and expand your record, helping create more manageable and adaptable SPF records.
Given below is an example of macros used in an SPF record:
“v=spf1 include:%{i}_.%{d}._spf.powerdmarc.com ~all”
- Here, the include: mechanism contains the SPF macros.
- There are two SPF macros, each represented by a character sequence of a percent sign, a left curly brace, a macro letter, and a right curly brace. In the above example, %{i} denotes the sender’s IP address, and %{d} represents the sender's domain from the ‘MAIL FROM’ command.
- Suppose 192.168.1.100 is the IP address of the sending domain. When an email is sent from this IP, the receiving server initiates a DNS query to look up the domain’s SPF DNS record.
- Once the receiver looks up the sending domain’s SPF record, it comes across the SPF macros, which are then substituted with their corresponding values.
- This expanded SPF record is then examined to determine whether or not the email manages to pass SPF validation or fails the check.
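The substitution step described above can be reproduced offline. The following is an added example, not code from this page or from PowerDMARC: a small expander that follows the macro syntax of RFC 7208, section 7, and goes beyond the record above by also handling the reverse (r), digit, and delimiter transformers, uppercase (URL-encoded) letters, and IPv6. The sender mark@domain.com and the HELO name mail.domain.com are constructed sample values.

```python
import ipaddress
import re
from urllib.parse import quote

# One macro token: %{letter digits r delimiters}, or a %%, %_, %- escape.
MACRO = re.compile(r"%(?:\{([A-Za-z])(\d*)(r?)([-.+,/_=]*)\}|([%_-]))")
ESCAPES = {"%": "%", "_": " ", "-": "%20"}


def ip_macro(ip):
    """%{i}: dotted quad for IPv4, dot-separated hex nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))


def expand(spec, sender, ip, helo, domain=None):
    """Expand the macros in one SPF term the way a receiving MTA would."""
    if "%" in MACRO.sub("", spec):
        # A bare % (for example "%d" without braces) is a syntax error.
        raise ValueError("stray % outside a valid macro")
    local, _, sender_domain = sender.rpartition("@")
    values = {
        "s": sender, "l": local, "o": sender_domain,
        "d": domain or sender_domain, "i": ip_macro(ip), "h": helo,
    }

    def substitute(match):
        letter, digits, reverse, delims, escape = match.groups()
        if escape:
            return ESCAPES[escape]
        if letter.lower() not in values:
            raise ValueError(f"macro letter not handled here: {letter}")
        # Split on the listed delimiters (default "."), rejoin with ".".
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError("digit transformer must be non-zero")
            parts = parts[-int(digits):]  # keep the right-most N parts
        result = ".".join(parts)
        return quote(result, safe="") if letter.isupper() else result

    return MACRO.sub(substitute, spec)


if __name__ == "__main__":
    # Constructed sender and HELO; record term and IP are the page's example.
    print(expand("include:%{i}_.%{d}._spf.powerdmarc.com",
                 "mark@domain.com", "192.168.1.100", "mail.domain.com"))
```

Running it prints the include: target the receiver would actually query for this sender and IP.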
When are Macros Used in Your SPF Record?
SPF macros can be used in a range of different scenarios depending on the needs of domain owners. They can come in handy if you want to simplify a complex email authentication infrastructure, use several third-party email handling services, or simply want to reduce the size of your SPF record.
Given below are some common cases where SPF macros can prove to be advantageous:
Organizations with a Multi-Domain Infrastructure
Enterprise-level organizations operating multiple domains are the best-suited users for SPF macros, although they can be used by organizations of all sizes. Macros provide substantially more flexibility and effective optimization of SPF records in comparison to traditional flattening methods, to ensure that SPF functions seamlessly in even multi-domain environments. This also eliminates the need for you to create multiple SPF records.
Large Email Infrastructures
Companies with complicated email infrastructures may need to incorporate a number of SPF mechanisms, best optimized using SPF macros. These macros will provide a way to define references to mechanisms, ensuring that the record doesn’t get too long and stays under the RFC-specified length of 512 octets.
Third-Party Services
Organizations using several third-party email vendors can now rest easy knowing that SPF won’t break, thanks to the inclusion of SPF macros that facilitate easy optimization of third-party includes while also ensuring your record doesn’t exceed the permitted limits for DNS and void lookups.
Overcoming SPF Challenges with SPF Macros
You can include multiple SPF macros in a record and get rid of common issues highlighted during SPF inspections done manually or using an SPF checker. Here’s what you can potentially do:
1. Prevent Long SPF Records That Cause Temperror
Using multiple include: statements in your SPF record can prevent it from getting too long. However, this is not a permanent solution. By using SPF macros in your domain’s SPF setup, you eliminate the chances of your record exceeding the length limit specified by RFC for DNS TXT records (512 characters).
2. Limit DNS and Void Lookups and Mitigate Permerror
Organizations using multiple third-party sending sources and email vendors are prone to exceeding RFC-specified lookup limitations for DNS queries. This is because every vendor adds one or more lookups. These can pile up and cause your SPF record to break, resulting in SPF permerror.
By using SPF Macros to add references to IP addresses or domains of these external vendors, you can limit unauthorized sources while ensuring that you stay under the lookup limits.
Some Potential Drawbacks of Macros
While SPF macros offer a powerful way to manage complex SPF records, particularly for large organizations, they come with a few drawbacks that can make them a challenging solution.
Complexity and Difficulty in Implementation: SPF macros are not as simple to configure as traditional SPF records. They use a specific syntax with placeholders that must be correctly formatted to be evaluated by receiving mail servers. This complexity can lead to syntax errors, which will invalidate the entire SPF record and cause legitimate emails to fail authentication. It's recommended to use a hosted service with expert support to configure it correctly.
Limited Support and Compatibility: Not all email systems and receiving mail servers fully support or correctly process SPF macros. Legacy infrastructure may not be able to expand or interpret them, leading to unpredictable results. If a mail server doesn't support macros, it may treat the macro as a literal string, which will likely result in SPF failures for all emails sent from your domain.