MailUp

Implementing Email Authentication (SPF & Sender ID)

Overview

One problem with email is that messages are easy to forge, for instance by pretending to be someone that you are not. Email authentication technology helps solve this issue by allowing antispam filters to verify the identity of those that are sending the message. The receiving server will look at the sender (the FROM address) and at the domain of the envelope sender (identified by the "Return-Path" header), and will query DNS to confirm that the IP address of the sending server is among those authorized by the sender.

If the email were sent by someone not authorized by the sender, the IP address of the sending server would not match those specified by the sender, and the antispam filter could block the message or label it as SPAM. This technology, in other words, allows the receiving server to authenticate the sender.

Who uses SPF authentication

SPF - or Sender Policy Framework (see the Wikipedia article) - is being used to authenticate emails by large providers such as Charter, Comcast, Earthlink, Juno/Netzero, Gmail, RoadRunner, Verizon, and others. With the advent of a new phishing-fighting technology called DMARC, which relies on SPF and DKIM authentication, SPF becomes even more important.

SenderID (see the Wikipedia article) - which is based on SPF and CallerID technology - is used by AOL, Bellsouth, Comcast, Hotmail, and others. Different providers use different ways to authenticate emails (other ways include DKIM and DomainKeys), and some use multiple methods. Some ISPs now automatically flag a message as SPAM when the sender cannot be authenticated (e.g. no list of IP addresses has been provided for SPF authentication).

Useful links

SPF: detailed instructions and wizards are available at:
http://spf.pobox.com/wizard.html

SenderID: more information and a Wizard to configure your SPF record for SenderID: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

DKIM (DomainKeys Identified Mail): another email authentication method - based on public-key cryptography - used by Yahoo!, British Telecom, Gmail and others (Wikipedia article). All emails sent with MailUp are already automatically signed with DKIM. Upon request we can implement an optional, client-specific DKIM signature.

Why SPF authentication

Email authentication is used by more and more service providers. In Hotmail, for example, messages that cannot be verified with either SenderID or SPF are flagged with a question mark icon. Gmail is already checking the SPF records and noting whether the test passed or not in the header of the message. More and more ISPs will use email authentication as an additional way to discriminate between SPAM and valid email messages.

A sender that successfully authenticates and does not send unsolicited messages will over time develop a reputation that will ensure high deliverability for their messages even if a message were to contain "red flags" (e.g. text that could be misinterpreted as spam).

Why use SPF and SenderID

Based on the above, you can see why implementing SPF and SenderID is and will be more and more important to ensure that your messages are delivered, and delivered to the Inbox.

How much is it?

There is no charge. The changes to the DNS settings, typically performed by your hosting company or network administrator, only require a few minutes. It is unlikely that your Web hosting provider will charge you for the service. If you are hosting a domain name with us, your domains are already, automatically configured for SPF authentication and no additional changes are needed.

OK, what do I need to do?

Ask the Web hosting company, domain registrar, or network administrator that manages the sender's domain to make a change to the DNS (Domain Name System) records, as follows:

Dear ___________

We would like to configure our domain for SPF authentication. Please add the following to the TXT record of our DNS:

v=spf1 ip4:93.174.64.0/21 include:musvc.com ~all

spf2.0/pra ip4:93.174.64.0/21 include:musvc.com ~all

If a record already exists, please update it with the IP ranges listed above.

To verify that the SPF record has been correctly configured, we suggest: http://www.kitterman.com/spf/validate.html

We use MailUp as our email platform and we found this information on:
http://www.mailup.com/p/pc/senderID-spf-email-authentication-d86.htm

Thank you!

Which domains should I update?

  • Bounce Address (or "MAIL FROM" or "Envelope Sender")
    For the domain used for the envelope sender - i.e. the MAIL FROM address, which is the one that bounces are sent to and that can be located in the message header under "Return Path:" - it is crucial that you configure the SPF records. Typically the bounce address is provided by MailUp, and therefore the SPF record is already configured and there is nothing you need to do. However, in some cases customers wish to personalize the envelope sender: in that case, make sure that the SPF record has been configured for that address.
  • FROM Address
    For the domain used as the sender of the message - i.e. the FROM address - we recommend that you configure the SenderID record, which is the one that starts with "spf2.0". For example, if you send messages from "promotions@myWebSite.com", you will need to update the DNS of the domain "myWebSite.com".

Additional technical details

We recommend - although it's not as important - that you add to the SPF record other IP or SMTP addresses that you use to send messages within your organization. For example: if company XYZ uses smtp.companyXYZ.com as the SMTP address to send their email, the record a:smtp.companyXYZ.com would be added to the SPF record. For more details, please see: http://spf.pobox.com/

There are different ways to accomplish this:

  1. Including the domain or IP of the provider before "~all" (replace DOMAIN_NAME with the domain name or IP):

    v=spf1 ip4:81.88.228.224/27 ip4:81.88.237.160/28 ip4:81.88.234.16/28 ip4:93.174.64.0/21 a mx include:DOMAIN_NAME ~all

    Make sure that the provider has published their SPF record. Otherwise including the domain name in your SPF record becomes counterproductive. See the links at the bottom of this message for ways to find out a domain's SPF record.

  2. Use the MX tag, which means "all the mx servers for this domain":

    v=spf1 ip4:81.88.228.224/27 ip4:81.88.237.160/28 ip4:81.88.234.16/28 ip4:93.174.64.0/21 a mx mx:DOMAIN_NAME.tld ~all

    Do this only after verifying that the provider uses the same servers that receive email messages: the MX - or mail exchange - servers are definitely the servers that receive mail for a certain domain, but not necessarily the ones that are used for sending messages.

  3. Use the least restrictive SPF record (?all):

    v=spf1 ip4:81.88.228.224/27 ip4:81.88.237.160/28 ip4:81.88.234.16/28 ip4:93.174.64.0/21 a mx ?all

We typically recommend using the " ~all" configuration, which means that if an IP/host is not included in the ones specified, the server should further analyze the message (antispam filtering) before delivering the message. If you are positive that you are including all the IP addresses/hosts that you are sending email through, then you could use the more restrictive "-all" configuration, which means that the ones listed are the only IP addresses/hosts authorized to send your messages.

Legend:

Syntax   Type        Meaning
-all     Fail        Fail all servers not listed here (recommended option)
~all     Soft fail   Give extra scrutiny to servers not listed here
?all     Neutral     Unsure whether e-mail infrastructure is secure
+all     Pass        There's no infrastructure security at all
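
A way to review a record before asking for it to be published, as an added example (not MailUp's code): it reports the policy set by the "all" term, flags repeated mechanisms and terms placed after "all", and counts the terms that cost the receiver a DNS query (SPF allows at most 10 per check, nested includes counted too). The function name lint_spf and the sample record are constructed for illustration.

```python
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
POLICY = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def lint_spf(record):
    """Return (policy, findings) for one SPF TXT record string."""
    terms = record.split()
    findings = []
    if not terms or terms[0].lower() != "v=spf1":
        return None, ["record does not start with v=spf1"]
    seen, lookups, policy = set(), 0, None
    for pos, term in enumerate(terms[1:], start=1):
        qual = term[0] if term[0] in POLICY else "+"   # no qualifier means "+"
        body = term.lstrip("+-~?").lower()
        name = body.replace("=", ":").split(":")[0].split("/")[0]
        if body in seen:
            findings.append(f"duplicate mechanism '{body}'")
        seen.add(body)
        if name in LOOKUP_TERMS:
            lookups += 1               # top-level count only; includes add more
        if name == "all":
            policy = POLICY[qual]
            if pos < len(terms) - 1:
                findings.append("terms after 'all' are never evaluated")
            break
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms; receivers stop at 10")
    has_redirect = any(b.startswith("redirect=") for b in seen)
    if policy is None and not has_redirect:
        findings.append("no 'all' term: unmatched senders get neutral")
    elif policy == "pass":
        findings.append("'+all' authorizes every host on the Internet")
    elif policy == "neutral":
        findings.append("'?all' gives receivers no basis to reject forgeries")
    return policy, findings


if __name__ == "__main__":
    # Constructed input: option 2's shape with "a mx" repeated by mistake.
    print(lint_spf("v=spf1 ip4:93.174.64.0/21 a mx a mx mx:DOMAIN_NAME.tld ~all"))
```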

An example

When john@companyXYZ.com sends a series of messages to Gmail users with MailUp, Gmail will query the DNS records for companyXYZ.com, and will find that the IP addresses used by MailUp are indeed authorized to send messages on behalf of companyXYZ.com.
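
The receiver's side of this lookup, as an added example (not MailUp's or Gmail's code): a small evaluator for the ip4, include and all mechanisms, run against an in-memory zone instead of live DNS. The companyXYZ.com record is the one from the letter above; the musvc.com record is a constructed placeholder on a documentation address range, and the name check_host follows the SPF specification's terminology.

```python
import ipaddress

# Constructed in-memory "DNS" so the example runs offline. The musvc.com
# entry is a placeholder on the 192.0.2.0/24 documentation range, not the
# record that domain really publishes.
ZONE = {
    "companyxyz.com": "v=spf1 ip4:93.174.64.0/21 include:musvc.com ~all",
    "musvc.com": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Evaluate ip4, include and all mechanisms; return an SPF result string."""
    record = zone.get(domain.lower())
    if record is None:
        return "none"                      # domain publishes no SPF record
    if depth > 10:
        return "permerror"                 # guards against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(ip, arg, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"         # a broken include breaks the record
            matched = inner == "pass"      # the included "-all" is not inherited
        else:
            continue                       # a, mx, etc. need live DNS; not modelled
        if matched:
            return QUALIFIER[qual]
    return "neutral"                       # nothing matched and no "all" term
```

An include whose target publishes no record yields permerror for the whole check, which is why the page advises verifying a provider's SPF record before including it.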

Questions?

If you need more information or are unsure about how to alter your DNS records to include SPF authentication, please open a support ticket.

How can I check my SPF records?

There are several free services that allow you to obtain the SPF records from the DNS of a given domain. This allows you to both verify that your own SPF record has been properly configured, and also to find out if the provider (e.g. SMTP server) that you may decide to list in your SPF record has published their SPF record or not (if not, do not include them in your SPF):

To check from the DOS prompt:

  1. In Windows, click on the START menu, enter CMD in the input field, and press ENTER
  2. When the Command Prompt launches, enter
    1. nslookup
    2. set type=all
    3. domain_name.com