Your email list is one of the most valuable assets for your business, right? But what would happen if the majority of your sent email went straight to the recipient's spam folder, or the servers didn't even let it get that far? In addition to adhering to basic best practices (such as asking users to opt in to your mailing list and giving them the option to opt out), you must go through technical processes to strengthen your email authentication in order to maintain a good sender reputation. Email authentication allows your email recipients to verify that email they receive from your domain was actually sent by you. This is important since the standard email protocol, SMTP, permits anyone to send email claiming to be from any source or “from” address.
In this series’ previous post, we discussed how DKIM (DomainKeys Identified Mail) works, how to set it up, and how it helps identify the email sender by signing each email message. This time we will discuss another email authentication method: SPF. Keep on reading as we continue putting the puzzle pieces together.
What is SPF?
SPF (Sender Policy Framework) is an email authentication technique designed to help the receiving server detect forged sender addresses. It uses a DNS (Domain Name Service) record to list all of the email servers (by name or IP addresses) that are permitted to send email on behalf of your domain, preventing the bad guys from doing so. As long as they can’t send email from the servers listed in the SPF record, you are in the clear.
How does SPF work?
To use SPF, you have to create a DNS TXT record to hold the list of IP addresses and domain names that are permitted to send email on behalf of your domain. An example SPF record looks like this:
"v=spf1 ip4:18.104.22.168/24 include:thirdparty.com a -all"
All listed IP address ranges (prefixed with `ip4:` or `ip6:`), and domain names specified (usually with the `include:` prefix, meaning that the domain’s SPF list is to be included) are allowed to send email on behalf of the domain. The `-all` at the end of the list indicates that an email that was sent from any IP address or domain name not previously specified on the list should be rejected by the recipient. There are also other qualifiers that can be used, such as `~`, which stands for SOFTFAIL, meaning that messages should be accepted but tagged.
Upon receiving an email message, the receiving server uses an ordinary DNS query to pull the SPF record for the domain in the envelope-from address and compares the sending server's IP address against it. If that IP address doesn’t match any of the authorized IP address ranges or hosts specified in the SPF record, the message may be rejected.
However, SPF isn’t perfect and can be problematic in the following ways:
- SPF records don’t apply to the From address field - As mentioned previously, SPF doesn’t actually check the email `from` field, which is what’s visible to the recipient, but rather the SMTP envelope-from address (also known as the bounce address or MailFrom). This means that attackers can send email from their domain with SPF, use a different domain in the email’s `from` field, and still pass SPF tests.
- DNS record maintenance - when using IP addresses, any change should be applied to the SPF record immediately. This is to ensure that emails sent from new IP addresses are not rejected and that emails sent from old IP addresses aren’t authenticated any longer. The same is true when you start or stop using a mail service.
- SPF syntax - each new service you’re adding usually tells you which SPF record to add in order to allow it to send email on your behalf. To combine multiple services, however, the DNS administrator must understand the SPF syntax well and make sure to avoid any mistakes. It is also important to remember not to add more than one SPF record per domain. If you have more than one, it may cause SPF authentication errors.
- The SPF 10-lookup limit - SPF specifications have a 10 DNS lookups limit with the aim of decreasing the number of resources that are used by mailbox providers when checking SPF records. If the limit is exceeded, an SPF PermError is returned, which causes even legitimate emails to fail authentication, directly affecting your email deliverability. This can happen not only when you use 10 or more email services, but also when nested includes cause cascading lookups.
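The evaluation described under "How does SPF work?" and two of the pitfalls above (more than one SPF record, and nested includes exceeding the 10-lookup limit) can be reproduced offline with a small evaluator. This is an added example, not code from Mailer To Go; the domain names, addresses and the `ZONE` table are constructed, and it assumes a simplified evaluator in which `a`, `mx`, `exists` and `ptr` are counted as lookups but not resolved and `redirect=` is not handled.

```python
import ipaddress

MAX_LOOKUPS = 10
LOOKUP_TERMS = ("include", "a", "mx", "exists", "ptr")
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT data standing in for DNS answers; every name is hypothetical.
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:thirdparty.example -all"],
    "thirdparty.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "dup.example": ["v=spf1 ip4:192.0.2.0/24 -all",
                    "v=spf1 include:thirdparty.example -all"],
    "n11.example": ["v=spf1 -all"],
}
# Eleven nested includes: n0 -> n1 -> ... -> n11, one DNS lookup per hop.
ZONE.update({f"n{i}.example": [f"v=spf1 include:n{i + 1}.example ~all"]
             for i in range(11)})

class PermError(Exception):
    pass

def check_host(ip, domain, zone, state):
    """Evaluate `domain`'s SPF record for sender `ip`; `state` counts lookups."""
    records = [t for t in zone.get(domain, []) if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        raise PermError(f"{domain}: more than one SPF record")
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in LOOKUP_TERMS:
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise PermError("more than 10 DNS lookups")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # An include matches only when the included record yields "pass".
            matched = check_host(ip, arg, zone, state) == "pass"
        else:
            matched = False  # a, mx, exists, ptr: counted, not resolved here
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def spf_result(ip, domain, zone=ZONE):
    try:
        return check_host(ip, domain, zone, {"lookups": 0})
    except PermError:
        return "permerror"
```

Note that the included domain's `~all` does not leak into the parent: a sender that only softfails in `thirdparty.example` falls through to the parent's `-all`.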
Is SPF important?
Despite its shortcomings, SPF is still used by mail servers to check an email’s authenticity. An important thing to keep in mind: if you are already using SPF with some email services, you must make sure to add a new email service’s details to your SPF record. Otherwise, email sent by the new service will be caught by the default ~ALL or -ALL mechanism and may be flagged as spam. In summary, we recommend adding and updating your SPF record in order to help your email reach its recipients, to simplify the process.
Does Mailer To Go support DKIM?
Yes. Although not required, you should add Mailer To Go’s tag to your SPF record to make sure that email sent from Mailer To Go reaches your recipients’ inbox properly.