This article explains what Sender Policy Framework (SPF) is, how it works, and how SPF records are structured. It includes detailed explanations of SPF mechanisms, modifiers, evaluation logic, and example policies.
Quick Tips
The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery. The current version, SPFv1 or SPF Classic, protects the envelope sender address used during mail delivery.
SPF specifically limits DNS lookups during evaluation. SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including lookups caused by the include mechanism or the redirect modifier.
If this number is exceeded during a check, a PermError MUST be returned.
The following mechanisms (and the redirect modifier) each count against this limit:
- include
- a
- mx
- ptr
- exists
- redirect
The following mechanisms do not require DNS lookups and do not count against this limit:
- all
- ip4
- ip6
Sender Addresses in E-Mails
Email messages carry two sender addresses: one on the envelope and one in the message header. The envelope sender address, sometimes called the return path, is used during transport between mail servers and is usually not displayed to the user.
The header sender address appears in the From or Sender header and is the one users see. Mail servers typically evaluate the envelope sender address during SPF validation.
SPFv1 allows the owner of a domain to specify which mail servers are authorized to send mail from that domain. The domain owner publishes this policy in an SPF record in DNS. When a receiving mail server processes a message claiming to originate from that domain, it can verify whether the sending server complies with the published policy.
An Example Policy
Example SPF record:
example.net. TXT "v=spf1 mx a:pluto.example.net include:aspmx.googlemail.com -all"
The parts of the SPF record mean:
- v=spf1 indicates SPF version 1
- mx authorizes the domain’s MX servers to send mail
- a:pluto.example.net authorizes that specific host
- include:aspmx.googlemail.com authorizes the servers listed in the SPF record of aspmx.googlemail.com (Gmail's outbound servers)
- -all specifies that all other servers are not authorized
This example demonstrates only part of SPF's capabilities and should not be used directly without careful testing. If the record is misconfigured, legitimate messages may be rejected.
Receiver-Side Checking
SPF policies are enforced by receiving mail servers. Most modern mail servers support SPF checking either natively or through extensions.
SPF Record Syntax
Mechanisms
Mechanisms can be prefixed with one of four qualifiers:
- "+" Pass
- "-" Fail
- "~" SoftFail
- "?" Neutral
If a mechanism results in a match, its qualifier value is used. The default qualifier is "+", which means Pass.
- "v=spf1 -all"
- "v=spf1 a -all"
- "v=spf1 a mx -all"
- "v=spf1 +a +mx -all"
Mechanisms are evaluated in order. If no mechanism or modifier matches, the default result is Neutral.
If a domain has no SPF record, the result is None. If there is a temporary DNS processing issue, the result is TempError. If there is a syntax or evaluation error, the result is PermError.
Evaluation Results
- Pass: The SPF record designates the host as allowed to send. Accept.
- Fail: The SPF record designates the host as not allowed to send. Reject.
- SoftFail: The SPF record designates the host as not allowed to send, but the domain is in transition. Accept but mark.
- Neutral: Nothing can be said about validity. Accept.
- None: No SPF record exists. Accept.
- PermError: Permanent error, such as a badly formatted SPF record.
- TempError: Transient DNS error.
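The evaluation logic above (qualifiers, in-order matching, the Neutral default, and the 10-lookup PermError from the Quick Tips) can be exercised offline. The following is an added example, not code from the original article: a simplified SPFv1 evaluator that resolves include and redirect against a constructed in-memory table (FAKE_DNS, with made-up records and documentation-range addresses) instead of real DNS, and counts a, mx, ptr and exists toward the lookup limit without resolving them.

```python
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups (sample data, not real records).
FAKE_DNS = {
    "example.net": "v=spf1 mx a:pluto.example.net include:aspmx.googlemail.com -all",
    "aspmx.googlemail.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # count toward the limit
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=]([^/]+))?(?:/(\d+))?$", re.I)

def check_spf(domain, ip, dns=FAKE_DNS, budget=None):
    """Simplified SPFv1 check of `ip` sending as `domain`; returns (result, lookups used).
    ip4/ip6/all/include/redirect are evaluated offline; a/mx/ptr/exists are only
    counted against the lookup limit and treated as non-matching."""
    budget = [0] if budget is None else budget  # one counter shared across include/redirect
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "None", budget[0]  # no SPF record published for this domain
    addr, redirect = ipaddress.ip_address(ip), None
    for term in record.split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)  # default +
        m = TERM_RE.match(term)
        if not m:
            return "PermError", budget[0]  # unparseable term is a syntax error
        name, arg, cidr = m.group(1).lower(), m.group(2), m.group(3)
        if name in LOOKUP_TERMS:
            budget[0] += 1
            if budget[0] > MAX_LOOKUPS:  # more than 10 DNS lookups is a PermError
                return "PermError", budget[0]
        if name == "all":
            return QUALIFIERS[qual], budget[0]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(f"{arg}/{cidr}" if cidr else arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual], budget[0]
        elif name == "include":
            sub, _ = check_spf(arg, ip, dns, budget)
            if sub == "Pass":
                return QUALIFIERS[qual], budget[0]
            if sub in ("None", "PermError", "TempError"):  # missing included record is PermError
                return ("PermError" if sub == "None" else sub), budget[0]
        elif name == "redirect":
            redirect = arg  # applied only if no mechanism matched
    if redirect:
        sub, used = check_spf(redirect, ip, dns, budget)
        return ("PermError" if sub == "None" else sub), used
    return "Neutral", budget[0]  # nothing matched and no redirect
```

Running check_spf("loop.example", "198.51.100.9") shows the lookup limit in action: the self-include would recurse forever, but the shared counter turns it into PermError after the eleventh lookup.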
The "all" Mechanism
- "v=spf1 mx -all"
- "v=spf1 -all"
- "v=spf1 +all"
The "ip4" Mechanism
"v=spf1 ip4:192.168.0.1/16 -all"
The "ip6" Mechanism
"v=spf1 ip6:1080::8:800:200C:417A/96 -all"
The "a" Mechanism
- "v=spf1 a -all"
- "v=spf1 a:example.com -all"
- "v=spf1 a:mailers.example.com -all"
- "v=spf1 a/24 a:offsite.example.com/24 -all"
The "mx" Mechanism
- "v=spf1 mx mx:deferrals.domain.com -all"
- "v=spf1 mx/24 mx:offsite.domain.com/24 -all"
The "ptr" Mechanism
- "v=spf1 ptr -all"
- "v=spf1 ptr:otherdomain.com -all"
The "exists" Mechanism
"v=spf1 exists:example.com -all"
The "include" Mechanism
- "v=spf1 include:example.com -all"
- "v=spf1 ?include:example.com -all"
Modifiers
The "redirect" Modifier
"v=spf1 redirect=example.com"
The "exp" Modifier
The exp modifier allows a domain to provide a custom explanation message if a message is rejected.
SPF Lookup Tools
Online SPF lookup tools break an SPF record down term by term and show how many DNS lookups it uses, so you can confirm it stays within the limit of 10.
Verification
dig example.com TXT
Confirm that the returned TXT record matches the SPF policy exactly as configured.