{"id":187,"date":"2018-04-13T15:30:19","date_gmt":"2018-04-13T13:30:19","guid":{"rendered":"http:\/\/zupertails.be\/wur\/?p=187"},"modified":"2018-04-13T15:30:19","modified_gmt":"2018-04-13T13:30:19","slug":"spf-records-and-how-they-work","status":"publish","type":"post","link":"https:\/\/zupertails.be\/wur\/?p=187","title":{"rendered":"SPF records and how they work"},"content":{"rendered":"

The mysteries of the internet : SPF edition<\/h2>\n

First of all, SPF stands for “Sender Policy framework”.
\nNow you know.
\nPeriod.<\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

Just kidding.<\/p>\n

An SPF record is used as a “sort of ” security\/anti-spam measure in order to protect your outgoing mail from being sent FROM a certain list of sender locations.
\nYou read it right : “from<\/span>” (not “to<\/span>“).
\nIt’s in no way a fail-safe antispam solution, but it will decrease the amount of mails sent in your name significantly.
\nOffice 365 even requires this specific record on first setup (although you can skip this step eventually).<\/p>\n

Who didn’t configure his Outlook Express in the old days to send mail from as his boss to fake a “you’re fired” mail to your new colleague ? Right ? Right ? N-Nobody ?
\nOops. Sorry, Bjorn.<\/p>\n

 <\/p>\n

Comment \u00e7a marche<\/a> ?<\/h2>\n

In order to understand how things work, wel’ll start out with a little example from our fake (?) company Shortstraw LLC and their Office 365.
\nAfter setting up your O365\u00a0 subscription, your SPF records looks a bit like this :<\/p>\n

\"\"
Note the “subtle” reference to mxtoolbox.com<\/figcaption><\/figure>\n

I deliberately used the expression “text record” as SPF is nothing more than a TXT record with a specific markup. Most hosting companies have a separate entry box for SPF nowadays, but in the background it’s still a TXT.<\/p>\n

Let’s split up everyting in this text record, so we can understand completely what exactly it is that Microsoft wants us to do.<\/p>\n

v=spf1 :\u00a0<\/strong>
\nAll this does is stating the obvious.
\nThis record is “version SPF1”.
\nTo make things confusing, there’s an unrelated spf2.0<\/a> record, which stands for “Sender ID”<\/p>\n

include:spf.protection.outlook.com :<\/strong>
\nThe include value *drumrolls* includes the values of another SPF record, in this case a large list of IP addresses of Microsoft servers.<\/p>\n

\"\"<\/p>\n

The very same website I’ve used in the example above (MX Toolbox<\/a>) easily provided me with this information. You can see that in itself this record loops through to more SPF values in spfa.protection.outlook.com.
\nThis has to do with the maximum accepted length for a TXT record, which is limited to 255 characters, as explained on this RFC page<\/a>.<\/p>\n

-all
\n<\/strong>The final entry in the record is also the most conclusive one.
\nThe “-all” stands for “disallow all other entries”<\/p>\n

Other entries<\/h2>\n

\"\"The above example was just a textbook sample provided by Microsoft to get you started. It should be sufficient for the average O365 setup.<\/p>\n

Reality however will often slap you in the face with a more complex situation where you’ll be needing to configure all-in-one printers<\/a>, old software packages<\/a> with support for mail over port 25 only, websites sending from something@your_domain_name, …
\nThey all have a couple of specific things to keep in mind when configuring your SPF record.<\/p>\n

A handy tool for helping you configuring your SPF record is\u00a0https:\/\/www.spfwizard.net\/<\/a>, which does exactly what the name implies.<\/p>\n

Other possible entries you might use in your record :<\/p>\n

A:<\/strong>
\nIt’s usually followed by an actual DNS A-record
\nAn example will make things clear.<\/p>\n

