What is SPF?

SPF is short for Sender Policy Framework and is an internet standard that ensures that email is in fact sent from authorized mail servers. SPF is also known as an SPF policy or an SPF record. SPF is a special TXT resource record (RR) for the domain in DNS. The TXT RR contains a list of the mail servers that are authorized to send email on behalf of the domain. You can configure an SPF policy record in BIND DNS.

How does SPF work?

The sender prepares an email and sends it. Such an email has a From header field that contains the name and email address of the sender. When the email arrives at the mail server of the recipient, the mail server looks up the sender's domain in public DNS and gets the SPF TXT record for that domain. The mail server then checks whether the email was in fact sent via an authorized mail server. If not, the email is rejected and will not be delivered to the recipient.

Example of a CEO scam email that is being constructed with false sender header fields in an Alpine mail client. An SPF policy record in BIND DNS can prevent this kind of domain abuse.

What is the difference between SPF and DKIM?

SPF is configured in the DNS server. DKIM is installed on the mail server. SPF ensures that the email was sent by an authorized mail server, and not from a spam server or another unauthorized mail server. DKIM ensures that the email message is authentic: the sender information and the message have not been forged or modified during transmission.

How to construct an SPF record.

The SPF record contains the version of SPF that is used for the SPF policy, followed by a chain of SPF check mechanisms, such as mx, a, ip4, include and all. The last mechanism is typically prefixed with a qualifier that rejects all email that did not pass the other mechanisms in the chain.

Mechanism         Meaning
mx                The email passes if it was sent via a mail server that is registered in the MX records of the email domain.
a                 The email passes if it was sent via a mail server that is registered in the A records of the email domain.
ip4:<ip>          The email passes if it was sent via a mail server that has the given IP address or an IP address within the given IP range. There is also an ip6 version of this SPF check mechanism.
include:<domain>  The SPF policy of the given domain is included in the chain of SPF mechanisms.
-all              The email is rejected if it was sent via a mail server that did not pass the other SPF mechanisms in the chain.
Table of SPF check mechanisms.

The first part is the version of SPF that is used for the SPF policy. The second part is one or more authorization mechanisms that specify which incoming mail servers, outgoing mail servers, newsletter mail services or other mail servers will be sending email. The third part is a qualifier that tells the mail server of the recipient how to handle the result of the SPF policy check.

Examples of SPF records.

If the domain will be used for sending email via the mail servers for incoming email, then the MX mechanism can be used. If the SPF policy check fails, the email should be rejected.

v=spf1 mx -all

If the domain will be used for sending email via the mail servers for incoming email and a specific mail server for outgoing mail, then the MX and IP4 mechanisms can be used. The IP4 mechanism must be given as an IP address or an IP address range. If the SPF policy check fails, the email should be rejected.

v=spf1 mx ip4:13.37.13.37 -all

If the domain will be used for sending email via the mail servers for incoming email and an external mailer service, then the MX and INCLUDE mechanisms can be used. The INCLUDE mechanism includes the SPF record, also known as the SPF policy, of the specified domain. If the SPF policy check fails, the email should be rejected. In this example, the SPF policy for the Brevo newsletter mailer service is included.

v=spf1 mx include:spf.brevo.com -all
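The following evaluator is an added example, not code from the original page: it parses records like the three above and applies the mx, a, ip4/ip6, include and all mechanisms with their qualifiers the way a receiving mail server does. DNS is replaced by a constructed in-memory table built from this page's zone data; the spf.brevo.com record in that table is an assumption, not Brevo's real policy.

```python
import ipaddress

# Constructed, offline stand-in for DNS. foobar.com mirrors the zone data on
# this page; the spf.brevo.com record is an assumption, not Brevo's real policy.
FAKE_DNS = {
    ("foobar.com", "TXT"): ["v=spf1 mx ip4:13.37.13.37 include:spf.brevo.com -all"],
    ("foobar.com", "MX"): ["mail1.foobar.com", "mail2.foobar.com"],
    ("foobar.com", "A"): ["13.37.13.37"],
    ("mail1.foobar.com", "A"): ["13.37.13.38"],
    ("mail2.foobar.com", "A"): ["13.37.13.39"],
    ("spf.brevo.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Replace with a real resolver (e.g. dnspython) outside this demo."""
    return FAKE_DNS.get((name.lower(), rtype), [])

def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF policy for a connecting mail server IP.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:            # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if not records:
        return "none"         # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"    # several SPF records is a configuration error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(ip) in lookup(h, "A") for h in lookup(arg or domain, "MX"))
        elif name == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"   # unknown mechanism (e.g. a typo in the record)
        if matched:
            return RESULTS[qualifier]
    return "neutral"             # no mechanism matched and no "all" given
```

Mail from mail1 (13.37.13.38) passes via mx, 13.37.13.37 via ip4, a Brevo address via include, and any other address hits -all and fails.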

How to add SPF record to zone in BIND DNS on FreeBSD.

When the SPF policy has been prepared, you can add it to the email domain by adding it to the zone file in BIND DNS. In this example, the SPF record uses an SPF policy that authorizes the mail servers that have an MX record in DNS for the domain, and rejects all other mail servers.

# nano /usr/local/etc/namedb/master/foobar.com
$TTL                                            13M
$ORIGIN                                         foobar.com.
@                       IN      SOA             dns.foobar.com. hostmaster.foobar.com. (
                                                13371337
                                                8H
                                                2H
                                                4W
                                                1D )
@                       IN      NS              dns1.foobar.com.
@                       IN      NS              dns2.foobar.com.
@                       IN      MX      10      mail1.foobar.com.
@                       IN      MX      20      mail2.foobar.com.
@                       IN      TXT             "v=spf1 mx -all"
@                       IN      A               13.37.13.37
dns1                    IN      A               13.13.13.13
dns2                    IN      A               37.37.37.37
mail1                   IN      A               13.37.13.38
mail2                   IN      A               13.37.13.39
www                     IN      A               13.37.13.40
# service named restart

Confirm that the new SPF record is served from the local DNS.

# drill foobar.com @localhost txt

How to see SPF record for domain on FreeBSD.

If you would like to see the SPF record for a specific domain, you can use a DNS lookup utility, such as drill, the default DNS utility in FreeBSD. drill can be used to get information about a domain from DNS.

In this example, drill is used to query DNS for TXT records for foobar.com.

% drill foobar.com txt
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 44757
;; flags: qr aa rd ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; foobar.com.  IN      TXT
;; ANSWER SECTION:
foobar.com.     60      IN      TXT     "v=spf1 mx -all"
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 31 msec
;; SERVER: 13.37.13.37
;; WHEN: Fri Feb  9 17:25:13 2024
;; MSG SIZE  rcvd: 55

The TXT record contains an SPF record. This particular SPF record means that only the mail servers registered in the MX records in DNS are authorized to send email on behalf of this domain. Email that is not sent via those servers must be rejected.

v=spf1 mx -all

If we want to, we can also use drill to see the authorized mail servers in those MX records.

% drill foobar.com mx

How to test SPF policy record with free online tool.

MX Toolbox has an excellent SPF Check & SPF Lookup tool that can look up an SPF record from DNS, validate the mechanisms and test it against a given mail server.

More about SPF.