What is SPF and how does it help me?
Spam. While also the name of a tasty breakfast and sandwich meat, it is also the bane of our digital lives. Spam is a constant annoyance that finds its way into our inboxes on a daily basis. One of the more common methods of spamming is to spoof other people’s email addresses. If you have received returned emails you know you did not send you may have contacted our Live Support team. If they spoke to you about SPF records, spoofing, and other voodoo, this is where you should be. Here we explain what spoofing and SPF records are and how they help you.
What is Spoofing?
‘Sender Address Forgery‘, aka ‘Spoofing‘, is a method of sending email out while it pretending to be from a different sender. It is much like a stranger sending a letter to someone while placing your information as the return address on the envelope. This way it appears to have been sent from you and not the actual sender. Spoofing in the digital world works the same way. Almost all spam emails use a fake address. If you are a victim of spoofing your online reputation can be at risk.
Why would someone spoof?
Spam Spammers spoof so that their inboxes are not bombarded with failed delivery attempts.
Fraud and viruses These types of folks want to cover their tracks so they use fake sender addresses to cause confusion.
Phishing These types of emails use spoofing to pose as legitimate senders so that their victims trust them as being an authority. These types usually pose as a bank or other institution asking for your information.
SPF, or ‘Sender Policy Framework‘, is an open standard designed to prevent spoofing. This protects the envelope sender address used for message delivery. SPF allows you to create a ‘policy‘ and dictate a list of authorized senders. This means that only those on the list are able to be authenticated by any receiving server checking for spoofing. Upon a successful check, the email is assumed to be legitimate. If the check is unsuccessful, the email is considered fake and dealt with according to how the SPF policy is set up.
What is an SPF policy?
An SPF policy is a list of servers allowed to send email on behalf of your domain name. It also includes instructions for any server that is not in the list.
Think of the SPF policy as a list the bouncer checks when a message carrier attempts to enter a club. If they are on the list, they are welcome to enter the club (server) and present their message. If they are not on the list, he sends them packing.
In order for SPF to work, however, there needs to be cooperation between both the sending and receiving email servers.
- Sending server publishes the SPF policy as a TXT record. This only needs to be created once and updated only when servers are to be added or removed from the list.
- Receiving server must check the email to see if it complies with the SPF policy.
Anatomy of a basic SPF record
An SPF record has different settings, also known as mechanisms. The record is evaluated in order from left to right. So if an email host fails to be included according to the first mechanism, it will check the second, third, etc until it either passes one or fails all checks. If it fails all mechanisms, it will do nothing. This is why it is important to include an ‘all‘ mechanism to catch them. Below is a typical SPF record for InMotion Hosting and a brief description of its mechanisms.
While this may appear cryptic at first, it is actually fairly simple. The breakdown is as follows:
|v=spf1||This means SPF version 1|
|a||All IPs defined by the A records for the domain are allowed.|
|mx||This means that all servers defined by the MX records for the domain are allowed to send emails on the domain’s behalf.|
|ip4:184.108.40.206||The IP address(es) listed are allowed to send emails. In this case, a single IP (220.127.116.11) is in the list.|
|-all||The ‘all‘ setting traditionally goes at the end and handles anything that did not match the rest of the settings in the record. In this case, the ‘-all’ mechanism indicates to reject anything that makes it that far.|
If you notice there are + and – prefixes in front of some of the settings. There are four different types and they help decide the fate of the message.
|+||Pass||Any host listed in the mechanism with this prefix is allowed.||Accepted|
|–||Fail||Hosts listed with a mechanism using this prefix will not be allowed.||Rejected|
|~||Soft Fail||Although listed as not allowed, hosts listed under mechanisms with this prefix will be allowed, but marked.||Accepted|
|?||Neutral||Hosts listed using this prefix will be allowed. There is nothing specific said either way about it. This has the same effect as having no prefix before the mechanism.||Accepted|
How do I set SPF records for my domain?
Now that you understand a bit about how SPF records work, we will show you how to set them up on your hosting account so that you can help prevent malicious spammers from spoofing your domain.
Creating SPF records on your server
You can create your SPF records either in the cPanel or the WebHost Manager (WHM). The WHM can only be accessed by VPS and Dedicated account holders. Below are links to the articles on how to create your SPF records using your desired method.