Implementing Email Authentication with SPF
One problem with email is that it is easy to forge: a message can pretend, for instance, to come from someone it does not. Email authentication technology helps solve this issue by allowing antispam filters to verify the identity of the party sending the message. The receiving server looks at the sender (the FROM address) and at the domain of the envelope sender (identified by the RETURN PATH header and also referred to as “Mail From / 5321.From”), and contacts the DNS server to confirm that the sending server’s IP address is among those authorized by that domain. If the email were sent by someone not authorized by the domain owner, the IP address of the sending server would not match those published for the domain, and the antispam filter could block the message or label it as SPAM. This technology, in other words, allows the receiving server to authenticate the sender.
Who uses SPF authentication
SPF – or Sender Policy Framework (see the Wikipedia article) – is used to authenticate emails by almost all consumer providers and is widely enforced by B2B providers. With the advent of a new phishing-fighting technology called DMARC, which relies on SPF and DKIM authentication, SPF becomes even more important.
Why SPF authentication
Email authentication is used by more and more service providers. Some ISPs now automatically flag a message as SPAM or show a warning icon when the sender cannot be authenticated (e.g. no list of authorized IP addresses has been published for SPF authentication).
More and more ISPs will use email authentication as an additional way to discriminate between SPAM and valid email messages. A sender that successfully authenticates and does not send unsolicited messages will over time develop a reputation that will ensure high deliverability for their messages even if a message were to contain “red flags” (e.g. text that could be misinterpreted as spam).
How much is it?
There is no charge. The changes to the DNS settings, typically performed by your hosting company or network administrator, only require a few minutes. It is unlikely that your Web hosting provider will charge you for the service. If you are hosting a domain name with us, your domains are already, automatically configured for SPF authentication and no additional changes are needed.
OK, what do I need to do?
Ask the Web hosting company, domain registrar, or network administrator that manages the sender’s domain to make a change to the DNS (Domain Name System) records.
If you already have an SPF record set for your domain (i.e. yourdomain.com), you must add include:musvc.com to the TXT record that begins with v=spf1, placing it before the all mechanism.
It should look like this:
v=spf1 a mx include:_spf.google.com include:spf.protection.outlook.com include:musvc.com ~all
If you don’t have an SPF record, then you must create a TXT record with the following value:
v=spf1 include:musvc.com ~all
Do not create more than one SPF record (a record that begins with v=spf1) for your domain. If you need more than one SPF record, you should merge all the records into a single one.
Please also note that you cannot have more than 10 DNS lookups in your SPF record. To prevent this and other common mistakes you can refer to this page: SPF: FAQ/Common mistakes
To verify that the SPF record has been correctly configured, a number of third-party SPF checking tools are available.
For more information on SPF best practices and syntax, check out www.openspf.org
Which domains should I update?
Bounce Address (“MAIL FROM”, “Envelope Sender” or “RFC 5321.From”): for the domain used as the envelope sender – i.e. the MAIL FROM address, which is the one that bounces are sent to and that can be found in the message header under “Return-Path:” – it is crucial that you configure the SPF record. Typically the bounce address is provided by MailUp, and therefore the SPF record is already configured and there is nothing you need to do. However, in some cases customers wish to personalize the envelope sender: in that case, make sure that the SPF record has been configured for that address’s domain.
FROM Address: the domain used as the visible sender of the message – i.e. the FROM address. Even though the technical specification refers only to the Bounce Address, we recommend setting up SPF for the FROM Address domain as well, because some ISPs may check it too.
Additional technical details
We recommend that you add to the SPF record the other IP addresses or SMTP hosts that you use to send messages within your organization. For example: if company XYZ uses smtp.companyXYZ.com as the SMTP host to send their email, the mechanism a:smtp.companyXYZ.com would be added to the SPF record. For more details, please see: http://spf.pobox.com/
There are different ways to accomplish this:
- Include the domain or IP of the provider before “~all” (replace DOMAIN_NAME with the domain name or IP): “v=spf1 include:musvc.com a mx include:DOMAIN_NAME ~all”. Make sure that the provider has published their own SPF record; otherwise including the domain name in your SPF record becomes counterproductive. See the links at the bottom of this message for ways to find out a domain’s SPF record.
- Use the MX tag, which means “all the mx servers for this domain”: “v=spf1 include:musvc.com a mx mx:DOMAIN_NAME.tld ~all” Do this only after verifying that the provider uses the same servers that receive email messages: the MX – or mail exchange – servers are definitely the servers that receive mail for a certain domain, but not necessarily the ones that are used for sending messages.
- Use the least restrictive SPF record (?all): “v=spf1 include:musvc.com a mx ?all”
We typically recommend using the “~all” configuration, which means that if an IP/host is not included in the ones specified, the server should further analyze the message (antispam filtering) before delivering the message. If you are positive that you are including all the IP addresses/hosts that you are sending email through, then you could use the more restrictive “-all” configuration, which means that the ones listed are the only IP addresses/hosts authorized to send your messages.
The qualifier on the all mechanism tells the receiver how to treat servers that are not listed in the record:
Qualifier || Meaning
-all || Fail all servers not listed here (recommended option)
~all || Give extra scrutiny to servers not listed here
?all || Unsure whether e-mail infrastructure is secure
+all || There’s no infrastructure security at all
For example: when company XYZ sends a series of messages to Gmail users with MailUp, Gmail will query the DNS records for companyXYZ.com, and will find that the IP addresses used by MailUp are indeed authorized to send messages on behalf of companyXYZ.com.
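The check described above (the receiver fetching the domain’s SPF record and testing the sending IP against each mechanism, the single-record rule, the 10-lookup limit and the all qualifiers) as an added Python example; this is not MailUp’s code, the DNS data is a constructed in-memory table, and companyxyz.com, the mail host and the IP addresses are example values (musvc.com’s real record is not reproduced here):

```python
import ipaddress
# Constructed in-memory DNS data for this example (not real zone data).
DNS = {
    "companyxyz.com": {"TXT": ["v=spf1 a mx include:musvc.com ~all"],
                       "A": ["203.0.113.10"], "MX": ["mail.companyxyz.com"]},
    "mail.companyxyz.com": {"A": ["203.0.113.25"]},
    "musvc.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "twice.example": {"TXT": ["v=spf1 -all", "v=spf1 ~all"]},  # two records: permerror
    "deep.example": {"TXT": ["v=spf1 " + "include:musvc.com " * 11 + "-all"]},  # >10 lookups
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHS = ("a", "mx", "include", "ptr", "exists")  # these count toward the limit
MAX_LOOKUPS = 10
def spf_record(domain):
    """Return the domain's single v=spf1 TXT record (None if absent); two is a permerror."""
    recs = [t for t in DNS.get(domain, {}).get("TXT", []) if t.lower().startswith("v=spf1")]
    if len(recs) > 1:
        raise ValueError("permerror: multiple SPF records for " + domain)
    return recs[0] if recs else None
def _check(ip, domain, lookups):
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"  # default qualifier is '+' (pass)
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name in LOOKUP_MECHS:
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                raise ValueError("permerror: more than 10 DNS lookups")
        matched = False  # modifiers (redirect=, exp=) and CIDR suffixes on a/mx are ignored
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in DNS.get(arg or domain, {}).get("A", [])
        elif name == "mx":
            matched = any(str(ip) in DNS.get(h, {}).get("A", [])
                          for h in DNS.get(arg or domain, {}).get("MX", []))
        elif name == "include":  # only a "pass" from the included domain matches
            matched = _check(ip, arg, lookups) == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record has no 'all' term
def check_host(ip, domain):  # SPF result for sending IP `ip` and MAIL FROM domain `domain`
    try:
        return _check(ipaddress.ip_address(ip), domain, [0])
    except ValueError:  # bad syntax, multiple records or too many lookups
        return "permerror"
```

Run check_host against the Return-Path domain (and, as the text suggests, the FROM domain) of a received message; a "permerror" on your own domain means receivers will not be able to use the record at all.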
If you need more information or are unsure about how to alter your DNS records to include SPF authentication, please open a support ticket.