The SPF (Sender Policy Framework) record is a TXT record that defines which mail servers are authorized to send email on behalf of a domain. Its primary purpose is to limit email spoofing, and it is most effective when combined with a DMARC record. An example of an SPF record is the following:
v=spf1 +mx +a +ip4:123.123.123.123 ~all
Let's decipher the string, symbol by symbol, and explain what it means.
- v - This states the version of the SPF record used. The version should always be spf1, as mail exchangers widely recognize this.
- + - This is an attribute, and it stands for "pass all".
- mx - This is a mechanism defined within the record. It enables the mail server to perform a check on the domain's MX record and make sure it matches the sender's IP.
- a - This is another mechanism defined within the SPF. It enables the mail server to perform a check on the domain's A record and make sure it is the same as the sender's IP.
- ip4:<IP> - This is analogous to the above two; however, in this case, the mail server cross-references the IP address given after the "ip4:" mechanism with the sender's IP address.
- ~ - This is another attribute, which stands for "soft fail". This attribute means that the sender will fail SPF verification; however, the email will not be blocked, and instead it is going to be flagged as spam.
- all - This mechanism will match all other addresses that are not covered by the previous mechanisms.
Let's explain what the above record will do, should an email be sent from the domain name that utilizes it.
First, the receiving mail server will do an MX record lookup. If the sending server's IP address matches, that check is satisfied; if not, the next mechanism is checked, and this carries on until all of the mechanisms have been tried. Finally, the "~all" mechanism will cause all the senders whose IP addresses did not match any of the IP addresses defined by the earlier mechanisms to fail SPF verification. In our case, as the "~" attribute or "soft fail" is used, if a sender fails SPF verification, all the messages they send are going to land in the spam folder. If the "-" attribute, meaning "hard fail", is used instead, the message will not be delivered at all.
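The mechanism-by-mechanism walk described above, as an added Python example that is not part of the original text: it parses a record such as the one shown, checks `mx`, `a`, `ip4` and `all` against a sender IP, and returns the result named by the matching mechanism's qualifier. DNS answers come from a constructed in-memory table (`FAKE_DNS`, hypothetical names and addresses) so it runs offline; it also accepts CIDR ranges after `ip4:`, which the record above does not use.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (hypothetical, not a real resolver).
FAKE_DNS = {
    ("example.com", "A"): ["198.51.100.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.20"],
}

# Qualifier prefix -> SPF result; a mechanism with no prefix is treated as "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), [])


def mechanism_matches(mech, domain, sender_ip):
    """Return True if one mechanism (mx, a, ip4:<ip or cidr>, all) covers sender_ip."""
    ip = ipaddress.ip_address(sender_ip)
    if mech == "all":
        return True
    if mech == "a":
        return str(ip) in lookup(domain, "A")
    if mech == "mx":
        # Each MX host's A records are compared with the sender's address.
        return any(str(ip) in lookup(host, "A") for host in lookup(domain, "MX"))
    if mech.startswith("ip4:"):
        return ip in ipaddress.ip_network(mech[4:], strict=False)
    raise ValueError(f"unsupported mechanism: {mech}")


def evaluate_spf(record, domain, sender_ip):
    """Walk the record left to right; the first matching mechanism decides the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term
        if mechanism_matches(mech, domain, sender_ip):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


if __name__ == "__main__":
    rec = "v=spf1 +mx +a +ip4:123.123.123.123 ~all"
    for ip in ("198.51.100.20", "198.51.100.10", "123.123.123.123", "203.0.113.5"):
        print(ip, "->", evaluate_spf(rec, "example.com", ip))
```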