Should all domains have an SPF record

vmich
I noticed that some of our domains have SPF records and some do not. My question is: should all of our domains have SPF records?
I think the answer would be yes, so that spammers can't spoof any of our domains, correct? Whether they are email domains or website domains?
Omar Nahhas, Solutions Expert (Azure and Infrastructure Architect) / Microsoft & Rapidus (Managed Service)

Commented:
Actually, you need an SPF record for the domain you are sending emails from; the SPF record is used so that your emails are not marked as spam. To protect the websites you need a WAF or a firewall with the same functionality.
Joseph Hornsey, President and Janitor

Commented:
SPF records should still be set up on all domains that are used for email.

There's some debate about whether or not SPF records are still necessary, as everyone "should" be implementing DKIM. The reality is that SPF is still out there and a lot of mail servers expect to see it.

Also, I've heard people talk about how SPF records have been deprecated. However, from what I understand, this only refers to the specific DNS record type: only the DNS 'SPF' record type (DNS type 99) has been deprecated, and SPF records should only exist as TXT (DNS type 16) records.
noci, Software Engineer
Distinguished Expert 2018

Commented:
All domains you use as a public mail source do need an SPF record (nowadays).
Any mail you handle internally you can set up yourself to be accepted.

As soon as mail has to be handled outside of your control and you want it to be accepted, then you need SPF.
(And all systems that can be the SOURCE of such mail need to be mentioned in the SPF record.)

Example:

www.example.com    is a web server that sends mail on behalf of example.net
xyz.example.com    is a backend server that sends mail on behalf of example.net
mail.example.com   is your mail server, sending mail for example.com & example.net
mx.example.com     is your receiving mail server...

Then the SPF record of example.net needs to mention the servers that handle www.example.com, xyz.example.com and mail.example.com, with all the IPs they use.
The example.com SPF record needs to mention the mail.example.com IP address.

(mx.example.com also needs to be mentioned, as it can be the source of non-delivery messages.)

Dr. Klahn, Principal Software Engineer

Commented:
I think the answer would be yes so that spammers can't spoof any of our domains

The answer is indeed "yes", per noci's comment above.  However, do be aware that quite often this does not prevent spammers from spoofing email originating at your domains.

SPF is infrequently to not-at-all enforced by receiving MTAs, and they are the ones which must enforce it.  Strict enforcement of SPF causes unwanted rejections which are unlikely to be solved by the sending MTA's postmaster seeing a bounce and correcting the SPF.  Therefore, the usual handling of bad SPF is to pass the email through anyway, perhaps with a warning line in the header block -- which nobody sees without enabling verbose headers in their email reader.

So spam purporting to come from your domain will probably go through most of the time anyway.
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
1) I noticed that some of our domains have SPF records and some do not. My question is should all of our domains have SPF records?

Yes.

Even if you don't send email from the domain, set up an SPF record to block spammers sending messages forged with addresses on your domains.

2) I think the answer would be yes so that spammers can't spoof any of our domains, correct? Whether they are email domains or website domains?

Correct.

3) Also, if you really are sending email from domains and require high deliverability, then also set up DKIM signing.

4) Also, set up a DMARC record to track valid and spam email being sent on behalf of your domain.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
About DMARC: always start with a report-only record, until you have everything working...

Something like this...

_dmarc.your-domain.com.	600	IN	TXT	"v=DMARC1; p=none; sp=none; fo=1; adkim=s; aspf=s; pct=100; rf=afrf; ri=86400; ruf=mailto:dmarc@your-domain.com; rua=mailto:dmarc@your-domain.com;"



The above record lists all defaults, so they're easier to change in the future.

Report only is enabled by...

p=none; sp=none;

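As an added illustration of the record above (this code is not from David Favor's comment or from the original thread), the following Python parser applies the tag rules a DMARC receiver uses per RFC 7489: the v tag must come first, sp defaults to p, pct/ri/fo/adkim/aspf fall back to their defaults when absent or invalid, and a record whose p tag is missing or invalid is still treated as p=none when it carries a rua address. The function names and the error strings are my own; the tag defaults are the RFC values.

```python
"""Parse and sanity-check a DMARC TXT record (RFC 7489 tag syntax) offline.

Constructed example for this thread; no DNS is queried. parse_dmarc() returns
the policy a receiver would actually apply plus a list of problems found.
"""

ALLOWED = {
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
    "rf": {"afrf"},
}
FO_TOKENS = {"0", "1", "d", "s"}          # fo may combine these with ':'
# Values a receiver assumes when the tag is absent (RFC 7489 section 6.3)
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "rf": "afrf",
            "pct": "100", "ri": "86400"}


def parse_dmarc(record):
    """Return (effective_policy, problems).

    effective_policy is None when a receiver would apply no DMARC processing
    at all (bad version tag, or unusable p with no rua to fall back on).
    """
    problems = []
    parts = [p.strip() for p in record.split(";")]
    tags = {}
    for part in parts:
        if not part:                      # tolerate the trailing ';'
            continue
        name, sep, value = part.partition("=")
        if not sep:
            problems.append(f"malformed tag {part!r}")
            continue
        tags[name.strip().lower()] = value.strip()

    # The version tag must be the first tag and exactly DMARC1.
    if not parts or parts[0].lower().replace(" ", "") != "v=dmarc1":
        problems.append("record must start with v=DMARC1")
        return None, problems

    rua = [u.strip() for u in tags.get("rua", "").split(",")
           if u.strip().lower().startswith("mailto:")]
    policy = tags.get("p", "").lower()
    if policy not in ALLOWED["p"]:
        if rua:
            # RFC 7489 6.6.3: unusable p but a valid rua URI -> act as p=none
            problems.append(f"p missing or invalid ({tags.get('p')!r}); "
                            "treated as none because rua is present")
            policy = "none"
        else:
            problems.append("p missing or invalid and no rua: record unusable")
            return None, problems

    effective = {"p": policy}
    sp = tags.get("sp", "").lower()
    if sp and sp not in ALLOWED["sp"]:
        problems.append(f"invalid sp={sp!r}; falling back to p")
    effective["sp"] = sp if sp in ALLOWED["sp"] else policy   # sp defaults to p

    for name in ("adkim", "aspf", "rf"):
        value = tags.get(name, DEFAULTS[name]).lower()
        if value not in ALLOWED[name]:
            problems.append(f"invalid {name}={value!r}; using default {DEFAULTS[name]}")
            value = DEFAULTS[name]
        effective[name] = value

    fo = tags.get("fo", DEFAULTS["fo"])
    if not all(tok in FO_TOKENS for tok in fo.split(":")):
        problems.append(f"invalid fo={fo!r}; using default 0")
        fo = DEFAULTS["fo"]
    effective["fo"] = fo

    for name in ("pct", "ri"):
        raw = tags.get(name, DEFAULTS[name])
        try:
            num = int(raw)
            if name == "pct" and not 0 <= num <= 100:
                raise ValueError
        except ValueError:
            problems.append(f"invalid {name}={raw!r}; using default {DEFAULTS[name]}")
            num = int(DEFAULTS[name])
        effective[name] = num

    effective["rua"] = rua
    effective["ruf"] = [u.strip() for u in tags.get("ruf", "").split(",") if u.strip()]
    # Report-only means neither the domain nor its subdomains get any enforcement.
    effective["report_only"] = effective["p"] == "none" and effective["sp"] == "none"
    return effective, problems
```

Feeding the record from the comment above into parse_dmarc() yields report_only True with an empty problem list; changing only p to reject makes sp inherit reject, which is the usual surprise when a subdomain starts bouncing after "just" tightening the organizational domain.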

Well, technically email can function without any SPF record at all; however, some recipient mail systems may refuse to accept emails from such a domain. More frequently it will just be regarded with suspicion by some "points based" antispam algorithm. Also, a domain with no SPF is MUCH more likely to be spoofed, which can be annoying.

I would strongly recommend that any domain have an SPF record in place. For a domain that will not be used to send email, just have an SPF record of "v=spf1 -all", meaning no IP sends email. Really simple.
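To make noci's example and the "v=spf1 -all" advice above concrete, here is an added SPF evaluator in Python; it is not code from the thread or from any of the commenters. It implements the RFC 7208 subset most records use (all, ip4, ip6, a, mx, include, redirect=) against an in-memory DNS table, so nothing is looked up live. The hosts for example.com and example.net follow noci's layout; the IP addresses, example.org (a domain that never sends mail), shop.example.net and the bulk sender esp.example are constructed for the example.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over a constructed, offline DNS table.

Supports the all, ip4, ip6, a[:host[/prefix]], mx[:host[/prefix]] and include
mechanisms with +/-/~/? qualifiers and the redirect= modifier. Nothing is
resolved live: every record below is made up for this example.
"""
import ipaddress

# Constructed zone data. The .com/.net hosts mirror noci's layout; example.org,
# shop.example.net and esp.example are added to show -all and include:.
DNS = {
    ("example.net", "TXT"): ["v=spf1 a:www.example.com a:xyz.example.com a:mail.example.com mx -all"],
    ("example.com", "TXT"): ["v=spf1 a:mail.example.com mx -all"],
    ("example.org", "TXT"): ["v=spf1 -all"],                      # never sends mail
    ("shop.example.net", "TXT"): ["v=spf1 include:esp.example -all"],
    ("esp.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],   # a bulk sender
    ("www.example.com", "A"): ["192.0.2.10"],
    ("xyz.example.com", "A"): ["192.0.2.11"],
    ("mail.example.com", "A"): ["192.0.2.20"],
    ("mx.example.com", "A"): ["192.0.2.30"],
    ("example.net", "MX"): ["mx.example.com"],
    ("example.com", "MX"): ["mx.example.com"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the table above."""
    return DNS.get((name.lower(), rtype), [])


def _host_matches(sender, spec, default_domain, rtype):
    """Does `sender` fall within the A records named by an a:/mx: spec?"""
    target, _, prefix = (spec or default_domain).partition("/")
    hosts = [target] if rtype == "A" else lookup(target, "MX")
    for host in hosts:
        for addr in lookup(host, "A"):
            if sender in ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False):
                return True
    return False


def check_spf(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for `ip` sending as `domain`."""
    if depth > 10:                      # RFC 7208 lookup limit, simplified
        return "permerror"
    records = [r for r in lookup(domain, "TXT")
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"                   # no SPF record: the receiver learns nothing
    if len(records) > 1:
        return "permerror"              # two SPF records is a hard error
    sender = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term.partition(":")[0]:          # modifier, e.g. redirect=, exp=
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = _host_matches(sender, arg, domain, "A")
        elif mech == "mx":
            matched = _host_matches(sender, arg, domain, "MX")
        elif mech == "include":
            sub = check_spf(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"      # included domain without a record is fatal
            matched = sub == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        return check_spf(ip, redirect, depth + 1)
    return "neutral"                    # fell off the end without an "all"
```

Running check_spf("192.0.2.10", "example.net") returns pass because the web server is listed for example.net, while the same address sending as example.com returns fail: that is exactly the per-domain bookkeeping noci describes. Anything sending as example.org fails outright thanks to "-all", and a domain with no record returns none, which is why receivers can only treat such mail as unknown rather than forged.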
Riaz Alexander Ansary, Enterprise Infrastructure Systems Engineer

Commented:
SPF records are to allow third-party mail servers, aside from your Exchange organization, to use your domains to send messages. I personally have established a strict policy about allowing any SPF records to be added for our Exchange organization's domains, because if you, for example, allow the marketing team to use a third-party application to send out mass emails on behalf of your domains, there is a high chance your domain's spam score goes up and other parties' messaging gateways stop the messages as spam. The only SPF records I have in our domains are the IP addresses of our messaging security gateway, for which we have Proofpoint agents.
So NO, you only need SPF records to allow other SMTP services to send messages on behalf of your domain. Unless that is needed, as in our case with our Proofpoint gateway, you do not need to add SPF records for all your domains.
Software Engineer
Distinguished Expert 2018
Commented:
For SMTP there is no need for any SPF, DKIM, DMARC....
Due to some weakness in the SMTP protocol, people could start sending mail without a clear origin for any message;
this happened on such a huge scale (now known as SPAM...)
that 80+% of mail doesn't get delivered due to spam filtering.
To get better responsibility, a valid sender can be "authorized" using SPF records.
It still requires the receiving end to validate whether the sender is legitimate.
Same for DKIM, btw. With DKIM a public-key cryptographic signature lets the receiver distinguish even better between valid & invalid senders,
as only the correct sender can know the secret part that generates the signature.
(Many receivers give a penalty on the spam check when those are missing...)

This doesn't give any feedback or control to a sender; this is where DMARC kicks in. DMARC allows receivers of mail from "your domain" to report to YOU how much spam and how much ham was received. It also allows a sender to tell the receivers how mail from an invalid mail sender should be treated: neutral, or just as a bad message.
This still leaves the receiver responsible for following your wishes.
BTW, this is mailer agnostic in principle; just not everyone follows the guidelines, although more and more organisations are using & validating SPF, DKIM & DMARC.
In the last 2 years it has gained enough traction to actually become useful.
