Blog of Raivo Laanemets

Software development and personal stories.

SPF records

On 2014-02-28

SPF (Sender Policy Framework) records are DNS records that let a receiving mail server validate the sender. They are supposed to cut down on spam and forgery by catching spoofed sender addresses. Note what SPF actually checks: the envelope sender (the SMTP MAIL FROM address, which ends up in the Return-Path header) and the HELO hostname, not the From or Reply-To headers that a mail client displays. With SPF, when you receive mail from someone@example.com, you can check whether the mail server that connected to you is allowed to send mail for the example.com domain or not. The SPF check is completely optional on the receiving mail server. Some large mail providers (Gmail) have implemented SPF and will (sometimes) reject the message when SPF is not configured, or not configured correctly, for the domain. For example, Google can reject mail with the reply:

Recipient address rejected: Spf check: fail

I run my own mail server on a VPS and got hit with this problem. Adding an SPF record is not hard. The hard part is figuring out the right configuration. The syntax is described here. I have chosen the following configuration:

v=spf1 a -all

This means:

  • a - the connecting server passes if its IP address is one of the A or AAAA records (the IPv4 and IPv6 addresses) of the domain being checked, here infdot.com itself.
  • -all - every other sender gets a hard fail, so a receiver that enforces SPF should reject the mail.

I have added it as a TXT record because my zone provider (Linode) does not support adding SPF records directly. Using a TXT record works, and it is in fact the right choice: receivers look for the policy in TXT records, and the dedicated SPF record type (type 99) was deprecated by the current SPF specification, RFC 7208. You can check out my record on infdot.com by using the dig utility (Linux and OS X):

$ dig infdot.com txt

; <<>> DiG 9.9.3-P2 <<>> infdot.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22621
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;infdot.com.                    IN      TXT

;; ANSWER SECTION:
infdot.com.             21596   IN      TXT     "v=spf1 a -all"

;; Query time: 53 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Feb 28 10:02:49 EET 2014
;; MSG SIZE  rcvd: 65

This configuration works for me because all my outgoing mail comes from a single machine, and that machine's address is the A record of infdot.com. It will NOT work for mail redirection (forwarding): a forwarder delivers the mail from its own IP address while keeping my domain in the envelope sender, so the receiver sees an address that is not in my A records, and -all turns that into a hard fail (unless the actual forwarding machine is listed in the A records). Forwarders solve this with SRS (Sender Rewriting Scheme), which rewrites the envelope sender to the forwarder's own domain before relaying. For the same reason it does NOT work when a desktop mail client like Thunderbird or KMail sends mail directly from your personal machine; the fix there is not SRS but authenticated SMTP submission through your own mail server (port 587), so that the host listed in the record is the one that connects to the recipient. If your mail server does not share the domain's A record, list it explicitly with a:mail.example.com or use the mx mechanism instead of a bare a.
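To make the meaning of "v=spf1 a -all" and the forwarding failure mode concrete, here is a small SPF evaluator. It is an added example for this post, not code from the original article and not a real SPF library. It applies the same decision a receiving server makes: walk the mechanisms left to right, and the first one that matches the connecting IP decides the result with its qualifier (+ pass, - fail, ~ softfail, ? neutral). DNS answers are replaced with a constructed in-memory table that uses documentation address ranges, so every address, the example.org policy, the alias.example domain and the forwarding host are hypothetical and not infdot.com's actual data. The forwarding case is included: a relay whose address is not in the domain's A records gets a hard fail under -all and a softfail under ~all.

```python
"""Minimal SPF evaluator (added example, not from the original post).

DNS is replaced by a constructed in-memory table so the script runs offline.
Supported: a, mx, ip4, ip6, include, all, redirect=.  Not implemented:
CIDR suffixes on a/mx, the exists/ptr mechanisms and macros.
"""
import ipaddress

# Constructed zone data standing in for real DNS answers (hypothetical values).
DNS = {
    "infdot.com": {
        "TXT": ["v=spf1 a -all"],            # the record from the post
        "A": ["203.0.113.10"],
        "AAAA": ["2001:db8::10"],
    },
    "example.org": {                          # hypothetical multi-mechanism policy
        "TXT": ["v=spf1 mx ip4:198.51.100.0/24 include:infdot.com ~all"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["198.51.100.25"]},
    "alias.example": {"TXT": ["v=spf1 redirect=infdot.com"]},
    "forwarder.example.net": {"A": ["192.0.2.7"]},  # hypothetical forwarding host
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on lookup-causing terms per evaluation
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def addresses_of(name):
    """All A and AAAA addresses of a name, as ipaddress objects."""
    return [ipaddress.ip_address(a) for a in lookup(name, "A") + lookup(name, "AAAA")]


def check_spf(client_ip, domain, _lookups=None):
    """Evaluate the SPF policy of `domain` for a connection from `client_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    lookups = _lookups if _lookups is not None else [0]
    ip = ipaddress.ip_address(client_ip)

    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"          # no policy published
    if len(records) > 1:
        return "permerror"     # two SPF records is a configuration error

    redirect = None
    for term in records[0].split()[1:]:          # skip the "v=spf1" version tag
        if term.lower().startswith("redirect="):
            redirect = term[len("redirect="):]   # only used if nothing else matches
            continue
        if "=" in term:
            continue                             # other modifiers (exp=) are ignored

        qualifier = "+"                          # a bare mechanism means "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        mechanism = mechanism.lower()

        if mechanism == "all":
            matched = True
        elif mechanism in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain               # bare "a" / "mx" refer to the domain itself
            if mechanism == "a":
                matched = ip in addresses_of(target)
            elif mechanism == "mx":
                matched = any(ip in addresses_of(mx) for mx in lookup(target, "MX"))
            else:
                # include: only a "pass" from the included policy counts as a match
                matched = check_spf(ip, target, lookups) == "pass"
        elif mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == network.version and ip in network
        else:
            return "permerror"                   # exists/ptr/macros not implemented here

        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]

    if redirect:
        lookups[0] += 1
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        result = check_spf(ip, redirect, lookups)
        return "permerror" if result == "none" else result
    return "neutral"  # record exhausted without a match and without an "all"


if __name__ == "__main__":
    for client_ip, sender_domain in [
        ("203.0.113.10", "infdot.com"),   # the server itself
        ("192.0.2.7", "infdot.com"),      # a forwarder relaying infdot.com mail
        ("192.0.2.7", "example.org"),     # same forwarder under a ~all policy
    ]:
        print(f"{client_ip:>14}  {sender_domain:<12} -> {check_spf(client_ip, sender_domain)}")
```

Run it with python3; the output shows the server's own address passing and the forwarder failing with -all and softfailing with ~all. The include handling is the subtle part: an included policy only contributes a match when it returns pass, so a -all inside an included record does not fail the outer evaluation.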

You can test your mail server/provider by sending a mail to spf-test@openspf.net (described here). Currently it seems to be down.