SPF RFC Summary
This is my short summary of the SPF RFC. This can be a quick reference or a starting point for anyone interested in knowing more about the protocol. I would recommend reading the full RFC document. With that said, let’s get into the summary.
What?
A protocol to let domain owners specify hosts that can use the domain name for sending emails.
SPF Records
- SPF records are DNS TXT records which specify the list of hosts allowed to send email using this domain name.
- All SPF records should begin with `v=spf1`.
- You can only have one record for a domain; if more than one record starting with `v=spf1` is present, all such records are rejected.
Mechanisms
There are two types of mechanisms:
- Basic mechanisms: these are a part of the language and do not specify any authorisation scheme.
  - `all`
  - `include`
- Designated sender mechanisms: these are used to identify a set of IP addresses which are allowed to use the domain name for sending emails.
  - `a`
  - `mx`
  - `ptr`
  - `ip4`
  - `ip6`
  - `exists`
All mechanisms are evaluated from left to right and if there are no more mechanisms left, a default result is returned.
When a mechanism is evaluated, one of three things can happen: it can match, not match, or return an exception.
- If it matches, processing ends and the qualifier value is returned as the result of that record.
- If it does not match, processing continues with the next mechanism.
- If it returns an exception, mechanism processing ends and the exception value is returned.
Each mechanism can have a qualifier which tells the receiver what result a match produces. The possible qualifiers are:
Qualifier | Meaning |
---|---|
`+` | pass |
`-` | fail |
`~` | softfail |
`?` | neutral |
The table below explains the mechanisms in detail:
Mechanism | Description | Example Value |
---|---|---|
`all` | The `all` mechanism is a test that always matches. It is used as the rightmost mechanism in a record to provide an explicit default. Any mechanism after `all` will not be evaluated. | `v=spf1 -all` will cause all evaluations to return fail; `v=spf1 +all` will cause all evaluations to return pass |
`include` | `include` is used to cause a redirect of evaluation to some other domain. | `v=spf1 include:example.com` for any domain would trigger the evaluation of the SPF record of example.com |
`a` | This will return a match if any one of the listed IPs is the source IP of the email. It includes both IPv4 and IPv6. | `v=spf1 a:2.2.2.2` will allow mails from 2.2.2.2 |
`mx` | This will return a match if the MX lookup of the domain given in the mechanism matches the source IP of the email. | `v=spf1 mx:example.com` |
`ptr` | DO NOT USE | |
`ip4` | Used to specify an IPv4 network in CIDR notation. It will match if the source IP is a part of the network. | `v=spf1 ip4:127.0.0.1/23` |
`ip6` | Used to specify an IPv6 network in CIDR notation. It will match if the source IP is a part of the network. | `v=spf1 ip6:2404:6800:4007:815::200e/110` |
`exists` | It is used to construct domain names using parts of the email that is evaluated. Supports macros. | |
Modifiers
- Modifiers are name/value pairs that provide additional information.
- They always have an "=" separating the name and the value.
- The ordering of the two modifiers below does not matter.
- These modifiers must not appear in a record more than once each.
Modifier | Description |
---|---|
`redirect` | Used to redirect the evaluation to another domain. If the `all` mechanism is present, this will be ignored. |
`exp` | Can be used to return an error message if a fail result occurs. Supports macros. |
DNS Lookups
- 10 is the maximum number of DNS lookups that can happen when processing a record. So, make sure that the `include`, `mx` and `redirect` mechanisms don't cause more than 10 lookups.
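As an added example (not code from the RFC or from this post), the following Python walks a record the way described above: mechanisms left to right, the qualifier of the first match as the result, `include` and `redirect` followed, and a `permerror` once more than 10 lookups are needed. The zone dictionary is a constructed stand-in for DNS TXT lookups, and `a`, `mx`, `ptr` and `exists` are left unimplemented.

```python
import ipaddress

ZONE = {  # constructed stand-in for DNS: domain -> its SPF TXT record
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
    "alias.example": "v=spf1 redirect=example.com",
    "loop.example": "v=spf1 include:loop.example -all",  # never terminates
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # DNS-querying terms allowed per check (the RFC limit)

def check_host(ip, domain, zone=ZONE, lookups=None):
    """Evaluate domain's SPF record for source ip, left to right."""
    lookups = lookups if lookups is not None else [0]  # shared counter
    record = zone.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:  # modifier; only redirect= changes the outcome
            name, value = term.split("=", 1)
            redirect = value if name == "redirect" else redirect
            continue
        qual = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":  # always matches, so nothing after it runs
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:  # a mismatched IP version simply does not match
                if addr in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qual]
            except ValueError:
                return "permerror"  # malformed network is a syntax error
            continue
        if name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # lookup limit exceeded
            sub = check_host(ip, arg, zone, lookups)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("none", "permerror", "temperror"):
                return "permerror"
            continue  # fail/softfail/neutral inside include: keep going
        return "permerror"  # a/mx/ptr/exists are not implemented here
    if redirect is None:
        return "neutral"  # default result when nothing matched
    lookups[0] += 1  # redirect is ignored whenever 'all' was reached above
    return "permerror" if lookups[0] > MAX_LOOKUPS else check_host(ip, redirect, zone, lookups)
```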
Macros
Macros are supported in the `exists` and `exp` fields and allow us to refer to objects in the email.
Macro | Description |
---|---|
`s` | Sender |
`l` | Local-part of sender |
`o` | Domain of sender |
`d` | Domain |
`i` | IP |
`v` | the string in-addr if the IP is IPv4, or ip6 if the IP is IPv6 |
`h` | HELO/EHLO domain |
The macros below can be used only in the `exp` field:
Macro | Description |
---|---|
`c` | SMTP client IP (easily readable format) |
`r` | Domain name of host performing the check |
`t` | Current timestamp |
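As an added example (not from the RFC or this post), a small Python expander for the macros above, run against a constructed check context; it handles the `r` (reverse labels) and digit (keep the rightmost N labels) transformers and the `%%`, `%_`, `%-` escapes, but assumes the default `.` delimiter only.

```python
import ipaddress

# Constructed check context: the objects a macro can refer to (not a real message).
CTX = {
    "sender": "alice@example.com",   # %{s}; %{l} and %{o} are its two parts
    "domain": "example.com",         # %{d}: the domain whose record is checked
    "ip": "192.0.2.1",               # %{i}; %{v} is in-addr or ip6 derived from it
    "helo": "mail.example.net",      # %{h}
}


def macro_value(letter, ctx):
    """Return the raw string for one macro letter from the table above."""
    addr = ipaddress.ip_address(ctx["ip"])
    if letter == "s": return ctx["sender"]
    if letter == "l": return ctx["sender"].split("@")[0]
    if letter == "o": return ctx["sender"].split("@")[1]
    if letter == "d": return ctx["domain"]
    if letter == "h": return ctx["helo"]
    if letter == "v": return "in-addr" if addr.version == 4 else "ip6"
    if letter == "i":  # IPv6 is expanded as dot-separated nibbles
        return str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    raise ValueError("unknown macro %s" % letter)


def expand(spec, ctx=CTX):
    """Expand %{xNr} macros plus %%, %_ and %- in a domain-spec."""
    out, i = [], 0
    while i < len(spec):
        if spec[i] != "%":
            out.append(spec[i]); i += 1; continue
        nxt = spec[i + 1]
        if nxt in "%_-":  # literal percent, space, and URL-encoded space
            out.append({"%": "%", "_": " ", "-": "%20"}[nxt]); i += 2; continue
        end = spec.index("}", i)
        body = spec[i + 2:end]          # e.g. "ir", "d1", "l"
        letter, rest = body[0], body[1:]
        digits = "".join(ch for ch in rest if ch.isdigit())
        parts = macro_value(letter, ctx).split(".")
        if "r" in rest:                 # 'r' transformer reverses the labels
            parts.reverse()
        if digits:                      # N keeps only the rightmost N labels
            parts = parts[-int(digits):]
        out.append(".".join(parts)); i = end + 1
    return "".join(out)
```

For example, the `exists` domain-spec `%{ir}.%{v}._spf.%{d}` expands to `1.2.0.192.in-addr._spf.example.com` for the constructed context.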
Results
An evaluation can lead to one of the results below:
None
With a `none` result, the SPF verifier has no information at all about the authorisation or lack thereof of the client to use the checked identity or identities. The verification completed without errors but was not able to reach any conclusion.
Neutral
A `neutral` result indicates that although a policy for the identity was discovered, there is no definite assertion (positive or negative) about the client. It will be treated exactly the same as `none`.
Pass
A `pass` result means the client is authorised to send emails with the given domain.
Fail
A `fail` result is an explicit statement that the client is not authorised to use the domain in the given identity. Disposition of SPF fail messages is a matter of local policy.
Softfail
A `softfail` result ought to be treated as somewhere between `fail` and `neutral`/`none`.
Temperror
A `temperror` result means the SPF verifier encountered a transient (generally DNS) error while performing the check.
Permerror
A `permerror` result means the domain's published records could not be correctly interpreted.