SPF Records

The fastest and easiest way to improve email delivery and prevent sender address forgery is to use a DNS TXT record to publish who is allowed to send emails and from which server the emails are allowed to originate.  This is the Sender Policy Framework, or SPF.

The receiving email server uses this record to determine whether an email was sent from an allowed source.  This check will decrease the "blowback" of failed-email notifications that a domain owner receives when the "from" address field has been forged by a spammer.

Example SPF Record

The DNS TXT records for this website can be identified using the command:

# dig jaroker.com TXT

This gives the result:

v=spf1 +include:websitewelcome.com +ip4:184.172.176.32 +a -all

The modifiers "+" means "allow" and "-" means fail the email validation.  For my domain, I want to allow email from all DNS A records.  For example, the website http://qa.jaroker.com is a staging environment that mirrors this public website.  The "qa" server be should be able to send test emails.

The "+ip4" and "+include" directives are specific to hostgator.com, the provider of a shared server I use for some purposes such as email.  The "websitewelcome.com" domain is hostgator's mail relay through which their emails are sent.  If I didn't include websitewelcome.com in the SPF record, the SPF framework would prevent my emails from being sent via my hostgator account.

SPF records are evaluated from left to right.  To minimize delays, I put the most-likely origination servers first.

Special Consideration for Blackberry Devices

Some of my messages are sent via Blackberry and one would think to add Blackberry's email servers to the SPF record.  Many online blogs recommend doing this, but it is unnecessary because Blackberry sends email from their own SMTP email servers.

If you look at the header of a Blackberry message, you will see that Blackberry has masked the sender's email in the message's "From" field.  SPF only checks this "MAIL FROM" field to validate the message.

The Blackberry phone unmasks the From field to show the correct email address of the sender.  Even more clever is Blackberry's synchronization of this sent email to the "Sent" folder on the sender's IMAP email server.

Blackberry's approach allows it to use its own SPF record, eliminating the need for me to add Blackberry's email servers to my own SPF record.

External Resources

Sender Policy Framework Project Home
Open source project defining the SPF framework.
DMARC Group and Specifications
Official website behind the DMARC specification
September 26th, 2012 Posted by Jon Jaroker Filed in: Domain TXT Records

Be the first to comment. Leave a comment

Your email address will not be published. Required fields are marked *