Sender Policy Framework (SPF) is an email authentication method that checks whether an IP address claiming to send email for a domain is actually approved by the administrators of that domain. The record is published as a DNS TXT record containing the list of email servers authorized to send email on behalf of your domain name. SPF records defend your domain by preventing spammers from sending messages with bogus From: addresses attached to your domain.
SPF records are defined using the TXT record type. An SPF record is usually defined as a single string of text. The record starts with the v= element, which indicates the SPF version being used. The most common SPF version in use is spf1 since it is easily understood by most email exchanges.
v=spf1 a mx ip4:69.64.153.131 include:_spf.google.com ~all
The version indicator is followed by terms, which are made up of mechanisms and modifiers. The terms define which hosts can send mail from the domain and provide additional information for processing the SPF record.
The defined mechanisms include:
all: Sets the policy for all other sources. It should be placed at the end of your SPF record, where it provides a default for other sources. Use a qualifier to define the policy to be applied.
a: Defines the DNS A record of the current or specified domain as an authentic sending source.
include: Only a single SPF record is allowed for a domain, but with the “include” mechanism, multiple domains can be listed within that single record.
ip4: Defines the IPv4 address
ip6: Defines the IPv6 address
mx: Defines the DNS MX record for the current or specified domain as an authentic sending source.
exists: This mechanism checks the existence of an A record for a domain.
To control how a match is handled, these mechanisms may specify qualifiers including:
+ for pass,
- for fail,
~ for soft fail,
? for neutral
The defined modifiers include:
exp: The ‘exp’ modifier provides an explanation when a mechanism carrying the ‘-’ qualifier is matched.
redirect: This modifier is used when the organization has multiple domains and wants to apply the same SPF content across multiple domains.
SPF records must limit the number of mechanisms and modifiers requiring DNS lookups to 10 per SPF check. If you need more than the maximum number allowed in a single SPF record, you are required to send some of the messages from subdomains beneath your naked domain.
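The terms, qualifiers and lookup limit described above can be checked mechanically. The following is an added example, not code from KDMARC or any SPF library: it splits a record into terms and counts the terms that need a DNS lookup. It assumes the lookup-causing set from RFC 7208 (a, mx, include, exists, ptr, redirect) and counts only the record it is given; records pulled in through include add their own lookups at evaluation time.

```python
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "a", "include", "ip4", "ip6", "mx", "exists", "ptr"}
MODIFIERS = {"exp", "redirect"}
# Terms that trigger a DNS query when the record is evaluated (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"a", "include", "mx", "exists", "ptr", "redirect"}
LOOKUP_LIMIT = 10


def parse_spf(record):
    """Split one SPF TXT string into terms and report policy problems."""
    parts = record.split()
    result = {"terms": [], "lookups": 0, "problems": []}
    if not parts or parts[0].lower() != "v=spf1":
        result["problems"].append("record does not start with v=spf1")
        return result
    all_seen = False
    for raw in parts[1:]:
        mod_name, eq, mod_value = raw.partition("=")
        if eq and mod_name.lower() in MODIFIERS:
            term = {"kind": "modifier", "name": mod_name.lower(), "value": mod_value}
        else:
            # Mechanism: optional qualifier, name, then ":value" and/or "/cidr".
            qualifier = raw[0] if raw[0] in QUALIFIERS else "+"
            body = raw[1:] if raw[0] in QUALIFIERS else raw
            name = body.partition(":")[0].partition("/")[0].lower()
            term = {"kind": "mechanism", "name": name,
                    "qualifier": QUALIFIERS[qualifier],
                    "value": body[len(name):].lstrip(":")}
            if name not in MECHANISMS:
                result["problems"].append(f"unknown term: {raw}")
            elif all_seen:
                result["problems"].append(f"{raw} follows 'all' and is never evaluated")
            all_seen = all_seen or name == "all"
        result["terms"].append(term)
        if term["name"] in LOOKUP_TERMS and not all_seen:
            result["lookups"] += 1  # terms after 'all' are never reached
    if not all_seen and not any(t["name"] == "redirect" for t in result["terms"]):
        result["problems"].append("no 'all' mechanism or redirect: default result is neutral")
    if result["lookups"] > LOOKUP_LIMIT:
        result["problems"].append(
            f"{result['lookups']} lookup terms exceed the limit of {LOOKUP_LIMIT}")
    return result


# The record shown on this page.
PAGE_RECORD = "v=spf1 a mx ip4:69.64.153.131 include:_spf.google.com ~all"

if __name__ == "__main__":
    print(parse_spf(PAGE_RECORD))
```

For the record on this page the count is 3 (a, mx and include); ip4, ip6 and all cost no lookups.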
An SPF record serves as an extra security layer when implemented along with DMARC and DKIM, which reduces backscatter bounces and email error notifications. It ensures that emails are secured against any type of spoofing practice and are delivered without any trouble.
KDMARC analyses your organization’s SPF record, and its report helps the experts within your organization place the record correctly. With KDMARC, your organization can stay away from sources that are trying to forge its domain names.
KDMARC comes with the most innovative and beneficial features like: