By: Chris Lewis
I lightly addressed this issue last month, but many asked for a better description of the SPF authentication method, so here it is. Setting up a new SMTP server is pretty easy, especially if you are using an IIS SMTP server. Many have set up SMTP servers on web servers just so that when someone fills out a web form, the information is emailed to them. What can happen, though, is that even though the email is sent to your SMTP server, it never makes it to your inbox. The emails seem simple enough and could not even come close to SPAM, so what is the problem? The problem is usually that YOUR email provider (the receiving system), like Gmail, is dumping those emails because it could not authenticate the domain part of the email address. If you don't have an SPF record set up for your domain in DNS, it is possible that 90% of your emails will never make it to recipients, and you will never know it because it is not considered a bounce!
Here is what is happening:
- You send an email with your email client, mass mailer, or website form to your sparkling new SMTP server
- Your SMTP server happily sends the email off to the destination SMTP server
- The destination SMTP server sees your email is coming from firstname.lastname@example.org and, before accepting the email, asks the DNS system for the SPF record for the yourdomain.com domain
- If the SPF record does not exist on your DNS, the destination SMTP server is going to consider your SMTP server as not authorized to send on behalf of yourdomain.com and will reject the email
- If the SPF record is found for yourdomain.com, the IP address in the SPF record is compared to that of your SMTP server that is attempting to deliver the email. If they match, the email is accepted. If not, the email is rejected.
So, if you are setting up an SMTP server to send one email a day or 1 million, you need to have an SPF record in your DNS server for the domain you are sending from.
SPF is just one of the ways email messages are authenticated as coming from legitimate senders for the domain. The advantages the SPF method has over other authentication methods are that the SPF record is easy to enter into the DNS, the email message is not modified as in the DKIM method, and it is basically a perfect way to stop SPAM. The disadvantage of this method is that every email address domain you have needs to have an SPF record, so if you are sending emails on behalf of others, there is a lot to manage.
SPF, DKIM, and other email authentication methods are often used in combination with one another. Most of the time these methods are used in SPAM scoring, and though an email's successful delivery is not absolutely based on the presence of these SPF records, it adds a TON of good SPAM scoring points to the equation. Below is a simple example of an SPF record entry in a DNS system. This can be added in the TXT section of the DNS record.
For HOST: normally use the @ sign which means use the domain name for the DNS entry.
For TXT: v=spf1 a ip4:XXX.XXX.XXX.XXX ip4:XXX.XXX.XXX.XXX include:yourdomain.com ~all
Change the XXX IP addresses to the IP addresses your SMTP server is using to send.
Obviously this SPF record could have a lot of different variations on formatting, but this will give you an example of a simple format and shows you just how easy it is to set this record up. I hope this helps your deliverability!
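The receiving server's check from the steps above, as an added Python example (not code from the original article) that evaluates a record of this shape left to right against the connecting IP. The `ZONE` table stands in for DNS; `mailer.example`, `loop.example`, `norecord.example` and the documentation-range addresses are constructed assumptions, and only the `a`, `ip4`, `ip6`, `include` and `all` mechanisms are modelled.

```python
import ipaddress

# Constructed stand-in for DNS so this runs offline; names and IPs are assumptions.
ZONE = {
    "yourdomain.com": {
        "TXT": "v=spf1 a ip4:192.0.2.10 ip4:198.51.100.0/24 include:mailer.example ~all",
        "A": ["192.0.2.5"],
    },
    "mailer.example": {"TXT": "v=spf1 ip4:203.0.113.7 -all", "A": []},
    # A record that includes its own domain, to show the resulting loop.
    "loop.example": {"TXT": "v=spf1 ip4:192.0.2.10 include:loop.example ~all", "A": []},
    "norecord.example": {"A": ["192.0.2.99"]},
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # simplified form of the RFC 7208 limit of 10 DNS lookups

def check_spf(domain, sender_ip, zone=ZONE, depth=0):
    """Evaluate sender_ip against domain's SPF record, left to right."""
    record = zone.get(domain, {}).get("TXT", "")
    if record.split()[:1] != ["v=spf1"]:
        return "none"  # no SPF record published for this domain
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"  # include chain too deep, e.g. a self-include
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = sender_ip in zone.get(arg or domain, {}).get("A", [])
        elif name == "include":
            inner = check_spf(arg, sender_ip, zone, depth + 1)
            if inner == "permerror":
                return inner
            matched = inner == "pass"
        else:
            continue  # mx, exists, redirect etc. are not modelled here
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no "all" present

if __name__ == "__main__":
    for dom, addr in [("yourdomain.com", "192.0.2.10"), ("yourdomain.com", "203.0.113.200"),
                      ("loop.example", "203.0.113.200"), ("norecord.example", "192.0.2.99")]:
        print(dom, addr, check_spf(dom, addr))
```

An `include:` that names the record's own domain, as in `loop.example`, never terminates and is reported as `permerror`, so the `include:` target should be the other domain whose senders you want to authorize.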