Syntax

Sender Policy Framework

Structure of an SPF Record

Each SPF record begins with a version number; for the current SPF version this is "v=spf1".

An unlimited number of expressions follow, which are evaluated in order from front to back. Most of the expressions are so-called directives, which define the authorization of the sender. A directive consists of an optional qualifier and a so-called mechanism, which for a given situation (IP address) results in either a hit or no hit. The first mechanism that produces a hit determines the result of the entire evaluation of the SPF record.

The following qualifiers exist:

Q.  Result code  Description
+   Pass         the directive defines authorized senders; this is the default, i.e. if no qualifier is specified, + is assumed
-   Fail         the directive defines unauthorized senders
~   SoftFail     the directive defines unauthorized senders, but the receiver should treat this failure generously; this qualifier is intended for testing purposes
?   Neutral      the directive defines senders about whose legitimacy nothing should be said; the sender must be accepted


The following table shows some common mechanisms:


Mech.     Directive applies when
all       always
a         an A (or AAAA) record of the queried (or explicitly specified) domain contains the IP address of the sender
mx        an MX record of the queried (or explicitly specified) domain contains the IP address of the sender
ip4       the specified IPv4 address is the IP address of the sender or the specified IPv4 subnet contains it
ip6       the specified IPv6 address is the IP address of the sender or the specified IPv6 subnet contains it
redirect  the IP address of the sender is legitimized by the SPF record of another domain
include   an additional SPF request for the domain specified in the include statement contains the IP address of the sender
exists    the IP address of the sender is authorized based on the connection of the client or other criteria according to RFC 7208

An overview of all allowed expressions is given on the subpage SPF Mechanisms of the SPF website.

Example

$ host -t TXT gmx.de 
gmx.de text "v=spf1 ip4:213.165.64.0/23 -all"

The company GMX therefore specifies that all servers in the network range from 213.165.64.0 to 213.165.65.254 may send e-mails from the domain gmx.de. According to this SPF record, all other servers are not authorized to use this domain in the envelope sender address.
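The front-to-back evaluation described above, as an added example that is not part of the original page: a small Python evaluator that returns the result code of the first directive that produces a hit. It handles only the ip4, ip6 and all mechanisms, which need no DNS lookup; the function names and the second sample record are constructed for illustration.

```python
import ipaddress

# Qualifier -> result code, as in the qualifier table; "+" is assumed if none is given.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

GMX_RECORD = "v=spf1 ip4:213.165.64.0/23 -all"                # record shown on this page
TEST_RECORD = "v=spf1 -ip4:192.0.2.7 ip4:192.0.2.0/24 ~all"   # constructed sample


def parse_directive(term):
    """Split a term such as '-all' or 'ip4:192.0.2.0/24' into its parts."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    mechanism, _, argument = term.partition(":")
    return qualifier, mechanism.lower(), argument


def evaluate_spf(record, sender_ip):
    """Return the SPF result code for sender_ip (ip4, ip6 and all only)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"  # not an SPF version 1 record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:
            # Modifiers such as redirect= need a further DNS query.
            raise NotImplementedError(f"modifier not supported offline: {term}")
        qualifier, mechanism, argument = parse_directive(term)
        if mechanism == "all":
            hit = True
        elif mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            wanted = 4 if mechanism == "ip4" else 6
            hit = network.version == wanted and ip.version == wanted and ip in network
        else:
            # a, mx, include and exists all depend on DNS answers.
            raise NotImplementedError(f"mechanism needs DNS: {mechanism}")
        if hit:
            return QUALIFIERS[qualifier]  # the first hit decides the whole evaluation
    return "Neutral"  # RFC 7208: no mechanism matched and no redirect


if __name__ == "__main__":
    for addr in ("213.165.64.10", "213.165.66.1"):
        print(addr, evaluate_spf(GMX_RECORD, addr))
```

With the constructed record, 192.0.2.7 is rejected even though the later ip4:192.0.2.0/24 directive would pass it, because the earlier -ip4:192.0.2.7 directive hits first.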

© 2012 - 2021 nicmanager.com