Executive Summary
This document outlines the process for implementing a strict Sender Policy Framework (SPF) record for domain email authentication. SPF is an email authentication technique that mitigates spam and phishing by letting a receiving server verify that the connecting mail server is authorized to send mail for the envelope sender (MAIL FROM) domain, using a policy the domain owner publishes in DNS.
Quick Guide
- Create List of Authorized Email Servers:
- Compile a list of every server and service that sends mail with your domain as the envelope sender (MAIL FROM), since that is the identity SPF checks.
- Formulate SPF Record:
- Construct a strict SPF record that lists every authorized sending IP range and provider include and ends with a -all policy.
- Publish SPF Record:
- Add the SPF record to your domain's DNS as a TXT record at the domain name itself (the zone apex, or the subdomain the record covers).
Example:
- Validate SPF Record:
- Use a validation tool such as MXToolbox or the Google Admin Toolbox to confirm that the published record resolves and parses, then send a test message from each authorized source and confirm it passes.
Notes:
- For domains that do not send email (e.g., parked domains), set the record to "v=spf1 -all" so that every sender is treated as unauthorized. The qualifier must be a plain ASCII hyphen; a typographic dash makes the record invalid and receivers will ignore it.
- Otherwise, list the IP addresses or CIDR ranges authorized to send mail. For example, "v=spf1 ip4:1.2.3.4 ip4:5.6.7.8 -all" treats every sender as unauthorized unless its IP is in the list; use ip6: for IPv6 sources.
- A third-party provider can be authorized with an include: mechanism, which pulls in that provider's own SPF record. For example, if you only send email from Google Workspace, authorize it with "v=spf1 include:_spf.google.com -all". Each include: costs one of the ten DNS lookups a record is allowed, and the lookups inside the included record count as well.
For more information on SPF syntax: https://datatracker.ietf.org/doc/html/rfc7208#section-5
Full Technical Instructions
Identification of Sending Sources
- Catalog all internal and external email sending sources, including owned mail servers, third-party email services (e.g., Google Workspace, Mailgun), and any automated notification systems (monitoring, ticketing, CRM). For each one, record the sending IP ranges or the provider's documented include: domain, and confirm it actually uses your domain as the envelope sender.
Creation of the SPF Record
- Construct an SPF record starting with v=spf1, followed by one mechanism (ip4:, ip6:, include:) for each authorized sender, and conclude with -all so that any source not listed produces a Fail result.
Example:
Deployment of the SPF Record
- Access your DNS management interface.
- Add a new TXT record with the SPF string.
- For the Name/Host field, use @ (the zone apex) or the exact domain or subdomain the record is for; an SPF record does not cover subdomains automatically, so each subdomain that sends mail needs its own record.
- Paste the SPF string in the Value/Text field.
- Set the TTL as advised, typically 3600 seconds.
Verification and Monitoring
- Utilize SPF validation tools (e.g., MXToolbox, Google Admin Toolbox) to confirm the record resolves, parses, and stays within the DNS lookup limit.
- Regularly monitor email deliverability and SPF results, for example from DMARC aggregate reports, which list SPF pass/fail per sending IP, to identify unauthorized sending attempts and legitimate sources that still need to be added.
Recommendations and Best Practices
- Strict Policy Enforcement:
- Use -all so that mail from any source not in the record gets a Fail result; receivers typically reject or quarantine such mail, so confirm every legitimate source is listed before switching from ~all to -all.
- Limit Includes:
- Minimize include: mechanisms to essential services. A record may trigger at most ten DNS lookups per evaluation (include:, a, mx, ptr, exists and redirect= all count, recursively), and exceeding the limit yields a PermError, which receivers treat as having no valid SPF record at all.
- Dynamic Update Strategy:
- Periodically review and promptly update the SPF record to reflect changes in email sending practices or service providers.
- Comprehensive Email Security:
- Augment SPF with DKIM and DMARC for a robust email authentication framework. SPF only checks the envelope sender and breaks on forwarding; DKIM signs the message itself, and DMARC ties both to the visible From header and gives you reporting, addressing attack vectors SPF alone cannot and enhancing domain reputation.
- Testing Before Implementation:
- Prior to finalizing changes, employ SPF testing tools to validate record syntax and prevent potential disruptions in email delivery.
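The record-construction steps in the Notes and in Creation of the SPF Record, together with the lookup-limit point under Limit Includes, as one added Python example (my code, not the article's): it builds a strict record from a list of authorized sources, lints it offline against the RFC 7208 rules the text cites, and evaluates a sender IP against the literal ip4:/ip6: terms. The sample ranges (192.0.2.0/24 and 2001:db8::/32, documentation address space) and the .example include names are constructed; _spf.google.com is the provider include the article itself uses. Because resolving include:, a, mx, exists and redirect= needs DNS, the linter counts only the lookup terms present in the record (the real total also includes the lookups inside each included record), and the matcher reports "needs-dns" when a decision would depend on one of them.

```python
"""Offline SPF record builder, linter and sender-IP matcher (added example)."""
import ipaddress
import re

# Mechanisms whose evaluation costs a DNS query (RFC 7208 section 4.6.4),
# plus the redirect= modifier, which costs one as well.
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
DNS_LOOKUP_TERMS = DNS_MECHANISMS | {"redirect"}
MAX_DNS_LOOKUPS = 10
MAX_TXT_STRING = 255  # octets per TXT string, RFC 7208 section 3.3
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# qualifier, term name, separator (":" argument, "=" modifier, "/" CIDR), value
TERM_RE = re.compile(r"^([+\-~?])?([A-Za-z0-9]+)(?:([:=/])(.*))?$")


def parse_spf(record):
    """Return the record's terms as (qualifier, name, separator, value) tuples."""
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"unparseable term {tok!r}")
        qual, name, sep, value = m.groups()
        terms.append((qual or "+", name.lower(), sep, value))
    return terms


def build_spf(ip4=(), ip6=(), includes=()):
    """Assemble a strict record: every authorized source, then -all."""
    terms = ["v=spf1"]
    for net in ip4:
        if ipaddress.ip_network(net, strict=False).version != 4:
            raise ValueError(f"{net} is not an IPv4 address or range")
        terms.append(f"ip4:{net}")
    for net in ip6:
        if ipaddress.ip_network(net, strict=False).version != 6:
            raise ValueError(f"{net} is not an IPv6 address or range")
        terms.append(f"ip6:{net}")
    terms += [f"include:{domain}" for domain in includes]
    terms.append("-all")
    return " ".join(terms)


def lint_spf(record):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    terms = parse_spf(record)
    lookups = 0
    all_index = None
    for i, (qual, name, sep, value) in enumerate(terms):
        if name in DNS_LOOKUP_TERMS:
            lookups += 1  # top-level count only; included records add their own
        if name == "ptr":
            findings.append("ptr is deprecated (RFC 7208 section 5.5); remove it")
        if name in ("ip4", "ip6"):
            try:
                version = ipaddress.ip_network(value or "", strict=False).version
            except ValueError:
                findings.append(f"{name} has an invalid address: {value!r}")
                continue
            if version != int(name[2]):
                findings.append(f"{name}:{value} is not an IPv{name[2]} address")
        if name == "all":
            all_index = i
            if qual != "-":
                findings.append(f"terminal mechanism is {qual}all; use -all so unlisted senders get Fail")
    if all_index is None:
        if not any(t[1] == "redirect" for t in terms):
            findings.append("no 'all' mechanism: unlisted senders get Neutral instead of Fail")
    elif all_index != len(terms) - 1:
        findings.append("terms after 'all' are never evaluated")
    if lookups > MAX_DNS_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_DNS_LOOKUPS}; receivers return PermError")
    if len(record) > MAX_TXT_STRING:
        findings.append(f"record is {len(record)} octets; publish it as several TXT strings of at most {MAX_TXT_STRING}")
    return findings


def check_sender(record, sender_ip):
    """Evaluate sender_ip against the literal ip4:/ip6: terms, in record order.

    Returns pass/fail/softfail/neutral when an ip4:/ip6: term or 'all' decides,
    or 'needs-dns' when a term that requires a DNS query is reached first.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = parse_spf(record)
    for qual, name, sep, value in terms:
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIER_RESULT[qual]
        elif name == "all":
            return QUALIFIER_RESULT[qual]  # redirect= is ignored once 'all' is hit
        elif name in DNS_MECHANISMS:
            return "needs-dns"
    # No mechanism matched: only now is a redirect= modifier consulted.
    if any(t[1] == "redirect" for t in terms):
        return "needs-dns"
    return "neutral"  # RFC 7208 section 4.7: default result with no 'all'


if __name__ == "__main__":
    record = build_spf(ip4=["192.0.2.0/24"], ip6=["2001:db8::/32"], includes=["_spf.google.com"])
    print(record, lint_spf(record), check_sender(record, "192.0.2.77"))
```

Run lint_spf on the candidate record before publishing and again after each change; a finding about the lookup limit or a non-terminal all is exactly the kind of silent breakage that turns a strict policy into no policy.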