Yes, absolutely. The Sender Policy Framework (SPF) specification explicitly allows for the use of Classless Inter-Domain Routing (CIDR) notation in both its ip4 and ip6 mechanisms. This is a crucial feature for anyone managing email authentication for their domain, as it provides a concise way to authorize entire ranges of IP addresses that are permitted to send email on your behalf.
Instead of listing dozens or even hundreds of individual IP addresses, you can use a single CIDR range to cover them all. This not only simplifies your SPF record but also helps you stay within the protocol's limits. Let's explore how it works.
First, a quick refresher. An SPF record is a DNS TXT record that lists authorized mail servers for a domain. Within this record, you use different 'mechanisms' to define which servers are authorized. The ip4 and ip6 mechanisms are the most direct way to do this; they authorize specific IP addresses or networks.
CIDR notation is what allows you to specify those address ranges. It consists of an IP address followed by a slash and a number, like 192.168.1.0/24. The number after the slash indicates how many bits of the IP address are fixed, defining the size of the network. This is far more efficient than listing every single IP address in that range.
Using CIDR notation in your SPF record is straightforward. You simply add the IP network and prefix length to the appropriate mechanism. Here are a few examples of what this looks like in practice:
The primary benefit is efficiency. Many email service providers assign their customers a range of IP addresses for sending mail. Without CIDR notation, you would have to list every single IP address separately. This would make your SPF record long, difficult to read, and more prone to errors. It also helps in avoiding the 10 DNS lookup limit imposed by SPF, since ip4 and ip6 mechanisms do not count toward this limit.
While powerful, using CIDR notation requires care. A simple mistake can either invalidate your record or, worse, authorize a much broader range of IPs than intended, creating a security gap. Here are some key things to keep in mind:
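As an added example serving both the usage described above and the pitfalls it warns about (code written for this answer, not from the SPF specification or any particular library), the following Python parses the ip4/ip6 terms of an SPF record with the standard ipaddress module, applies the default prefix lengths (/32 and /128) when none is given, checks whether a sending address matches, counts DNS-lookup terms against the limit of 10, and flags ranges broader than a threshold you pick. The record, addresses and thresholds are constructed samples, and masking off host bits in a network term is an assumption about verifier behaviour.

```python
import ipaddress

# Terms that cost a DNS lookup under SPF's limit of 10 (ip4/ip6 do not).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def parse_spf(record):
    """Return (networks, lookups): networks is a list of (qualifier, ip_network)
    built from ip4/ip6 terms; lookups counts the DNS-querying terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks, lookups = [], 0
    for term in terms[1:]:
        qualifier = "+"                      # SPF default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.partition("=")[0].lower()  # also handles redirect=domain
        if name in ("ip4", "ip6"):
            # A missing prefix length means /32 (ip4) or /128 (ip6).
            # strict=False masks off host bits (assumption: common verifier behaviour).
            net = ipaddress.ip_network(value, strict=False)
            if (name == "ip4") != (net.version == 4):
                raise ValueError(f"{name} used with the wrong address family: {value}")
            networks.append((qualifier, net))
        elif name in LOOKUP_TERMS:
            lookups += 1
    return networks, lookups

def check_sender(record, sender_ip):
    """Return the qualifier of the first ip4/ip6 term matching sender_ip, or None."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, net in parse_spf(record)[0]:
        if ip.version == net.version and ip in net:
            return qualifier
    return None

def lint_ranges(record, min_prefix_v4=24, min_prefix_v6=32):
    """Warn about permissive ranges wider than the chosen thresholds (constructed
    defaults) and about exceeding the DNS-lookup budget; returns warning strings."""
    networks, lookups = parse_spf(record)
    warnings = []
    for qualifier, net in networks:
        limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if qualifier in "+?" and net.prefixlen < limit:
            warnings.append(f"ip{net.version}:{net} authorizes {net.num_addresses} addresses")
    if lookups > 10:
        warnings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return warnings
```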