What SPF mechanism includes the IP addresses of the sending domain?

Michael Ko
Co-founder & CEO, Suped
Published 16 Feb 2025
Updated 3 Oct 2025
Sender Policy Framework, or SPF, is a critical email authentication standard that helps prevent email spoofing and phishing. It allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. This is achieved by publishing an SPF record as a DNS TXT record for their domain.
The core of SPF's functionality lies in its mechanisms, which are specific rules defining authorized sending sources. When an email server receives an email, it checks the SPF record of the sender's domain to verify that the sending IP address is listed as authorized. Among these mechanisms, several are designed to include or derive the IP addresses of the sending domain. To learn more about how SPF works, check out this simple guide to DMARC, SPF, and DKIM.

Authorizing specific IP addresses directly

The 'ip4' and 'ip6' mechanisms

The most direct way to include the IP addresses of the sending domain is through the ip4 and ip6 mechanisms. These mechanisms explicitly list the IPv4 or IPv6 addresses, or ranges of addresses, that are authorized to send mail for your domain. This provides precise control over which specific IP addresses are permitted.
You can specify individual IP addresses or use CIDR notation to define a range of IPs, for instance, ip4:192.0.2.1 for a single address or ip4:192.0.2.0/24 for a network block. This mechanism is ideal for mail servers you directly control or for dedicated IP addresses used by your email service provider.
Example SPF record with ip4 mechanism:
v=spf1 ip4:192.0.2.1 ip4:198.51.100.0/24 -all

Including IP addresses via 'A' records

Leveraging the 'a' mechanism

The a mechanism is another way to include IP addresses, this time implicitly. It authorizes the sending email server when its IP address matches an A record (or AAAA record for IPv6) published in DNS for the specified hostname. This means if your mail server's hostname has an A record pointing to its IP address, and that hostname is specified in your SPF record, then its IP address is authorized.
For instance, if your domain example.com has an A record for mail.example.com and you include a:mail.example.com in your SPF record, the IP address that mail.example.com resolves to will be authorized. The a mechanism is particularly useful for smaller organizations or those with straightforward mail setups where the email server's hostname is directly associated with the sending domain. It essentially includes the A records of a domain for authorization.

Direct IP authorization ('ip4' and 'ip6')

  1. Explicit Control: You list the exact IP addresses or CIDR ranges.
  2. No DNS Lookups: Recipients do not need to perform additional DNS queries for IP resolution.
  3. Maintenance: Requires manual updates if IP addresses change.

Implicit IP authorization ('a' mechanism)

  1. Dynamic Resolution: IP addresses are derived from the domain's A records at the time of check.
  2. DNS Lookups: Each A record check counts towards the SPF 10-lookup limit.
  3. Ease of Use: Automatically updates if the A record's IP changes.

Using 'MX' records for authorization

Authorizing via 'MX' records

The mx mechanism authorizes all the mail exchangers (MX records) for the current domain to send mail. This is particularly useful if your outbound mail is sent through the same servers that receive your inbound mail. Like the a mechanism, mx implicitly includes IP addresses by performing DNS lookups to find the A records associated with the MX hostnames.
If your domain's MX records point to a mail server like mail.example.org, then any IP address that mail.example.org resolves to will be considered an authorized sender. This is a common setup for organizations managing their own email infrastructure. Remember, each MX record lookup counts towards the 10-DNS-lookup limit for SPF. The Microsoft documentation on setting up SPF provides further details.

Important consideration for 'MX' mechanism

While convenient, relying solely on the mx mechanism can sometimes be problematic. If your outbound mail is sent through a different set of servers than your inbound mail, or if you use third-party email services, you will need to incorporate other mechanisms like ip4, a, or include to authorize those sending sources adequately.

Incorporating third-party senders with 'include'

Delegating authority with 'include'

For organizations using third-party email services like marketing platforms, CRM systems, or transactional email providers, the include mechanism is essential. This mechanism allows you to refer to another domain's SPF record, effectively incorporating its authorized sending IP addresses into your own SPF policy. Your SPF record will then refer to another domain's SPF record for validation.
When an email receiver checks your SPF record and encounters an include mechanism, it will perform a DNS lookup for the SPF record of the specified domain. All IP addresses authorized by that third-party SPF record will then be considered authorized for your domain as well. This is a common and necessary practice for modern email ecosystems, but it's crucial to be aware of the SPF 10-DNS-lookup limit. Exceeding this limit can lead to SPF validation failures. Services like Suped's SPF Flattening can help manage this complexity.
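The sketch below is an added example, not part of the original article or any Suped code: a minimal evaluator showing how a receiver matches a sending IP against ip4, ip6, a, mx and include, and how only the last three consume the 10-lookup budget. The DNS data, domain names and the check_host helper are constructed for illustration; CIDR suffixes on a/mx, redirect and macros are not handled.

```python
import ipaddress

ZONE = {  # constructed DNS data (documentation ranges), so the check runs offline
    "TXT": {
        "example.com": "v=spf1 ip4:192.0.2.1 a:mail.example.com mx include:_spf.esp.example -all",
        "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    },
    "A": {"mail.example.com": ["192.0.2.10"], "mx1.example.com": ["192.0.2.20"]},
    "MX": {"example.com": ["mx1.example.com"]},
}
LOOKUP_LIMIT = 10  # a, mx and include each cost a DNS lookup; ip4 and ip6 cost none
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class PermError(Exception): pass  # evaluation stops with a permanent error

def _resolve(host):
    return {ipaddress.ip_address(a) for a in ZONE["A"].get(host, [])}

def _evaluate(addr, domain, state):
    record = ZONE["TXT"].get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("a", "mx", "include"):
            state["lookups"] += 1
            if state["lookups"] > LOOKUP_LIMIT:
                raise PermError("more than 10 DNS lookups")
        if name in ("ip4", "ip6"):  # explicit address or CIDR range, no DNS needed
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":  # no argument means the current domain
            hit = addr in _resolve(arg or domain)
        elif name == "mx":
            hit = any(addr in _resolve(h) for h in ZONE["MX"].get(arg or domain, []))
        elif name == "include":  # matches only if the included record returns pass
            hit = _evaluate(addr, arg, state) == "pass"
        else:
            hit = name == "all"  # other terms are outside this example and never match
        if hit:
            return RESULTS[qualifier]
    return "neutral"

def check_host(ip, domain):
    """Return (result, dns_lookups_used) for a sending IP and a sender domain."""
    state = {"lookups": 0}
    try:
        return _evaluate(ipaddress.ip_address(ip), domain, state), state["lookups"]
    except PermError:
        return "permerror", state["lookups"]
```

Terms are evaluated left to right, so an address listed under ip4 passes with zero lookups, while one authorized only through the include costs three in this record.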

Best practices for SPF records

Ensuring robust SPF implementation

To ensure your SPF record is effective, it's crucial to accurately identify all legitimate sending sources, whether they use explicit IP addresses (ip4 and ip6), implicit ones (a and mx), or delegated ones (include). Regularly review and update your SPF record to reflect any changes in your email infrastructure or third-party sending services. An outdated SPF record can lead to legitimate emails being flagged as spam or even rejected.
Beyond SPF, implementing DMARC (Domain-based Message Authentication, Reporting, and Conformance) is crucial for comprehensive email security. DMARC builds upon SPF and DKIM to provide reporting and policy enforcement, giving you visibility into how your domain is being used and allowing you to instruct receiving mail servers on how to handle emails that fail authentication. For robust DMARC monitoring and management, Suped offers an intuitive platform with AI-powered recommendations to simplify your email security journey.

Conclusion

Key takeaways for SPF IP authorization

The SPF mechanisms that include the IP addresses of the sending domain are primarily ip4 and ip6 for explicit listings, and a and mx for implicit authorization via DNS records. Additionally, the include mechanism is vital for incorporating third-party senders into your authorized list. Each plays a specific role in defining your domain's sending policy.
Proper configuration of these SPF mechanisms is fundamental to achieving good email deliverability and protecting your domain from unauthorized use. By clearly defining your authorized sending IPs, you strengthen your email security posture and ensure your messages reach their intended recipients without being caught in spam filters or blocklists (blacklists).
