SPF Records and Spam

Have you ever sent a legitimate email from a corporate email address only to find out from the recipient that it was falsely flagged as spam? You’re at the mercy of someone else’s spam filter, but here’s one solution that can help reduce false positives.

SPF Defined

The Sender Policy Framework (SPF) was created to reduce spam by detecting impersonation of domain names. Since anyone can forge a “from” email address in a message header, SPF can be used by email servers to verify that the message originates from the domain it claims to be from, or that it was sent from a trusted host.

Creating a DNS TXT Record

SPF data is stored in a DNS TXT record, which is supported by most domain registrars. Simply go to the DNS management console used by your registrar or Web host and look for a “TXT” record option.

Let’s say you’re using a third-party service such as Google Apps to handle your corporate email. The TXT record would be

v=spf1 mx include:v=spf1 include:aspmx.googlemail.com ~all

But what about if you’re also sending emails directly from an application server? You’d want to include the IP address of the machine hosting the SMTP server:

v=spf1 a mx ip4:67.207.129.94 include:v=spf1 include:aspmx.googlemail.com ~all

To view a detailed explanation about the above parameters and an easy-to-use wizard for generating SPF-compliant DNS entries, check out the SPF Setup Wizard.

Before and After

If you examine your email headers, you can see the impact of creating an SFP record. Here’s an email sent to a GMail account before the record was added.

Received-Spf: neutral (google.com: 67.207.129.94 is neither permitted nor denied by best guess record for domain of info@webficient.com) client-ip=67.207.129.94;
Authentication-Results: mx.google.com; spf=neutral (google.com: 67.207.129.94 is neither permitted nor denied by best guess record for domain of info@webficient.com) smtp.mail=info@webficient.com

Now compare the headers with the SPF record in place:

Received-Spf: pass (google.com: domain of info@webficient.com designates 67.207.129.94 as permitted sender) client-ip=67.207.129.94;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of info@webficient.com designates 67.207.129.94 as permitted sender) smtp.mail=info@webficient.com