SPF Syntax
The format of an SPF record is as follows:
v=spf1 [mechanisms] [qualifiers]
A qualifier is written as a single-character prefix on the mechanism it applies to (for example, -all). Each part is discussed below.
v=spf1
The v=spf1 tag indicates the version and the protocol of the SPF record. There is only one version of SPF, so this tag is always spf1.
Mechanisms
The mechanisms are the rules that define how to match the sender's IP address or host with the SPF policy. There are several types of mechanisms:
| Tag | Description |
|---|---|
| a | Matches the sender's IP address with the domain's A or AAAA records. |
| mx | Matches the sender's IP address with the domain's MX records. |
| ip4 | Matches the sender's IPv4 address with a specific range. |
| ip6 | Matches the sender's IPv6 address with a specific range. |
| include | Includes the SPF policy of another domain. |
Qualifiers
The qualifiers are the actions that indicate how the receiver should handle the emails that match or do not match the mechanisms. There are four types of qualifiers:
| Tag | Description |
|---|---|
| + | Pass, the email is accepted (NOT RECOMMENDED). |
| ? | Neutral, the email is neither accepted nor rejected (NOT RECOMMENDED). |
| - | Fail, the email is rejected. |
| ~ | Softfail, the email is accepted but marked as suspicious. |
Choosing the Right SPF Qualifier
The choice of SPF qualifier depends on the domain owner's preference and risk tolerance. Generally, it is recommended to use the Hard Fail (-) qualifier for domains that send critical or sensitive emails, such as financial or legal services. This way, the domain owner can ensure that only authorized servers can send email on their behalf, and that any spoofed emails are rejected by the recipient server. However, the domain owner should also make sure that their SPF record is accurate and up-to-date, and that they include all the legitimate sources of email for their domain, such as web hosts, email providers, third-party services, etc. Otherwise, they may risk losing some valid emails that fail the SPF check.
On the other hand, the Soft Fail (~) qualifier may be a good option for domains that send less critical or less sensitive emails, such as newsletters, marketing, or social media. This way, the domain owner can still indicate their preference for authorized servers, but also allow some flexibility for the recipient server to decide how to handle the email. This can reduce the chances of losing valid emails that fail the SPF check, but it can also increase the chances of receiving spoofed emails that pass the SPF check.
The Neutral (?) and Allow all (+) qualifiers are not recommended for any domain, as they do not provide any benefit or protection against email spoofing and phishing attacks. They essentially disable the SPF mechanism and allow any server to send email on behalf of the domain. This can harm the domain's reputation and deliverability, as well as expose the domain's users to malicious emails.
Example
An example of a simple SPF record is:
v=spf1 mx -all
This means that only the IP addresses found in the A records of the domain's MX hosts are allowed to send email on behalf of the domain (the mx mechanism carries the implicit + qualifier). The all mechanism matches every remaining address, and its - qualifier returns Fail, so any other IP address is rejected.
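To make the syntax above concrete, here is a small added example (not code from this page or from any SPF library) that parses a record into qualifier/mechanism/argument terms and evaluates a sender IP against it. The a, mx and include mechanisms normally require DNS queries; this example replaces DNS with a constructed in-memory zone table (FAKE_DNS, holding the documentation addresses 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32) so it runs offline. It covers the record v=spf1 mx -all discussed above as well as ip4, ip6 and include, and it shows how a missing qualifier defaults to +, how include only matches when the referenced policy returns pass, and how the trailing -all turns every unmatched address into Fail. Prefix lengths on a and mx (a/24) and the redirect modifier are left out.

```python
import ipaddress

# Constructed stand-in for DNS: hypothetical zone data, not real lookups.
FAKE_DNS = {
    "example.com": {
        "TXT": "v=spf1 mx ip4:192.0.2.0/24 include:_spf.mail.example -all",
        "A": ["198.51.100.10"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.mail.example": {"TXT": "v=spf1 ip6:2001:db8::/32 ~all"},
}

# Qualifier prefix -> SPF result returned when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # e.g. "ip4:192.0.2.0/24"
        terms.append((qualifier, name.lower(), arg))
    return terms


def _records(name, rrtype, dns):
    return dns.get(name, {}).get(rrtype, [])


def check_host(ip, domain, dns, depth=0):
    """Evaluate sender IP against the domain's SPF record; return an SPF result string."""
    if depth > 10:                           # guard against include loops
        return "permerror"
    record = dns.get(domain, {}).get("TXT")
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_record(record):
        target = arg or domain               # "a" and "mx" default to the current domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "a":
            matched = any(ip == ipaddress.ip_address(a)
                          for a in _records(target, "A", dns))
        elif mech == "mx":
            matched = any(ip == ipaddress.ip_address(a)
                          for mx in _records(target, "MX", dns)
                          for a in _records(mx, "A", dns))
        elif mech == "include":
            # include matches only when the referenced policy itself returns pass
            matched = check_host(str(ip), arg, dns, depth + 1) == "pass"
        else:
            return "permerror"               # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term present


if __name__ == "__main__":
    for sender in ("198.51.100.25", "192.0.2.77", "2001:db8::1", "198.51.100.10"):
        print(sender, "->", check_host(sender, "example.com", FAKE_DNS))
```

Note that 198.51.100.10 is example.com's own A record yet still gets Fail, because the record lists mx but not a; this is the kind of omission the "accurate and up-to-date" advice above is about, and a softfail (~all) policy would have turned that rejection into a flagged delivery instead.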
Related Topics
- What is SPF? - Introduction to SPF and its purpose
- How Does SPF Work? - Technical details about SPF operation
- Why is SPF Important? - Benefits and significance of SPF
- Limitations of SPF - Current constraints and challenges
- SPF Redirect - Using the redirect modifier
- SPF Settings - Configure SPF Settings