
SPF Tags: Syntax of an SPF Record Explained

The SPF record syntax comprises several elements: Directives, Qualifiers, and Mechanisms.

Directives are the first part of an SPF record syntax. They indicate how to interpret the rest of the record. Three directives can appear in an SPF record: v=spf1, a, and mx. The v directive indicates that this record is an SPFv1 record; the a directive indicates that this record is an SPFv2-style authentication failure report; the mx directive specifies a list of mail exchange servers for a domain.

Qualifiers specify where in your DNS zone you want to place your SPF records: exim4, enduser, or _spf. These qualifiers tell mail receivers where to look for your SPF records when they're checking them against their DNS records.

Mechanisms are used to indicate how you want to handle email addresses that fail your SPF check. You can choose from several mechanisms: all, none, softfail, neutral, or reject.

● all mechanism will accept all emails from senders who have passed your SPF check;

● none will reject everything from senders who have passed your SPF check;

● softfail will accept emails from senders who have failed an SPF check, but mark them as suspicious;

● neutral states that you're neither rejecting nor accepting messages sent from your domain—it's essentially a "no opinion" stance on whether the message should be accepted or rejected;

● reject will reject emails that failed the SPF check.

SPF Record Syntax Qualifiers

The "qualifiers" in an SPF record syntax help to indicate the scope of the SPF record. These are primarily used to indicate whether or not a specific IP address is authorized to send emails on behalf of your domain.

Qualifier | Result Code | Explanation
+ | Pass | The only qualifier with no negative connotation. It indicates that the domain name's security record contains no errors or warnings and is considered secure.
- | Fail | Indicates that the domain name's security record contains errors or warnings that prevent it from being considered secure.
~ | Softfail | Indicates that the domain name's security record contains errors or warnings that do not prevent it from being considered secure, but may indicate problems with DNS resolution or other issues related to DNS trust anchors.
? | Neutral | Indicates that the domain has no SPF record or its record was syntactically correct but did not match any sending servers when checked against one (or more) sending servers in your list of trusted IP addresses for that domain.

SPF Record Syntax Mechanisms

Mechanisms are used in the SPF record syntax to tell the receiving server what kind of authentication mechanism should be used. There are two types of mechanisms:

● the sender can specify a specific set of mechanisms;

● or it can specify that all mechanisms are allowed.

Mechanism | Purpose | Directive Applies When | Implementation
a | Defines the DNS A record of the domain as authorized. If this directive is unspecified, then the current domain is used. | Can be applied when queried for an A or AAAA record in a domain that contains the sender's IP address. | a; a/<prefix-length>; a:<domain>; a:<domain>/<prefix-length>
all | The all directive is always matched, and it defines the policy for all other sources. | This mechanism should always be applied, and this mechanism always matches. | all
exists | Checks whether or not an A record is valid for a given domain. It works by looking at all A records on that domain and seeing if any of them match the criteria set out in your SPF record. | Applies when there is any A record on said domain or if other criteria, according to RFC 7208, were authorized. | exists:<domain>
include | The purpose of this mechanism is to specify the domain and search for a match, as well as to return a permanent error if the domain does not have a valid SPF record. | The "include" mechanism in SPF records can be used to include other SPF records within a domain's record. If a domain does not have an SPF record, but another domain does and that other domain has an IP address that matches the IP address of the sender, then the "include" mechanism will cause the domain with the matching IP address to be used for authorization purposes. | include:<domain>
ip4 | You can specify an IPv4 range with the "ip4" directive, along with a prefix that denotes the length of the range. If no prefix is specified, /32 is assumed. | The "ip4" mechanism will apply if any of these conditions are true: (1) the specified IPv4 address matches that of an IP address in your SPF record; (2) the specified IPv4 subnet contains the sender's IP address. | ip4:<ip4-address>; ip4:<ip4-network>/<prefix-length>
ip6 | You can specify an IPv6 range with the "ip6" directive, along with a prefix that denotes the length of the range. If no prefix is specified, /128 is assumed. | The "ip6" mechanism will apply if any of these conditions are true: (1) the specified IPv6 address matches that of an IP address in your SPF record; (2) the specified IPv6 subnet contains the sender's IP address. | ip6:<ip6-address>; ip6:<ip6-network>/<prefix-length>
mx | The "mx" mechanism, as defined in the SPF record, defines the Domain Name System (DNS) Mail Exchanger (MX) record of a domain as authorized. The DNS MX record determines which server is responsible for accepting email messages on behalf of the domain. The DNS MX record contains an IP address and a priority value for each server that can be used to accept messages. | When an MX record of a domain contains an IP address that matches the sender's IP address, then this indicates that this sender is authorized to send emails on behalf of this domain. | mx; mx/<prefix-length>; mx:<domain>; mx:<domain>/<prefix-length>
ptr | The ptr mechanism uses the reverse hostname or subdomain of the sending IP address to define the target domain name. | Only applies if there is at least one MX record for the queried or specified domain and that MX record contains a PTR record with an FQDN for the sender's IP address. | ptr; ptr:<domain>

SPF Record Syntax Modifiers

In the SPF record syntax, modifiers can be used to change the default behavior of an SPF record. Modifiers may be used to specify exceptions to the rules, or they may be used to provide additional information to the receiver.

Modifier | Purpose | Implementation
exp | The "exp" modifier is a value that specifies an explanation for why a message was rejected. It is intended to help senders avoid certain kinds of issues, and can be used to inform them about the specific reason their message was not accepted by the receiving server. | exp=<domain>
redirect | The redirect modifier is a string that replaces the entire domain name in the SPF record. The purpose of this modifier is to redirect all mail sent to the domain to another server. This may be useful for domains with multiple MX records or for domains that have been re-assigned to another company but are still using the same email addresses. | redirect=<domain>

Example of an SPF record: 
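As an added example that is not part of the original course page, the following Python evaluator applies the qualifier table and the ip4, ip6, a, mx, include, all and redirect terms described above to a sender IP. The DNS data is a constructed in-memory stub (none of these zones are real) so the code runs offline; the a/<prefix-length>, ptr and exists forms are left out.

```python
import ipaddress
# Constructed stand-in for DNS so the example runs offline (these zones are not real).
DNS = {
    "example.com": {"TXT": "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.mailer.example -all",
                    "A": ["192.0.2.10"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["198.51.100.5"]},
    "_spf.mailer.example": {"TXT": "v=spf1 ip6:2001:db8::/32 ~all"},
    "broken.example": {"TXT": "v=spf1 include:missing.example -all"},
}
# Qualifier prefixes from the table above and the result each produces on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _a_records(domain):
    return [ipaddress.ip_address(a) for a in DNS.get(domain, {}).get("A", [])]

def _matches(name, arg, sender, domain, depth):
    """True/False if one mechanism matches the sender, or 'permerror'."""
    if name == "all":
        return True
    if name in ("ip4", "ip6"):   # a missing prefix length means /32 or /128
        return sender in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return sender in _a_records(arg or domain)
    if name == "mx":
        return any(sender in _a_records(mx) for mx in DNS.get(arg or domain, {}).get("MX", []))
    if name == "include":        # the included domain must have a record, else permerror
        result = check_host(str(sender), arg, depth + 1)
        return "permerror" if result in ("none", "permerror") else result == "pass"
    return "permerror"           # ptr, exists and a/<prefix> forms are not modelled here

def check_host(ip, domain, depth=0):
    """Evaluate a sender IP against the SPF record of `domain` (RFC 7208 subset)."""
    if depth > 10:               # RFC 7208 caps DNS-querying terms; also stops include loops
        return "permerror"
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("redirect="):   # redirect= hands evaluation to another record
            return check_host(ip, term.split("=", 1)[1], depth + 1)
        if "=" in term:                    # other modifiers such as exp= never match
            continue
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        hit = _matches(name, arg, sender, domain, depth)
        if hit == "permerror":
            return "permerror"
        if hit:
            return QUALIFIERS[qual]
    return "neutral"                       # no term matched and no redirect given
```

A sender in the ip4 range, the A host, or the MX host of example.com gets "pass"; an IPv6 sender is resolved through the include, and anything else falls through to "-all".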
