Sender Policy Framework (SPF)
SPF (Sender Policy Framework) is an E-Mail domain authentication method, designed to protect E-Mail sender domains (RFC5321.MailFrom) from forgery (spoofing). SPF is defined as a "proposed standard" in RFC 7208. SPF is required for DMARC and it's the base for SenderID.
Functionality
An SPF record is a [DNS] TXT record that defines which IPs are allowed to send with the domain in question. An example of a very simple SPF record is:
example.com descriptive text "v=spf1 ip4:1.2.3.4 ip4:4.3.2.0/24 -all"
In this example, the domain "example.com" is strictly and only allowed to send from IP 1.2.3.4 or from the CIDR network 4.3.2.0/24 (4.3.2.1 - 4.3.2.254). This example-record consists of 3 parts:
- Version (v=spf1)
- Method (ip4:1.2.3.4 ip4:4.3.2.0/24)
- Policy qualifier (-all)
Version
Since SenderID is deprecated, there is only one SPF version: spf1.
Method
SPF offers 8 mechanisms. The following 6 are the most important:
| Switch | Example | Description |
|---|---|---|
| IP4 | ip4:4.3.2.0/24 |
Includes IPv4 addresses. |
| IP6 | ip6:2001:db8:a::123/64 |
Includes IPv6 addresses. |
| INCLUDE | include:subdomain.example.com |
Include the results of the SPF record of another domain. |
| A | A |
Matches the domain's A-record. |
| MX | MX |
Matches all IPs in the domain's MX-record. |
| PTR | PTR |
Matches only if the reverse DNS (PTR) for the client's address is in the domain in question and the PTR record resolves back to the domain's A or AAAA record. Should be avoided! |
Policy qualifier
The policy qualifier defines what to do when all previous methods fail. The following qualifiers are available:
| Switch | Name |
|---|---|
| +all | PASS |
| ?all | NEUTRAL |
| ~all | SOFTFAIL |
| -all | FAIL |
Forwarding an E-Mail with the RFC5321.MailFrom unchanged, but from a different IP, breaks SPF authentication. For this reason ~all is sometimes preferred over -all.
Alignment
Main article: Alignment