Prevent Email Spoofing | DNS Course

Email SPF Record Setup Tutorial – Sender Policy Framework (SPF)

Author: Emad Zaamout

Sunday, October 17, 2021

Table of Contents

  1. Introduction
  2. What is an SPF Record?
  3. SPF Record – Qualifiers
  4. SPF Record – Mechanism

Introduction

Welcome back,

In this tutorial, we're going to cover what SPF records are, why you need them and how to create them.

If you own a domain, it's crucial that you set up your SPF record correctly to prevent email spoofing or email fraud.

If you don't have an SPF record set up, anyone can send email on your domain's behalf.

This can get your domain blacklisted for spam even if you are not sending mail.

This is a DNS course, so you should be comfortable adding DNS records, such as TXT records, to your domain.

Before we get started, don’t forget to subscribe to our channel to stay up to date with our latest training videos.

What is an SPF Record?

SPF stands for Sender Policy Framework. It is a TXT record that you add to your domain's DNS.

It is used by all mail providers, such as Gmail and Outlook, so that they can detect and block email spoofing and unauthorized mail sent on your domain's behalf.

An SPF record allows you to specify one or more IP addresses or domain names that are allowed to send mail on your domain's behalf (i.e., mail "from" your domain).

Your SPF record should list exactly the servers that are authorized to send mail on your domain's behalf, and it should tell the mail service providers how to handle any mail that is not authorized.

For example, if you're using Outlook as your email provider, your SPF record would look something like this: "v=spf1 include:spf.protection.outlook.com -all"

The first part, v=spf1, specifies the SPF version; the current SPF version is 1. This is required for all SPF records, so this part should always be present.

The second part, include:spf.protection.outlook.com, consists of 2 parts:

  1. The "include:" is called the Mechanism

  2. The "spf.protection.outlook.com" is called the Directive

The last part, -all, also consists of 2 parts, known as the Qualifier and the Directive.

Putting this all together, your SPF record should always look like this:

“v={spf version} {mechanisms}{directive} {qualifiers}all”

We will cover each part in detail, but to give you an idea, what this record is saying is that spf.protection.outlook.com is a third-party email vendor and is authorized to send email on our domain's behalf. The include part basically copies in the SPF record stored at that domain.

The last part is saying that all other emails not covered by our list should fail, which means the email service provider will treat that email as spam.

"v=spf1 include:spf.protection.outlook.com -all"

SPF Record – Qualifiers

So far, we know that your SPF record should always look something like this: "v=spf1 {mechanisms}{directive} {qualifiers}all"

Your SPF record is read right to left.

If an email got sent out using your domain name, you would list all the authorized server IPs that can send emails on your behalf. The last part then tells the email service providers how to handle emails that are not authorized, based on the qualifier you use.

There are 4 different types of qualifiers.

The first one is the plus sign. This is the default qualifier. It’s used if you don’t specify a qualifier.

This qualifier means that the email service provider should always accept the email.

I don’t recommend you use this option because you don’t want any unauthorized email using your domain name to be accepted.

The second qualifier is the dash sign. I always recommend you use this qualifier.

This qualifier tells the email service provider to always fail the email when it is not part of your authorized list.

The third qualifier is the tilde. This qualifier tells the email service provider to accept the email but mark it as suspicious. So basically, throw it in the junk folder.

The last qualifier, the question mark, means neither pass nor fail. This qualifier tells the email service provider that your SPF record says nothing about passing or failing.

I always recommend you use the dash qualifier, to make sure all unauthorized emails are not accepted.

Qualifier   Result Code   Description

+           Pass          Default if no qualifier is specified. Accept the message.

-           Fail          The sending server is not authorized. Reject the message.

~           SoftFail      The sending server is unlikely to be authorized. Accept the message but mark it as suspicious.

?           Neutral       Neither pass nor fail SPF. Accept; the SPF record does not state whether the server(s) should be accepted or rejected.

SPF Record – Mechanism

Now the last part of your SPF record is a combination of mechanisms and directives.

This is where you can list as many IP addresses or domain names as you want to authorize.

When an email is sent out on your domain's behalf, the email service provider receiving your email will check whether the email is authorized by looking in this list.

There are 5 different mechanisms for authorizing servers.

You can authorize mail servers by domain name using the letter "a" as the mechanism.

So if you want to authorize any other domain to send email on your domain's behalf, you would write "a", then a colon, then the domain name.

The second way you can authorize servers is by another domain's MX record. To do that, you write "mx", a colon, then the domain name whose MX record should be used.

The third way is to authorize by IPv4 address or a range of IPv4 addresses. This mechanism is straightforward: you just write ip4, a colon, then the IPv4 address or range.

The fourth way is to authorize servers by IPv6 address or a range of IPv6 addresses. Similar to ip4, you write ip6, a colon, then the IPv6 address or range of IPv6 addresses.

The last mechanism you can use is include. This basically authorizes a third-party email sender.

Mechanism   Directive / Applies When

a           Authorize mail servers by domain name. Example: a:autodiscover.outlook.com

mx          Authorize one or more mail servers by another domain's MX record. For example, if you use Outlook, Gmail, Amazon SES, etc., you add an mx mechanism to authorize their servers. Example MX record value: 10 inbound-smtp.us-east-1.amazonaws.com

ip4         Authorize mail servers by IPv4 address or address range. Example: ip4:192.168.0.1 or ip4:192.0.2.0/24

ip6         Authorize mail servers by IPv6 address or address range. Example: ip6:3FFE:0000:0000:0001:0200:F8FF:FE75:50DF or ip6:2001:db8:1234::/48

include     Authorize 3rd-party email senders by domain. Example: include:spf.protection.outlook.com
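To tie the record structure, the qualifiers and the five mechanisms together, here is a small SPF evaluator written as an added example for this tutorial; it is not code from the original post or from any mail provider. It parses a record into (qualifier, mechanism, directive) terms, then checks a sending IP against ip4, ip6, a, mx and include the way a receiving server does: terms are evaluated in order, left to right, and the first matching term's qualifier decides the result (RFC 7208). All DNS data is a constructed in-memory table (the example.com, mx1.example.com, mail.example.com and _spf.vendor.example names and their addresses are made up), so it runs offline with no real lookups. The all_policy helper reports which qualifier the trailing "all" carries, which is the setting this tutorial recommends checking for "-".

```python
import ipaddress
import re

# Constructed DNS data for the example (no real lookups are made): each name maps
# to its A/AAAA addresses, MX hosts and TXT records. All values are made up.
FAKE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx a:mail.example.com include:_spf.vendor.example -all"],
        "MX": ["mx1.example.com"],
        "A": ["198.51.100.10"],
    },
    "mx1.example.com": {"A": ["198.51.100.25"]},
    "mail.example.com": {"A": ["203.0.113.5"], "AAAA": ["2001:db8::5"]},
    "_spf.vendor.example": {"TXT": ["v=spf1 ip6:2001:db8:1234::/48 ~all"]},
}

# One term: optional qualifier, mechanism name, optional ":directive".
TERM_RE = re.compile(r"^([+\-~?]?)(all|include|a|mx|ip4|ip6)(?::(.+))?$", re.IGNORECASE)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, directive) terms; '+' is the default."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("missing v=spf1 version tag")
    terms = []
    for tok in tokens[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"unsupported term: {tok}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms


def all_policy(record):
    """Result applied to unlisted senders, taken from the qualifier on the trailing 'all'."""
    terms = parse_spf(record)
    if not terms or terms[-1][1] != "all":
        return None  # no 'all' term: unlisted senders fall through to neutral
    return QUALIFIER_RESULT[terms[-1][0]]


def ip_in(ip, cidr):
    """True when ip lies inside cidr (single address or prefix); other family never matches."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return ip.version == net.version and ip in net


def addresses(name, dns):
    rec = dns.get(name, {})
    return rec.get("A", []) + rec.get("AAAA", [])


def check_host(ip_str, domain, dns=FAKE_DNS, depth=0):
    """Return the SPF result for ip_str sending as domain: pass/fail/softfail/neutral/none."""
    if depth > 10:
        raise RuntimeError("too many nested include terms")
    ip = ipaddress.ip_address(ip_str)
    txts = [t for t in dns.get(domain, {}).get("TXT", []) if t.lower().startswith("v=spf1")]
    if len(txts) != 1:
        return "none"  # no record (or an ambiguous pair of records) means no policy
    for qualifier, mech, directive in parse_spf(txts[0]):
        target = directive or domain  # bare 'a' / 'mx' refer to the record's own domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = bool(directive) and ip_in(ip, directive)
        elif mech == "a":
            matched = any(ip_in(ip, a) for a in addresses(target, dns))
        elif mech == "mx":
            hosts = dns.get(target, {}).get("MX", [])
            matched = any(ip_in(ip, a) for h in hosts for a in addresses(h, dns))
        else:  # include: the other domain's record must yield 'pass' for this term to match
            matched = check_host(ip_str, directive, dns, depth + 1) == "pass"
        if matched:
            return QUALIFIER_RESULT[qualifier]  # first matching term decides
    return "neutral"


if __name__ == "__main__":
    for sender in ["192.0.2.77", "198.51.100.25", "2001:db8:1234::9", "203.0.113.200"]:
        print(sender, "->", check_host(sender, "example.com"))
    print("policy for unlisted senders:", all_policy(FAKE_DNS["example.com"]["TXT"][0]))
```

Running it shows the listed IPv4 range, the MX host and the vendor's IPv6 prefix (reached through include) all yielding pass, while an unlisted address gets fail because the record ends in -all; the same unlisted address checked against the vendor record gets softfail because that record ends in ~all.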
