WTF are SPF?

SPF records detail which servers are allowed to send mail for your domain. You're supposed to be listing the addresses of all the servers that are authorised to send mail coming from your domain. If you don't have an exhaustive list at this time, it's generally not a good idea to set up an SPF record. Also a domain can only have one SPF record, so you'll need to combine all the information into a single record.

The individual questions really just help break the list down for you.

  1. asks you for other domains whose mail servers may relay mail from you; if you have eg a secondary MX server at mail-relay.example.org, and that is the main mail server (MX record) for the domain example.org, then you should enter mx:example.org. Your SPF record should include your own domain's MX record under nearly all circumstances (mx).
  2. asks you for your ip netblocks. If you have colocated servers at 1.2.3.0/28, and your office address space is 6.7.8.0/22, enter ip4:1.2.3.0/28 ip4:6.7.8.0/22. IPv6 space should be added as eg ip6:2a01:9900:0:4::/64.
  3. if (eg) you also have a machine off in someone else's office that has to be allowed to send mail from your domain, enter that as well, with eg a:mail.remote.example.com.

Your mobile phone users are problematic. If they send email by connecting to your mail server using eg SMTP AUTH, and sending through that server, then you've dealt with them by listing the mail server's address in (2). If they send email by just connecting to whatever mail server the 3G/HSDPA provider's offering, then you can't do SPF meaningfully until you have rearchitected your email infrastructure so that you do control every point from which email purporting to be from you hits the internet.

Question 4 is a bit different, and asks what recipients should do with email that claims to be from your domain that doesn't come from one of the systems listed above. There are several legal responses, but the only interesting ones are ~all (soft fail) and -all (hard fail). ?all (no answer) is as useless as ~all (qv), and +all is an abomination.

~all is the simple choice; it tells people that you've listed a bunch of systems who are authorized to send mail from you, but that you're not committing to that list being exhaustive, so mail from your domain coming from other systems might still be legal. I urge you not to do that. Not only does it make SPF completely pointless, but some mail admins on SF deliberately configure their SPF receivers to treat ~all as the badge of a spammer. If you're not going to do -all, don't bother with SPF at all.

-all is the useful choice; it tells people that you've listed the systems that are allowed to send email from you, and that no other system is authorized to do so, so they are OK to reject emails from systems not listed in your SPF record. This is the point of SPF, but you have to be sure that you have listed all the hosts that are authorized to originate or relay mail from you before you activate it.

Google is known to advise that

Publishing an SPF record that uses -all instead of ~all may result in delivery problems.

well, yes, it may; that is the whole point of SPF. We cannot know for sure why google gives this advice, but I strongly suspect that it's to prevent sysadmins who don't know exactly whence their email originates from causing themselves delivery problems. If you don't know where all your email comes from, don't use SPF. If you're going use SPF, list all the places it comes from, and tell the world you're confident in that list, with -all.

Note that none of this is binding on a recipient's server; the fact that you advertise an SPF record in no way obliges anyone else to honour it. It is up to the admins of any given mail server what email they choose to accept or reject. What I think SPF does do is allow you to disclaim any further responsibility for email that claimed to be from your domain, but wasn't. Any mail admin coming to you complaining that your domain is sending them spam when they haven't bothered to check the SPF record you advertise that would have told them that the email should be rejected can fairly be sent away with a flea in their ear.

June 19 2020

Add or review comments

Please leave your comment

Existing comments

Comments 0


Get notified about new publications and product updates.
Please note we do not share information to anyone.