
How does SPF work?

Creating an SPF Record

You create an SPF record in your domain's DNS zone that specifies which IP addresses are permitted to send email from your domain. This means that if someone tried to send spoofed emails from your domain, their messages would fail the check because the IP address of their mail server would not be listed as one of the approved servers.


For example, if you want only Gmail accounts to be able to send mail from your domain name, but not Outlook accounts, then you would add the following line to your SPF record:


v=spf1 a mx include:_spf.google.com ~all


This tells servers that any messages sent from any host whose IP address ends with _spf.google.com should be considered valid, whereas all other messages should be discarded. 

 

DNS Lookup


When an email sender attempts to send a message, the recipient server performs a DNS lookup on the sending domain to see if there is an SPF record—this is called “authentication.” There is a limit of 10 DNS lookups allowed per query; exceeding it leads to an SPF permerror.


If there is no SPF record, then authentication fails and the message is not delivered. If there is an SPF record, then the SPF server checks for IP addresses in the TXT record at the hostname specified in the SPF record.


If there are no IP addresses specified, then it will fail authentication. Otherwise, it will perform an A query for each IP address specified in the order of appearance in the TXT record.


The IP address that returns a result code of NXDOMAIN or NOERROR will be considered authorized by the SPF server and its hostname will be added to a list of authorized sending hosts for that domain.

 

Authentication Outcome


The mail server either delivers the message to the recipient or flags it for rejection based on the rules specified in the SPF record.


Authentication outcomes can take three forms: Pass, Neutral, or Fail.


Pass means that the mail server accepts the message as legitimate and allows it to be delivered. Neutral means that there is either no record at all or an invalid one for that domain in DNS, so there is no way of knowing whether or not this is a legitimate message from that domain. Fail means that something about this message was not authentic enough for it to be delivered.


For example, a mail server with IP address ‘234.2.1.2’ sends an email from ‘join@apple.com’. The inbound server will consult the Domain Name System (DNS) to determine if this IP address is authorized to send emails on behalf of the ‘apple.com’ domain. If so, the message will be delivered; otherwise, it will be discarded or marked as spam, i.e. sorted according to the mechanism specified in the SPF record.
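The following is an added example, not part of the original course material, that ties the three sections above together: it parses a record in the syntax shown earlier, evaluates a sending IP the way a receiving server does, enforces the 10-lookup limit, and includes an audit helper for counting how many lookups your own record consumes before you publish it. DNS is replaced by an in-memory table of constructed records; the entries for example.com, _spf.google.com (invented here, not Google's real data), bloated.example and inc0..inc10.example are assumptions. Results use the RFC 7208 names (pass, fail, softfail, neutral, none, permerror); note that ~all yields softfail, which the text above groups under Fail. Dual-CIDR suffixes on a/mx and the exists/ptr mechanisms are deliberately left out of this simplified evaluator.

```python
import ipaddress

# Constructed, offline stand-in for DNS (assumption: real code would query a resolver).
# The _spf.google.com entry is invented for this example and is NOT Google's real record.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 a mx include:_spf.google.com ~all"],
    ("example.com", "A"): ["198.51.100.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.20"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    # A record that needs 11 include: lookups, one more than RFC 7208 allows.
    ("bloated.example", "TXT"): [
        "v=spf1 " + " ".join(f"include:inc{i}.example" for i in range(11)) + " -all"
    ],
}
for i in range(11):
    FAKE_DNS[(f"inc{i}.example", "TXT")] = ["v=spf1 ip4:203.0.113.0/24 -all"]

MAX_LOOKUPS = 10
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}  # terms that cost a DNS query
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Raised when the record cannot be evaluated (RFC 7208 'permerror')."""


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def parse_spf(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) tuples; None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier, e.g. redirect=other.example
            name, _, arg = term.partition("=")
            if name.lower() != "redirect":   # exp= and unknown modifiers are ignored
                continue
        else:
            name, _, arg = term.partition(":")   # ip6 args keep their own colons
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def match(addr, domain, mech, arg, budget):
    """True if the sending address satisfies one mechanism; include: recurses and spends budget."""
    target = arg or domain
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):               # a v4 address never matches a v6 network, and vice versa
        return addr in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return any(addr == ipaddress.ip_address(a) for a in lookup(target, "A"))
    if mech == "mx":
        return any(addr == ipaddress.ip_address(a)
                   for mx in lookup(target, "MX") for a in lookup(mx, "A"))
    if mech == "include":
        sub = check_host(str(addr), arg, budget)
        if sub in ("none", "permerror"):     # a missing or broken included record is fatal
            raise PermError(f"include:{arg} has no usable record")
        return sub == "pass"
    raise PermError(f"unsupported mechanism {mech}")


def check_host(ip, domain, budget=None):
    """Simplified RFC 7208 check_host(): pass / fail / softfail / neutral / none / permerror."""
    budget = budget if budget is not None else {"lookups": 0}
    addr = ipaddress.ip_address(ip)
    records = [r for r in lookup(domain, "TXT") if parse_spf(r) is not None]
    if not records:
        return "none"                        # no SPF record published at all
    if len(records) > 1:
        return "permerror"                   # exactly one SPF record is allowed
    redirect = None
    try:
        for qualifier, mech, arg in parse_spf(records[0]):
            if mech in LOOKUP_TERMS:
                budget["lookups"] += 1
                if budget["lookups"] > MAX_LOOKUPS:
                    raise PermError("more than 10 DNS lookups")
            if mech == "redirect":
                redirect = arg               # only consulted if nothing else matches
                continue
            if match(addr, domain, mech, arg, budget):
                return QUALIFIERS[qualifier]
        if redirect:
            return check_host(ip, redirect, budget)
    except PermError:
        return "permerror"
    return "neutral"                         # record exists but no term matched


def count_lookups(domain, seen=None):
    """Audit helper: total DNS-querying terms reachable from a domain's record via include:/redirect=."""
    seen = seen if seen is not None else set()
    if domain in seen:                       # guard against include loops
        return 0
    seen.add(domain)
    total = 0
    for record in lookup(domain, "TXT"):
        for _, mech, arg in parse_spf(record) or []:
            if mech in LOOKUP_TERMS:
                total += 1
            if mech in ("include", "redirect"):
                total += count_lookups(arg, seen)
    return total


if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.7", "192.0.2.1"):
        print(ip, "->", check_host(ip, "example.com"))
    print("example.com lookups:", count_lookups("example.com"))
    print("bloated.example:", check_host("192.0.2.1", "bloated.example"))
```

Running count_lookups against your own domain before changing the record is the practical check: every include: you add to pull in a third-party sender spends part of the 10-lookup budget, and once it is exceeded receivers return permerror for every message, not just the spoofed ones.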


 

Email Authentication Fundamentals