What is an SPF Record and Why Does My Domain Need One?

A few weeks ago, I described how I used a separate DNS host, DynDNS, to separate that responsibility from my web host, MediaTemple, to give me additional flexibility and control of my domain. Near the end, I mentioned one of the benefits of doing so was to be able to publish an SPF record for my domain as a means to contribute to the war against SPAM.

What is an SPF Record?

An SPF record is a TXT DNS entry that mail and spam filters use to help validate incoming mail. Similar to a DNS MX record, which tells what host receives mail for a particular domain, an SPF record tells what host(s) are authorized to send mail for that domain.

While this description is simple, implementation is another matter, and sometimes complex. First, domain owners, such as myself, have to publish an accurate SPF record for our domains, and keep it up to date when it changes. Second, receiving mail systems need to be updated or modified to check incoming mail against the sender domain’s SPF record. There are customizations available for most major mail systems. Common SPAM appliances, such as a Barracuda or M+ Guardian by Messaging Architects (built on the open source Hula engine), integrate SPF checking as part of their systems. By giving the servers something to validate the sending mail against, we help these systems do a better job.

What does an SPF Record Look Like?

Here’s the one for my domain:

v=spf1 a a:moon.home.cdchase.com ?ptr:gridserver.com include:bledsoe.net include:outbound.mailhop.org -all

It basically says mail is authorized for my domain from:

  • the host cdchase.com (a)
  • a host named moon.home.cdchase.com (a:moon.home.cdchase.com)
  • any server in the gridserver.com domain, classified as neutral (?ptr:gridserver.com)
  • apply the SPF rules defined by bledsoe.net & outbound.mailhop.org (include:bledsoe.net include:outbound.mailhop.org)
  • FAIL all others (-all)

This basically lets me send mail from my web server, from a Linux box at home, from my MailHop service, or from my ISP’s servers.
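To show how a receiving mail filter walks the record above, here is a small SPF evaluator (added example, not from the original post or any real SPF library). It models only the a, ptr, include and all mechanisms the record uses, and resolves names against a constructed in-memory DNS table instead of performing real lookups; the hostnames and addresses in that table are assumptions for the demonstration.

```python
# Constructed DNS data for the example (not real lookups): A, PTR and TXT (SPF) records.
DNS = {
    "A": {"cdchase.com": ["192.0.2.10"], "moon.home.cdchase.com": ["198.51.100.5"],
          "s1.gridserver.com": ["203.0.113.7"], "smtp.bledsoe.net": ["203.0.113.20"],
          "outbound.mailhop.org": ["203.0.113.30"]},
    "PTR": {"203.0.113.7": ["s1.gridserver.com"]},
    "TXT": {"cdchase.com": "v=spf1 a a:moon.home.cdchase.com ?ptr:gridserver.com "
                           "include:bledsoe.net include:outbound.mailhop.org -all",
            "bledsoe.net": "v=spf1 a:smtp.bledsoe.net -all",        # assumed policy
            "outbound.mailhop.org": "v=spf1 a -all"},               # assumed policy
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"   # no prefix means "+" (pass)
        mech, _, arg = term.lstrip("+-~?").partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed

def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)

def check_spf(ip, domain, depth=0):
    """Evaluate sender ip against domain's policy: pass/fail/softfail/neutral/none."""
    record = DNS["TXT"].get(domain)
    if record is None or depth > 10:           # no record published, or include loop guard
        return "none"
    for qual, mech, arg in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech == "a":                       # ip is an A record of arg (or of domain itself)
            matched = ip in DNS["A"].get(arg or domain, [])
        elif mech == "ptr":                     # reverse name in arg that forward-resolves to ip
            matched = any(in_domain(n, arg or domain) and ip in DNS["A"].get(n, [])
                          for n in DNS["PTR"].get(ip, []))
        elif mech == "include":                 # matches only if the included policy passes
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            continue                            # mx, ip4, ip6, exists are not modelled here
        if matched:
            return QUALIFIER[qual]              # first matching mechanism decides
    return "neutral"                            # nothing matched and no "all" term
```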

Why Does My Domain Need an SPF Record?

By being proactive in providing this information I help prevent fraudulent use of my domain name. You should too! If you don’t manage your own DNS, contact whoever does and be sure they are aware of it (it is fairly new), and ask them to properly implement it for your domain. Many major ISPs have done so already, in which case you may be able to use a simple include, as I did above, to point at your ISP’s SPF record entry.

To check if you have an SPF record for your domain, and validate it, as well as learn more about the SPF standard, visit OpenSPF.org.

I highly recommend using their SPF Setup Wizard to check if you currently have an SPF Record, and get a description of how it is currently configured. Enter your domain at the top, and click ‘begin’. Wait for the form to refresh, then scroll to the bottom for a description of any existing entry. The form takes a little time to get used to for configuring the actual record, but the lookup & description works nicely.

Note, I am fairly confident that all mail from my domain comes from the hosts specified, so I flag any results as an SPF FAIL if it is not one of them. That is pretty aggressive… my employer does a SOFT FAIL to prevent any problems. Review the documentation at OpenSPF.org for more details.

Managing Your Own Web DNS Services

In one of my first posts I promised to describe how I was able to transfer my domain name from one web host to another with minimal cut-over time, and essentially no waiting for DNS propagation. The key is I did not have to wait for DNS changes to propagate across the Internet at all–the changes only had to occur on my own DNS server. If you were to purchase a new domain name, then you would have propagation delay as the new name is discovered.

I strongly believe in the separation of DNS services and web hosting services. This keeps me from having any issues with my web host holding me ‘hostage’ for some reason because they have control of my domain name. While you may legally own your domain name, unless you manage the DNS services, you don’t have full control. While many web hosts will provide this service to you at no extra cost, I decided long ago I was willing to pay a little more to get those services from a third party to protect myself.

I use the DNS services of Dynamic Network Services, Inc. They are a DNS specialist. They do not provide web hosting services! I initially discovered them while searching for a means of getting a stable DNS name for a dynamic IP assigned by my ISP in order to remotely access a server at home. After I realized all the services they provided, and what insulation it would give me from my web host, I moved management of all my domains there. At the time, they did not do domain registration, and I simply went to my domain registrar and designated the Name Servers hosted by DynDNS as mine. From then on, I used their Custom DNS services to manage my hosts.

While most people might be afraid of managing their own DNS services, DynDNS makes it very simple. Their FAQ pages are extensive and supply all the information you need. I’ve been able to manage all my needs without contacting their support staff, and I’m not a DNS expert–though I try to play one in the movies. 😉 Just kidding!

Back to how I accomplished the move so easily… Since I did not have to add a new domain and change NS records (name server IPs), I only had to add a new host name (blog) to my cdchase.com domain. I will eventually move this site under my main www site, but I have not decided how I’m going to integrate the old content and new. As I’ve stated before, the design is still in Alpha mode–subject to change at any time.

Media Temple, aka (mt), is my host, and they stated that I would not have a dedicated IP for my domain; it would be a named virtual host, and they pointed me at the Apache documentation. I knew exactly what I could do! While the IP might not be dedicated to my web hosting server, the server does respond on a specific IP, and the host name used in the request is what tells it to use one virtual server or another. That IP is what is behind the access domain that they provide–a generic host name under their domain control that you can use at any time–even before DNS propagates, if you are stuck waiting for it. By looking up the IP related to it using ‘dig’ on Linux, I was able to create my A record DNS entry pointing my new host at its appropriate IP. Once I did that, it was immediately available!

Why immediately, you ask? Because when you give your browser a fully qualified domain name like blog.cdchase.com, it has to look up the IP for it. Where it looks is the name server for the domain above it, in this case cdchase.com. Since that domain had been in existence for years, the lookup simply went there, got the new host’s IP, and I was in business!

Note, as soon as I had the web pages copied to the new site using the generic access domain, and I saw how well things were going, I changed the DNS record for www.cdchase.com. That took up to 12 hours to propagate, depending on whether you had been to the site before. 12 hours is the TTL, or time-to-live, setting on my DNS entries; they expire after that time, and a client, such as a web browser, will normally re-request them and get the updated IP. Same goes for my MX (mail) entries: 12 hours to time out and I was in business on my new host. Time now to cancel my old service…

Once you have all the changes you need made, you should test your DNS too… you might want to do it before you change to see how good your web hosting provider’s configuration is! Try DNS Stuff, lots of tools to help with testing and troubleshooting.

If I haven’t sold you on the power of separating DNS hosting from web hosting, you can also add on the additional redundancy they provide, distributed world-wide. DynDNS has five DNS hosting facilities spread around the world for redundancy and isolation from network breakdowns, as well as improving response times in their related regions. I also use their Mail Hop Outbound service to provide secure outbound SMTP services at home, but more importantly when I’m traveling. If I’m using some hot spot some place, I don’t always have access to their SMTP mail server information for routing mail, besides the pain it is to find & set up every time. With Mail Hop Outbound, all my mail uses the Mail Hop server. Very convenient and secure. Since I control my DNS, I have also added an SPF record to help support mail security.

If you have specific questions, I would be happy to answer them, just leave a comment! If you are interested in learning more about DNS, get the O’Reilly guide: DNS and BIND (5th Edition) from Amazon.