Sender Policy Framework (SPF) is a security measure used against email spoofing. It also helps legitimate mail reach its recipients instead of being classified as spam. Email spoofing is an attack in which the attacker sends forged messages whose sender address belongs to a domain they do not control.
An SPF record is a TXT record containing a list of the hosts and IP addresses that are authorized to send email on behalf of a specific domain. A receiving mail server looks up the record for the domain in the envelope sender (MAIL FROM) address and checks whether the connecting IP address is on that list. Defining an SPF record is important: if none is published, receivers such as Gmail cannot tell authorized senders from forgers, and mail from the domain is far more likely to be classified as spam or rejected.
Steps to Define a SPF Record
⦁ Identify the email servers you will use to send email to your audience. They could be any of the following:
⦁ A web server that sends mail itself (for example, an application's mail function or a local mail daemon)
⦁ Third-party email services such as Mailgun, Zoho, G Suite, …
⦁ Compile a list of the domains that are going to be used for sending email. If you are an organization with many domains, you probably use only some of them (the active domains) for sending email, and not the rest. It is important to define an SPF record for all of your domains, even the ones that never send email: attackers look for exactly those domains, because they assume nobody has published a policy for them. For a domain that sends no mail, publish a record that authorizes no sender at all (v=spf1 -all).
Defining a SPF Record
An SPF record is defined as a single text string, like:
v=spf1 ip4:x.x.x.x include:_spf.example.com ~all
It always starts with v=spf1. v stands for version; so far the only published version of SPF is version 1, so this prefix never changes. The rest of the record is a list of mechanisms separated by spaces, each optionally prefixed with one of the qualifier characters below. The receiver evaluates the mechanisms from left to right and stops at the first one that matches the sending IP address; the qualifier of that mechanism is the result. When no qualifier is written, + is assumed.
⦁ +: PASS. The addresses matched by the mechanism are allowed to send email. This is the default qualifier and is assumed when none is written (mechanisms themselves are separated by spaces, not by +).
⦁ -: FAIL. The addresses matched by the mechanism are not authorized to send email, and the receiver may reject the message outright.
⦁ ~: SOFTFAIL. Matched addresses are not authorized, but the receiver will usually accept the message and mark it as suspicious rather than reject it.
⦁ ?: NEUTRAL. The domain makes no statement about the matched addresses; receivers treat the message as if no SPF record existed, which in practice usually means it is accepted.
The mechanisms that can be used to define a SPF record are:
⦁ ip4: specifies an IPv4 address, or a CIDR network such as ip4:x.x.x.x/24, that is authorized to send email. If your email servers use IPv6, use ip6 instead.
⦁ include: references the SPF record of another domain, typically a mail provider you do not control but that sends on your behalf, for example include:_spf.google.com. The mechanism matches only if the included record returns PASS for the sending IP; a FAIL or SOFTFAIL inside the included record is not a match, so evaluation of your own record continues.
⦁ all: matches every address and host. It is usually placed at the end of the record to define the default result for all IP addresses that did not match a previous mechanism; anything written after it is never evaluated.
⦁ +all: any server in the world may use your domain to send email. This makes the record useless and should never be published.
⦁ -all: when used at the end of a record that includes other mechanisms, no IP or host other than the ones listed is authorized to send email. If a record consists of -all alone, no server at all is authorized to send email for the domain.
⦁ ~all: email sent by servers other than the ones listed by the previous mechanisms is accepted but tagged as suspicious (SOFTFAIL).
⦁ a: matches the addresses in the A (and AAAA) records of the domain itself, or of a domain given as an argument (a:mail.example.com).
⦁ mx: matches the addresses of the mail exchangers listed in the domain's MX records.
⦁ ptr: matches hosts whose reverse (PTR) name, after forward confirmation, falls under the domain. This mechanism is deprecated: it is slow and unreliable and some receivers ignore it, so use ip4/ip6, a or mx instead.
⦁ exists: performs an A lookup of the given domain name and matches if any record exists, regardless of the address returned. It is mostly used together with SPF macros to express rules the other mechanisms cannot.
Modifiers are name=value pairs. Each modifier may appear at most once in a record, and they are normally placed at the end of the SPF definition.
⦁ redirect: hands evaluation over to the SPF record of another domain (redirect=example.com); that record's result, including its all mechanism, becomes the result for your domain. It is useful for applying the same SPF record to several domains. Because the whole evaluation is delegated, and because an all mechanism in your own record takes precedence over the redirect, use it only for domains whose records you control as well; for a third-party provider use the include mechanism instead.
⦁ exp: names a domain (exp=explain.example.com) whose TXT record holds an explanation that the receiver can quote in its rejection message when the result is FAIL. The explanation is meant for the sender of the rejected message; it does not change the result.
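To make the evaluation rules above concrete (default + qualifier, first match wins, include matching only on PASS, redirect applying only when nothing else matched), here is a small SPF evaluator in Python. It is an added example, not code from the original page or from ArvanCloud, and it is deliberately minimal: it handles the four qualifiers, the ip4, ip6, a, mx, include and all mechanisms and the redirect modifier, but not ptr, exists, macros or the /prefix form of a and mx. Instead of querying DNS it reads a constructed in-memory table; the domains example.com, mail.example.com, _spf.mailer.test, alias.example and nomail.example and all addresses in it are invented for the example.

```python
import ipaddress

# Constructed DNS snapshot for the example (these domains and addresses are invented;
# a real evaluator would query DNS instead).  name -> record type -> values
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 a mx include:_spf.mailer.test -all"],
        "A": ["198.51.100.10"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.mailer.test": {"TXT": ["v=spf1 ip6:2001:db8:10::/48 ~all"]},
    "alias.example": {"TXT": ["v=spf1 redirect=example.com"]},
    "nomail.example": {"TXT": ["v=spf1 -all"]},   # a domain that never sends mail
}

# qualifier character -> SPF result produced when its mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """The domain's single SPF TXT record, or None if it has none (or several)."""
    records = [t for t in lookup(domain, "TXT") if t == "v=spf1" or t.startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def host_addresses(name, version):
    """A (IPv4) or AAAA (IPv6) addresses of a host name."""
    return [ipaddress.ip_address(a) for a in lookup(name, "A" if version == 4 else "AAAA")]


def check_host(ip_text, domain, depth=0):
    """Evaluate SPF for a sending IP and a MAIL FROM domain.

    Returns pass, fail, softfail, neutral, none or permerror, as a receiver would.
    """
    ip = ipaddress.ip_address(ip_text)
    if depth > 10:                      # guard against include/redirect loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        name, is_modifier, value = term.partition("=")
        if is_modifier and ":" not in name:
            if name == "redirect":      # only honoured if no mechanism matches
                redirect = value
            continue                    # exp and unknown modifiers never change the result
        qualifier = "+"                 # + is assumed when no qualifier is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain          # a/mx default to the domain being checked
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            matched = network.version == ip.version and ip in network
        elif mech == "a":
            matched = ip in host_addresses(target, ip.version)
        elif mech == "mx":
            matched = any(ip in host_addresses(mx, ip.version) for mx in lookup(target, "MX"))
        elif mech == "include":
            # include matches only when the included record returns pass; its
            # fail/softfail/neutral are not matches, so evaluation continues here
            sub = check_host(ip_text, arg, depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"          # ptr, exists and macros are not implemented here
        if matched:
            return QUALIFIERS[qualifier]  # first match wins; later terms are ignored
    if redirect:
        return check_host(ip_text, redirect, depth + 1)
    return "neutral"                    # no term matched and no redirect


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "example.com"), ("198.51.100.25", "example.com"),
                       ("2001:db8:10::5", "example.com"), ("192.0.2.1", "example.com"),
                       ("192.0.2.1", "alias.example"), ("192.0.2.1", "nomail.example"),
                       ("192.0.2.1", "unknown.example")]:
        print(f"{ip:16} {domain:16} -> {check_host(ip, domain)}")
```

Running it shows the points made in the list above: 198.51.100.25 passes through mx even though it is not in the ip4 range; the IPv6 sender passes only because the included record returns pass; 192.0.2.1 gets softfail inside the included record but that is not a match, so the outer -all turns it into fail; alias.example inherits that fail through redirect; and a domain with no record at all yields none, which is why unused domains should publish v=spf1 -all.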
SPF Settings in the User Panel of ArvanCloud
In order to set an SPF record for your domain:
⦁ Go to ArvanCloud User Panel -> CDN -> DNS
⦁ In the DNS Settings panel, set the record type to TXT and the title to @ (this refers to the domain itself).
⦁ Click the value text box and type the SPF record line.
⦁ Finally, set the TTL to an appropriate value and click the plus icon to save the record.
Case 1: Sending emails from authorized IP addresses
If you want only the web server that has the email service activated to be authorized to send email (assume the web server's IP address is 192.168.243.1; in a real record this must be the server's public address, because 192.168.0.0/16 is a private range that receiving servers never see as the source of a connection), set the title to @ and the value to something like this:
v=spf1 ip4:192.168.243.1 +a +mx ~all
The +a and +mx mechanisms are optional here: they additionally authorize the addresses in the domain's A record and its MX hosts. If only the listed IP address should send, leave them out and use v=spf1 ip4:192.168.243.1 ~all. Once you have confirmed that all legitimate mail passes, tighten ~all to -all so that forged mail is rejected rather than merely flagged.
Case 2: Sending emails from Mailgun
After setting up your email service at Mailgun, the service will provide you with the value of your SPF record.
Use this value in your DNS Settings. Refer to the Mailgun documentation for more information.
Case 3: Sending emails from G Suite
Based on Google's documentation, the SPF record value should be:
v=spf1 include:_spf.google.com ~all
If you also send email from servers other than Google's, you can set the record in either of the following formats (172.16.254.1 is again a private address standing in for your server's real public IP):
v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all
v=spf1 include:serverdomain.com include:_spf.google.com ~all
Again, refer to the G Suite documentation for more information.
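Before publishing any of the records above, it is worth checking them for the mistakes this page warns about: a private address listed as a sender, a ptr mechanism, a duplicated modifier, a redirect that an all mechanism silently overrides, or a record with no all at all. The Python linter below is an added example, not part of the page or of ArvanCloud's or Google's tooling, and it adds two limits from RFC 7208 that receivers enforce: a record may cause at most ten DNS lookups (a, mx, include, exists, ptr and redirect each count as one), and nothing after all is ever evaluated. The records it is run on are constructed for the example; it only inspects the text and performs no DNS queries.

```python
import ipaddress

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per record
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
MAX_LOOKUPS = 10

# RFC 1918 and IPv6 ULA ranges: mail from these never reaches a public
# receiver with that source address, so listing them authorizes nothing
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internal(net):
    return any(r.version == net.version and net.network_address in r for r in INTERNAL_RANGES)


def lint_spf(record):
    """Return a list of problems found in an SPF record string; empty means it looks publishable."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups = 0
    all_at = None
    seen_modifiers = set()
    for i, term in enumerate(terms[1:], start=1):
        name, is_modifier, value = term.partition("=")
        if is_modifier and ":" not in name:
            # modifier (name=value): each may appear at most once
            if name in seen_modifiers:
                problems.append(f"term {i}: duplicate modifier {name}")
            seen_modifiers.add(name)
            if name in LOOKUP_TERMS:
                lookups += 1
            continue
        body = term.lstrip("+-~?")                  # strip the qualifier, if any
        mech, _, arg = body.partition(":")
        mech = mech.split("/")[0].lower()           # a/24, mx/24 -> a, mx
        if mech in LOOKUP_TERMS:
            lookups += 1
        if mech == "ptr":
            problems.append(f"term {i}: ptr is deprecated; use ip4/ip6, a or mx instead")
        elif mech == "all":
            all_at = i
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"term {i}: {arg!r} is not a valid {mech} address or network")
                continue
            if (mech == "ip4") != (net.version == 4):
                problems.append(f"term {i}: {arg} does not match the {mech} mechanism")
            elif is_internal(net):
                problems.append(f"term {i}: {arg} is a private address; list the server's public IP")
        elif mech not in ("a", "mx", "include", "exists"):
            problems.append(f"term {i}: unknown mechanism {mech!r}")
    if all_at is not None and all_at != len(terms) - 1:
        problems.append(f"term {all_at}: terms after all are never evaluated")
    if all_at is None and "redirect" not in seen_modifiers:
        problems.append("no all term and no redirect: unlisted senders get neutral, not fail")
    if all_at is not None and "redirect" in seen_modifiers:
        problems.append("redirect is ignored when the record contains all")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}; receivers return permerror")
    return problems


if __name__ == "__main__":
    # constructed records, including the two from the cases above with private addresses
    for rec in ["v=spf1 ip4:192.168.243.1 +a +mx ~all",
                "v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all",
                "v=spf1 include:_spf.google.com ~all",
                "v=spf1 -all",
                "v=spf1 ip4:203.0.113.5 -all mx",
                "v=spf1 redirect=example.com -all"]:
        print(rec, "->", lint_spf(rec) or "OK")
```

The linter is intentionally conservative about what it reports: the Case 1 and Case 3 records are flagged only for their private addresses, a bare v=spf1 -all for a non-sending domain passes clean, and a record that puts mx after -all is reported because that mx would never be consulted.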