SPF - An effective tool to fight email spoofing

What is an SPF record?

An SPF (Sender Policy Framework) record helps keep the bad guys from "spoofing" or forging a domain name when sending mail. This is important, because otherwise it's pretty easy for them to make it look like you sent the spam or unwanted mail. In recent years, SPF has become a very valuable spam- and phishing-fighting tool.

Despite the complex-looking syntax, an SPF record is simply a list of pre-approved sources of email for a domain. On the message recipient's end, the mail servers request the official list of pre-approved sources of mail (aka your SPF record). They then check whether the server the message came from is on that list. If it is, the message is delivered. If the source of the message is not on that list, the recipient server uses the information provided by the SPF record to choose whether it should accept the message or not.

Create the default SPF record for your domain(s)

Default SPF records

By default, all domains added to your cPanel should have an SPF record created for you already. It initially assumes all mail for the domain(s) will be sent by Fused email servers.

If SPF is not enabled for your domains, you can create the records automatically in your cPanel. Go to the Email section, then click the Authentication link. In the Authentication utility, click the Enable button under the SPF Status section.

Be sure you know all of your email sources!

An incorrect or incomplete SPF record is usually far more harmful than no SPF record at all. If you fail to list a legitimate mail source in your SPF record, mail from that source will be treated as suspicious or potentially blocked outright.

When creating your SPF record, it is important to know what servers and/or services send email on behalf of your domain. For a lot of Fused customers, the default SPF configuration is perfectly fine. However, if you use a third-party email service (Google Apps, aka G Suite, Office365, etc.), or if you use something like MailChimp, Constant Contact, etc., your SPF record will need to be adjusted. Feel free to contact us for advice and help with getting your SPF record correct.

What does an SPF record look like?

So, what does an SPF record look like? Here is the one for the fuseddemo.com domain:

v=spf1 +a +mx +ip4:69.162.149.25 +include:_spf.fused.com ~all

That batch of seemingly random characters breaks down like this:

  • v=spf1 - the SPF version.
  • +a - the IP address returned by the fuseddemo.com A record is allowed.
  • +mx - any IP address of the hosts listed in the fuseddemo.com MX records is allowed.
  • +ip4:69.162.149.25 - this specific IP address is allowed.
  • +include:_spf.fused.com - any IP returned from this
  • ~all - anything else not listed is considered a soft fail: the recipient server should proceed, but mark the mail as potentially suspicious. If the SPF record ended in -all (a minus sign rather than a tilde), anything not listed would be considered a hard fail and the recipient server should reject the message.
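To make the evaluation described above concrete, here is a small SPF checker written for this article as an added example; it is not Fused's code or part of cPanel. It parses a record term by term, resolves a, mx and include mechanisms against a constructed in-memory DNS table (the A, MX and _spf.fused.com data below are invented so the script runs offline; only the fuseddemo.com record text is taken from the article), and returns the result a receiving server would reach for a given sending IP. It also counts the DNS-querying mechanisms a record triggers, since RFC 7208 caps those at 10 and receivers return a permanent error past that limit, a common way an over-grown record silently breaks.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-in for DNS so the example runs offline. The hostnames and
# addresses here are illustrative only; _spf.fused.com's real record differs.
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "fuseddemo.com": {
        "A": ["69.162.149.25"],
        "MX": ["mail.fuseddemo.com"],
        "TXT": ["v=spf1 +a +mx +ip4:69.162.149.25 +include:_spf.fused.com ~all"],
    },
    "mail.fuseddemo.com": {"A": ["69.162.149.30"]},
    "_spf.fused.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},  # hypothetical
    "strict.example": {"TXT": ["v=spf1 ip4:69.162.149.25 -all"]},   # hard-fail variant
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that cost a DNS query; RFC 7208 limits these to 10 per check.
LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}
MAX_LOOKUPS = 10


def lookup(name: str, rtype: str) -> List[str]:
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain: str) -> Optional[str]:
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def ip_in(ip: str, network: str) -> bool:
    # A bare address is treated as a /32 (or /128); version mismatch is False.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_host(ip: str, domain: str, lookups: Optional[List[int]] = None) -> str:
    """Evaluate sender `ip` against `domain`'s SPF record.

    Returns pass, fail, softfail, neutral, none or permerror, mirroring the
    outcomes a receiving mail server acts on."""
    lookups = lookups if lookups is not None else [0]  # shared lookup counter
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        if "=" in term.partition(":")[0]:    # modifiers (redirect=, exp=) not handled here
            continue
        qualifier = "+"                      # a term without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in LOOKUP_MECHANISMS:
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = any(ip_in(ip, addr) for addr in lookup(arg or domain, "A"))
        elif name == "mx":
            matched = any(ip_in(ip, addr)
                          for host in lookup(arg or domain, "MX")
                          for addr in lookup(host, "A"))
        elif name == "include":
            # include: matches only if the referenced record yields "pass".
            matched = check_host(ip, arg, lookups) == "pass"
        else:
            return "permerror"               # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term


def count_dns_lookups(domain: str) -> int:
    """Count DNS-querying mechanisms reachable from the record (limit is 10)."""
    total = 0
    for term in (spf_record(domain) or "").split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name.lower() in LOOKUP_MECHANISMS:
            total += 1
        if name.lower() == "include":
            total += count_dns_lookups(arg)
    return total


if __name__ == "__main__":
    for sender in ("69.162.149.25", "69.162.149.30", "198.51.100.7", "203.0.113.9"):
        print(sender, "->", check_host(sender, "fuseddemo.com"))
    print("lookups used by fuseddemo.com:", count_dns_lookups("fuseddemo.com"))
```

The last sender, 203.0.113.9, stands in for a third-party service that was never added to the record: it gets softfail under the article's ~all ending and would get a hard fail under the -all variant, which is exactly the "incomplete record is worse than none" situation described above. When auditing a real record, the same walk-through with live DNS answers tells you both which sources are covered and how close the record is to the 10-lookup ceiling.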