SPF

Sender Policy Framework (SPF) is a simple validation system designed to detect attempts to impersonate e-mail senders.

Configuration

SPF is configured through a TXT record in the DNS zone of the domain from which the e-mail is sent. The content of the TXT record starts with v=spf1, followed by rules that specify who is authorized to send e-mails from this domain. One of four prefixes can be placed before each rule:

  • + - accept (default)
  • - - do not accept (never accept; hard rule)
  • ~ - do not accept (soft rule: the e-mail should rather not be accepted, but whether it is rejected depends on the receiving server's configuration)
  • ? - neutral

List of rules that can be read as "accept e-mails from":

  • A - the IP address specified in the A record
  • MX - the IP address specified in the MX record
  • ip4:8.8.4.4 - the address 8.8.4.4
  • ip4:8.8.4.0/27 - the 8.8.4.0/27 network (addresses: 8.8.4.1 - 8.8.4.30)
  • ip6:2001:db8:a4:a6:b7:e4:ef:a3 - the address 2001:db8:a4:a6:b7:e4:ef:a3
  • ip6:2001:db8:a4:a6:b7:e4:ef:80/122 - the 2001:db8:a4:a6:b7:e4:ef:80/122 network (addresses: 2001:db8:a4:a6:b7:e4:ef:81 - 2001:db8:a4:a6:b7:e4:ef:bf)
  • include:sub.example.com - servers specified in the SPF of the sub.example.com domain
  • all - from the rest of the servers.

Examples

Domain that does not send e-mails. Any e-mail sent from this domain will be rejected:

v=spf1 -all

Accept e-mails from the web server (A record) and from the mail server (MX record). Messages sent from other servers will be rejected:

v=spf1 A MX -all
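
The prefixes and rules above, evaluated left to right the way a receiving server walks a record. This is an added example, not part of the original page: check_spf, the in-memory DNS table, the 192.0.2.x hosts and every domain other than sub.example.com are constructed for illustration, and only the rules listed on this page are handled.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. A/MX hold the
# already-resolved addresses; domain names and 192.0.2.x hosts are made up.
DNS = {
    "example.com": {"A": ["192.0.2.10"], "MX": ["192.0.2.25"],
                    "TXT": "v=spf1 A MX -all"},
    "nomail.example": {"A": ["192.0.2.80"], "TXT": "v=spf1 -all"},
    "sub.example.com": {"TXT": "v=spf1 ip4:8.8.4.0/27 -all"},
    "corp.example": {"MX": ["192.0.2.40"],
                     "TXT": "v=spf1 MX include:sub.example.com ~all"},
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate ip against the SPF record of domain; return the result name."""
    if depth > 10:                        # stop runaway include chains
        return "permerror"
    terms = DNS.get(domain, {}).get("TXT", "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:                # rules are tried left to right
        qualifier = term[0] if term[0] in RESULTS else "+"  # "+" is the default
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("a", "mx"):
            hosts = DNS.get(value or domain, {}).get(name.upper(), [])
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            sub = check_spf(ip, value, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"        # broken include invalidates the record
            matched = sub == "pass"       # only a pass in the included record counts
        else:
            return "permerror"            # term outside the rules listed on this page
        if matched:
            return RESULTS[qualifier]     # first matching rule decides
    return "neutral"                      # nothing matched and no "all" rule
```

For corp.example, the -all inside the included sub.example.com record does not reject the message by itself: a non-matching include simply falls through, and the outer ~all decides.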