What is an SPF Record and Why Does My Domain Need One?

A few weeks ago, I described how I used a separate DNS host, DynDNS, to separate that responsibility from my web host, MediaTemple, to give me additional flexibility and control of my domain. Near the end, I mentioned one of the benefits of doing so was to be able to publish an SPF record for my domain as a means to contribute to the war against SPAM.

What is an SPF Record?

An SPF record is a TXT DNS entry that mail and spam filters use to help validate incoming mail. Similar to the function of a DNS MX record, which says what host receives mail for a particular domain, an SPF record says what host(s) are authorized to send mail for that domain.

While this description is simple, implementation is another matter, and sometimes complex. First, domain owners, such as myself, have to publish an accurate SPF record for our domains, and keep it up-to-date when it changes. Second, receiving mail systems need to be updated or modified to check incoming mail against the sender domain's SPF record. There are customizations available for most major mail systems. Common SPAM appliances, such as a Barracuda or M+ Guardian by Messaging Architects (built on the open source Hula engine), integrate SPF checking as part of their systems. By giving receiving servers something to validate the sending host against, we help these systems do a better job.

What does an SPF Record Look Like?

Here’s the one for my domain:

v=spf1 a a:moon.home.cdchase.com ?ptr:gridserver.com include:bledsoe.net include:outbound.mailhop.org -all

It basically says mail is authorized for my domain from:

  • The host cdchase.com (a)
  • a host named moon.home.cdchase.com (a:moon.home.cdchase.com)
  • any server in the gridserver.com domain, classified as neutral (?ptr:gridserver.com)
  • apply the SPF rules defined by bledsoe.net & outbound.mailhop.org (include:bledsoe.net include:outbound.mailhop.org)
  • FAIL all others (-all)

This basically lets me send mail from my web server, from a Linux box at home, from my MailHop service, or from my ISP’s servers.
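As an added worked example (not part of the original post), here is a minimal Python evaluator for the record above, run against a constructed DNS snapshot: the IP addresses and the two included records for bledsoe.net and outbound.mailhop.org are made up, not the real ones. It simplifies the real rules: the ptr mechanism skips the forward confirmation of the reverse name, and an include whose target has no record is simply treated as not matching.

```python
import ipaddress
# Constructed DNS snapshot standing in for live lookups; all values are made up for this example.
DNS = {
    "A": {"cdchase.com": ["203.0.113.10"], "moon.home.cdchase.com": ["198.51.100.7"]},
    "PTR": {"192.0.2.5": "mail.gridserver.com"},
    "TXT": {
        "cdchase.com": ("v=spf1 a a:moon.home.cdchase.com ?ptr:gridserver.com "
                        "include:bledsoe.net include:outbound.mailhop.org -all"),
        "bledsoe.net": "v=spf1 ip4:203.0.113.0/24 -all",
        "outbound.mailhop.org": "v=spf1 ip4:198.51.100.0/24 ~all",
    },
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse(record):
    """Split an SPF TXT record into (result-if-matched, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                      # no prefix means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((QUALIFIERS[qual], mech.lower(), arg))
    return parsed

def check(domain, sender_ip, depth=0):
    """Return pass/fail/softfail/neutral/none for sender_ip claiming to send for domain."""
    record = DNS["TXT"].get(domain)
    if record is None or depth > 10:    # no record published, or include chain too deep
        return "none"
    for result, mech, arg in parse(record):
        target = arg or domain          # bare "a" / "ptr" refer to the domain itself
        if mech == "all":
            return result
        if mech == "a":                 # sender is one of the A records of the target name
            matched = sender_ip in DNS["A"].get(target, [])
        elif mech == "ip4":
            matched = ipaddress.ip_address(sender_ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "ptr":             # simplified: reverse name lies in target, no forward check
            host = DNS["PTR"].get(sender_ip, "")
            matched = host == target or host.endswith("." + target)
        elif mech == "include":         # matches only when the included record yields pass
            matched = check(arg, sender_ip, depth + 1) == "pass"
        else:
            raise ValueError(f"unsupported mechanism {mech}")
        if matched:
            return result
    return "neutral"                    # nothing matched and no all term
```

Note that an include whose record ends in ~all never produces a match by itself, which is why the outer -all still decides the result for a sender the ISP only softfails.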

Why Does My Domain Need an SPF Record?

By being proactive in providing this information I help prevent fraudulent use of my domain name. You should too! If you don’t manage your own DNS, contact whoever does and be sure they are aware of it (it is fairly new), and ask them to properly implement it for your domain. Many major ISPs have done so already, in which case you may be able to use a simple include, as I did above, to point at your ISP’s SPF record.

To check if you have an SPF record for your domain, and validate it, as well as learn more about the SPF standard, visit OpenSPF.org.

I highly recommend using their SPF Setup Wizard to check if you currently have an SPF record, and get a description of how it is currently configured. Enter your domain at the top, and click ‘begin’. Wait for the form to refresh, then scroll to the bottom for a description of any existing entry. The form takes a little time to get used to for configuring the actual record, but the lookup and description work nicely.

Note, I am fairly confident that all mail from my domain comes from the hosts specified, so I flag any results as an SPF FAIL if it is not one of them. That is pretty aggressive… my employer does a SOFT FAIL to prevent any problems. Review the documentation at OpenSPF.org for more details.