Explanation of SPF records. And should I have one?

Andrew Davis, Manager
SPF = Sender Policy Framework. This is basically a file that can be published with your DNS (Domain Name Service) records. These are the records on the internet that tell everyone else who YourDomain.com.au is. (E.g. when an email is sent to someone@yourdomain.com.au, the sending server needs to look up the IP address of the mail server for yourdomain.com.au to know where to send it: this is the MX record. For www.yourdomain.com.au, it needs to find the A record to know which web server to look for the website on, etc.)

With an SPF record, it finds all the available servers that might be trying to send email for that domain. Now bear in mind 90% of domains do NOT publish an SPF.

Why don't we publish SPF? Simple. When we send email out of our server it goes to our ISP first, then their servers send it on to the final destination, so for us to publish an SPF we would have to know the addresses of all our ISP’s servers, track any changes to them, and keep updating.

Why don’t we just send straight from our server? Good reason. Even though we have a STATIC IP (always the same), it is not a true static IP; it is simply a dynamic one that has been reserved for our use by our ISP. To get a true static IP we have to apply to APNIC (the governing body) to be allocated one, and then we must set up routes with our ISP... Obviously only large companies do this. We could just bypass this and publish our existing “ISP Static” IP address; however, a lot of spam servers will reject messages that don’t come from a registered Static IP address, and some ISPs block messages from bypassing their email servers to try to stop spammers from sitting on their network and sending out bulk messages.

Is it a problem having “NO” SPF record? Not really. As we don’t have an SPF record, it simply means that the messages we send cannot be validated as not spam by simply checking our SPF record. This does make it a little easier for a spammer to fake an email so that it looks like it came from us, as we do not say which IPs are allowed to send email on behalf of yourdomain.com.au.

Is it good to have a “CORRECT” SPF? Absolutely. With a correct SPF, spam filters simply look at our SPF record and then look at the originating IP address of the message. If all things match, then it will pass the message as likely good.

How bad is it to have an “INCORRECT” SPF? Really bad. With an incorrect SPF, spam filters will instantly assume the message is unauthorized and treat it as likely SPAM. It is like saying "here is my phone number, and unless I call you from this number please treat everything I say as not coming from me"... and then changing your phone number without letting anyone know.
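The three cases above (no SPF, correct SPF, incorrect SPF) can be seen in a small evaluator. This is an added example, not code from the article's author; the records, the `isp.example` relay domain and the documentation-range IP addresses are constructed, and the `include:` term assumes the ISP publishes its own SPF record for its outbound servers.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a term with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_ip, domain, txt_records, depth=0):
    """Evaluate sender_ip against the SPF record published for domain.

    txt_records is a dict of domain -> SPF TXT string standing in for DNS.
    Handles ip4, ip6, include and all; a/mx/exists need live DNS and are
    skipped, and include error propagation is simplified.
    """
    record = txt_records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # nothing published: nothing to check
    if depth > 10:
        return "permerror"                 # stop include loops (RFC caps lookups at 10)
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            matched = check_spf(sender_ip, value, txt_records, depth + 1) == "pass"
        else:
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # no term matched and no "all" term

# Constructed records: yourdomain.com.au relays all mail through its ISP.
CORRECT = {"yourdomain.com.au": "v=spf1 include:isp.example -all",
           "isp.example": "v=spf1 ip4:198.51.100.0/24 -all"}
# Stale record: still lists the ISP's old range after its relays moved.
STALE = {"yourdomain.com.au": "v=spf1 ip4:192.0.2.0/24 -all"}
RELAY = "198.51.100.25"                    # ISP relay that actually delivers the mail

if __name__ == "__main__":
    for label, dns in (("no SPF", {}), ("correct", CORRECT), ("incorrect", STALE)):
        print(label, "->", check_spf(RELAY, "yourdomain.com.au", dns))
```

The same legitimate message from the same relay gets `none`, `pass` or `fail` depending only on what the domain has published, while a sender outside the listed ranges gets `fail` against the correct record.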

Hope this helps. It is a simplistic explanation and does not hold true for larger organisations that would certainly want to have an SPF, and who go to the expense and effort of having a true Static IP. If you fall into this category then you shouldn't be reading this anyway, as you would not need SPF explained. If you do require SPF explained then you either fall into the category of organisation that doesn't require an SPF (unless you want to continually manage it), or you do work for a large organisation (global, with thousands of outbound emails daily) and are a little out of your depth, in which case I would suggest you locate a specialist to assist you with your outbound email system.

Andrew Davis
andrew [at] andlin.com.au