v=spf1 include:spf.protection.outlook.com a:mail.suamae.br<\/strong> -all<\/pre>\n
The classic O365 SPF record was added a:mail.suamae.br<\/strong>, which will allow the IP resolving to this Brazilian mail server name to be able to send mails from shortstraw.be’s domain name as well.<\/p>\n
Just adding “A” and not defining anything behind it, will result in all A-records in shortstraw.be being able to send mail from this domain name.<\/p>\n
MX:
\n<\/strong>Works similar to the A-entry.<\/p>\n
v=spf1 include:spf.protection.outlook.com MX:uwmoeder.com<\/strong> -all<\/pre>\n
The example above will allow all the mailservers in the domain uwmoeder.com to be able to send mail from shortstraw.be<\/p>\n
\"\"<\/p>\n
Double checking on this, it will resolve to redirect.ovh.net in this case.<\/p>\n
Just adding “MX” without a domain name, will allow all MX entries in the shortstraw.be domain to send mail.<\/p>\n
IP4:
\n<\/strong>You may enter one specific IPv4 address or a group of IP addresses in the typical “slash” notation (it’s called “CIDR format” in big-boy-language).
\nNote the omission of the letter “v” in ip4. Pay attention to this common typo.<\/p>\n
v=spf1 include:spf.protection.outlook.com ip4:194.78.56.8 ip4:37.230.164.0\/22 -all<\/pre>\n
This will allow the single host “194.78.56.8<\/strong>” and the group of IP addresses “37.230.164.0 to 37.230.167.255<\/strong>” to send mail from your domain name.<\/p>\n
IP6:\u00a0<\/strong>
\nSee above.<\/p>\n
v=spf1 include:spf.protection.outlook.com ip6:2a01:4f8:d16:1355::2 -all<\/pre>\n
Completely the same, but for IPv6 addresses.<\/p>\n
~all<\/strong>
\nReplacing the “-all” entry with this “~all”, results in the mails from the “not-allowed” list to be marked as so-called “Soft Fail”. You can see the result of this in the headers of a received mail<\/a> as something like …<\/p>\n
Received-SPF: softfail (google.com: domain of transitioning mail@example.com does not designate 203.0.113.2 as permitted sender) client-ip=203.0.113.2;<\/em><\/p>\n
 <\/p>\n
+all<\/strong>
\nStating the “+all” addendum, ignores everything you just added in the previous part of the SPF record.
\nYour mails might (or might not, depending on the server) be tagged with an extra header that says something in the likes of “this mail is probably not OK, but it doesn’t matter anyway”.<\/p>\n
?all<\/strong>
\nAlmost the same as “+all”, with the exception that your mails will not be flagged.
\n?all stands for “No policy statement” and simply does not hold the SPF record in account.
\nOften used when trying to delete an SPF record without actually deleting it.<\/p>\n
Now how does this REALLY work ?<\/h2>\n
Every self-respectable and up-to-date mail server will do an SPF checkup, when receiving mail.
\nThat’s right, even Exchange Server 2003 can do this, updated to Service Pack 2. (not sure how it’s implemented in an Exchange 2000, though\u00a0 – I’ve seen software by GFI that used to be able to do this, but if you’ve come to this page looking for an antispam solution for your Exchange 2000, you can probably guess what I’m thinking right now…)
\nIn a side-note, this function is usually referred to as “Sender ID” in an Exchange environment.<\/p>\n
It’s usually a hard-coded feature with nothing much to tweak, except for turning it on or off.<\/p>\n
\"\"
A basic representation of SPF functionality (picture shamelessly stolen from this site<\/a>)<\/figcaption><\/figure>\n
One simple image explains how it works.
\nMail server A sends mail from a certain domain.
\nMail server B receives mail from this domain and does a quick DNS lookup looking for any TXT records containing “v=spf1” after which he interprets the information like I’ve explained about one page up.<\/p>\n
That’s it !<\/p>\n
You now know how an SPF record works !<\/p>\n
 <\/p>\n
More information<\/h2>\n
I’ve taken the liberty of compiling a small list of handy websites should you want to read more on the subject.<\/p>\n
    \n
  1. Pretty hardcore and a tough cookie to read ; the official RFC for SPF<\/strong> records :
    \n    https:\/\/tools.ietf.org\/html\/rfc7208#section-6.1<\/a><\/li>\n
  2. SPFWizard<\/strong>, for creating your own custom SPF records on the fly :
    \n    https:\/\/www.spfwizard.net<\/a><\/li>\n
  3. DKIM<\/strong>, a next-level form of protection your domain.
    \nIt’s not covered on this page, but it’s just a friendly reminder to let you know that there’s more than one way to perform mail protection :
    \n    https:\/\/blog.returnpath.com\/how-to-explain-dkim-in-plain-english-2\/<\/a><\/li>\n
  4. Mxtoolbox<\/strong>.
    \nYour trustworthy website on troubleshooting DNS and mail related stuff.
    \n    https:\/\/www.mxtoolbox.com<\/a><\/li>\n
  5. Microsoft Message Header Analyzer<\/strong>.
    \nNot mentioned in this page yet, but a great tool nevertheless.
    \nIf reading a wall of text is too hard, copy your mail headers in this website and it will provide you with readable text. Huzzah !
    \n    https:\/\/testconnectivity.microsoft.com\/?tabid=mha<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"
    The mysteries of the internet : SPF edition First of all, SPF stands for “Sender Policy framework”. Now you know. Period.         Just kidding. An SPF record is used as a “sort of ” security\/anti-spam measure in order to protect your outgoing mail from being sent FROM<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8,6,9],"tags":[13],"_links":{"self":[{"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=\/wp\/v2\/posts\/187"}],"collection":[{"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=187"}],"version-history":[{"count":7,"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=\/wp\/v2\/posts\/187\/revisions"}],"predecessor-version":[{"id":203,"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=\/wp\/v2\/posts\/187\/revisions\/203"}],"wp:attachment":[{"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}