Although adding an SPF DNS record won’t cost you 1 minute, understanding the format of an SPF record is not easy. The SPF record is a TXT DNS record you can add through your domain registrar. Some registrars name this type of DNS record TXT/SPF. After you click “add a TXT/SPF record”, you will be prompted to fill in the host and the content of the record. You can leave the host blank and fill in the content of the SPF record as follows:
v=spf1 a mx ip4:xx.xx.xx.xx ip6:xxxx:xxxx::xxxx include:externaldomain.com ~all
The syntax of an SPF record is a little weird. The fields are separated by spaces. The first field specifies the version of the SPF record. It is always “v=spf1” (the first version) at present. The following fields are all matching rules, or mechanisms. A mail server that has deployed an SPF policy matches the client IP against these rules in order. If it finds a match, it gets the result indicated by the qualifier prefixing the mechanism and stops matching. How the mail server uses the result depends on the mail server itself. If it cannot find any match, it gets the “Neutral” result. It may accept or reject the email if the result is “Neutral”. If there is no qualifier prefixing a matching mechanism, the default qualifier is “+” (meaning “Pass”).
We take the example above to explain the format of the SPF record in detail.
- a means matching the client IP against the IP(s) in the A record of the current domain.
- mx means matching the client IP against the IP(s) in the A records of the hosts named by the MX record of the current domain.
- ip4/ip6 means matching the client IP against a specific IP address or address range.
- include means matching the client IP against the SPF record of another domain.
- all matches any client IP address and is therefore usually put at the end of the SPF record.
IP addresses are not usually used in an SPF record because if you change your mail server’s IP, you need to change the SPF record as well. A more useful SPF record is:
v=spf1 a mx ~all
Because you will normally have an A record pointing your domain at your host, this SPF record ensures you can send emails from your host. If you use a different host for your mail server, that mail server is also matched through the MX mechanism. If emails are sent from other IPs, the ~all mechanism instructs other mail servers to accept but flag them (softfail).
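The first-match evaluation described above can be sketched in a few lines of Python. This is an added example, not code from the original article; the `DNS` table, the domain names and the `check_spf` function are constructed for illustration, and only the mechanisms discussed on this page are handled (no macros, redirect, or CIDR suffixes on a/mx).

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline (names and addresses are made up).
DNS = {
    "A": {"example.test": ["192.0.2.10"], "mail.example.test": ["192.0.2.25"]},
    "MX": {"example.test": ["mail.example.test"]},
    "TXT": {
        "example.test": "v=spf1 a mx ip4:198.51.100.0/24 include:relay.test ~all",
        "relay.test": "v=spf1 ip4:203.0.113.5 ip6:2001:db8::/32 -all",
        "bare.test": "v=spf1 a mx",
    },
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, depth=0):
    """Evaluate the domain's SPF record against client_ip; the first match wins."""
    record = DNS["TXT"].get(domain)
    if record is None:
        return "none"
    fields = record.split()
    if fields[0] != "v=spf1" or depth > 10:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in fields[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # default qualifier is "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = client_ip in DNS["A"].get(arg or domain, [])
        elif mech == "mx":
            hosts = DNS["MX"].get(arg or domain, [])
            matched = any(client_ip in DNS["A"].get(h, []) for h in hosts)
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            # include matches only when the other domain's record evaluates to pass
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown or misspelled mechanism name
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched
```

Note that the `-all` inside the included record does not reject the message by itself: the include simply fails to match and evaluation continues to the outer `~all`.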
Reference: https://dmarcian.com/spf-syntax-table/