Sender Policy Framework / SPF: Difference between revisions

From Edgar BV Wiki
Revision as of 09:22, 29 November 2016

Sender Policy Framework (SPF) is a way to authenticate the sender domain of a mail, a bit like DKIM / ADSP. Unlike DKIM it does not sign the message: DNS records added to the zone file state which hosts may send mail for the domain.

OpenSPF examples

OpenSPF RFC examples

OpenSPF record syntax

An easy way to implement this is to add the following record to your DNS zone:

TXT "v=spf1 mx -all"

Best practice is to also publish it in this form in DNS:

SPF "v=spf1 mx -all"

(they then have to be identical), but not being able to publish the SPF record is not a problem.

You always put the -all at the end of the record, as that's where the check stops processing; it tells the checker that no more conditions will be met. You can replace -all with ~all, which tells the checker it's a soft fail, i.e. other IPs are possible but suspicious.

You do have to make sure that the domain has a valid MX record in DNS and that the hostname in the MX also has a valid A record in this case :)
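
How a receiver walks the record above, as an added example that is not part of the original wiki page: a simplified evaluator that handles only the `mx` and `all` mechanisms. The domain `example.org`, its hosts and addresses in `ZONE` are constructed placeholder data, and `check_spf` and `lint_mx` are hypothetical helper names.

```python
import ipaddress

# Constructed DNS data for the placeholder domain example.org (no real lookups).
ZONE = {
    "MX": {"example.org": ["mail.example.org", "backup.example.org"]},
    "A": {"mail.example.org": ["192.0.2.10"]},  # backup.example.org has no A record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, domain, sender_ip, zone=ZONE):
    """Evaluate the 'mx' and 'all' mechanisms of an SPF record, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism = term.lower()
        if mechanism == "all":
            # 'all' always matches, so nothing after it is ever evaluated.
            return QUALIFIERS[qualifier]
        if mechanism == "mx":
            # An MX host only counts if its name resolves to an address.
            for host in zone["MX"].get(domain, []):
                addrs = zone["A"].get(host, [])
                if any(ip == ipaddress.ip_address(a) for a in addrs):
                    return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this simplified example
    return "neutral"  # no mechanism matched and no 'all' present


def lint_mx(domain, zone=ZONE):
    """Return MX hosts that lack an A record and so can never match 'mx'."""
    return [h for h in zone["MX"].get(domain, []) if not zone["A"].get(h)]
```

Running `lint_mx` against your own zone data before publishing `-all` shows which MX hosts would be rejected as senders because their names do not resolve.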