Preventing phishing, spoofing, and scam attacks is a top priority for companies, especially those with a complicated email infrastructure. The involvement of a third-party vendor or outsourced email service provider makes deploying SPF, DKIM, and DMARC challenging.
Here are the top questions asked by people-
What is SPF and SPF Record?
SPF is an email authentication protocol that allows you to list IP addresses (belonging to the ipv4 and ipv6 range) and email servers that can officially send messages on behalf of your company. An SPF record comprises syntax (mechanisms, modifiers, and qualifiers) and instructions for recipients’ mailboxes on handling emails that fail SPF authentication checks.
Example of an SPF Record
v=spf1 ip4:167.41.100.1 -al
This SPF record example instructs to reject the entry of unauthorized emails.
How Does SPF Authentication Work?
A recipient’s mail server checks the return-path address to see if the sending domain holds a valid SPF record and if the sender’s IP address (ip4 and ip6 range) is listed in it. If yes, SPF authentication passes, and the message lands in the primary inbox. If not, the failed email is either marked as spam or gets rejected.
What are SPF Lookups?
SPF lookup is the exercise performed by making a DNS query to verify whether the sender’s IP address or SMTP server is part of the corresponding SPF TXT record. If it isn’t a part of it, the sender is identified as malicious, and the message doesn’t get placed in the primary inbox of the recipient.
How is SPF DNS Lookup Performed?
This drill is conducted in 6 steps-
1. Email Reception
The recipient’s mail server receives an email and identifies the domain in the “From” address.
2. Domain Extraction
The server extracts the domain and retrieves the SPF record from the domain’s DNS TXT records.
3. Parsing SPF Record
The SPF record is examined to find authorized IP addresses of legitimate sending servers for the domain.
4. Comparing Sender’s IP
The sender’s IP address is checked against authorized servers. A match results in passing the SPF check.
5. Decision Making
The mail server accepts, rejects, or flags the email based on the check. This influences inbox/spam placement.
6. Feedback
SPF allows domain owners to define recipient server actions for failed validation, like tagging or rejecting emails.
What is the Role of an SPF Record Checker?
An SPF record checker (also called SPF validator) is a tool that diagnoses your SPF DNS record against the following to ensure there are no errors.
- Existence of an SPF TXT record for the queried domain name.
- Presence of multiple SPF records for one domain.
- Exceeding the SPF lookup limit of 10.
- Exceeding the void lookup limit of 2.
- Typos and configuration issues.
- Use of ptr, a, and mx mechanisms.
- Use of unnecessary ‘include’ statements.
- Syntax problems.
Image sourced from norton.com
How to Avoid SPF Errors?
The following practice keeps problems at bay for your SPF records-
- Include sending sources of third-party vendors who also send emails on behalf of your business.
- Use either ~all (softfail) or -all (hardfail) mechanism. Using +all or ?all is highly discouraged.
- Avoid using the redirect= mechanism, as it doesn’t let you add other sending sources.
- Use DKIM and DMARC to prevent phishing attacks and enhance email delivery.
How to Fix DNS Lookups Permerror?
If you come across the SPF lookup error during an SPF record check exercise, then you need to fix it by taking care of the following:
- Remove unnecessary include mechanisms.
- Use the IP4 and IP6 ranges only.
- Remove mechanisms with duplicate functionality.
- Eliminate the “ptr” mechanism.
If this doesn’t sort the issue, you can try getting in touch with AutoSPF where we offer SPF flattening services. It helps domain owners by compressing the queried record to stay within the limit of DNS lookups.