What are SPF records?

Written on 01 January, 2007 by Netregistry

Over the past 18 months we have had a small amount of demand (usually from clients who are very passionate about the potential merits of SPF implementations) for support of SPF TXT records in zone files. The technology gained acceptance as a standard (IETF standard, RFC 4408) in April of 2006, though it should be noted that it is still in the 'Experimental' category. The Request for Comments (RFC) document is prefaced with the following note:

"The following documents (RFC 4405, RFC 4406, RFC 4407, and RFC 4408) are published simultaneously as Experimental RFCs, although there is no general technical consensus and efforts to reconcile the two approaches have failed. As such, these documents have not received full IETF review and are published "AS-IS" to document the different approaches as they were considered in the MARID working group."

So now that the disclaimer is out of the way, what are SPF TXT records?

The concept itself is simple. When an email is received, the headers of the email contain a large amount of information about the journey the message has taken. If the receiving mail server is configured to check for SPF records, the server will look at the message it has received, analyse the headers and attempt to match the email address of the sender to an authorised source email server. If the records do not match, then the email is rejected. 

One of the common tricks used by spammers is to forge the 'from' address in an email. The idea with SPF is that it will put an end to this nefarious tactic and reduce global spam. In practice, however, what we have seen is that virtually no (large) mail servers have been set up to perform the verification, for example the mail servers of a large ISP like Bigpond, or free services like Hotmail or Gmail. SPF in many ways was relying on ubiquitous adoption by all mail service providers; as this has not happened, the value of SPF has been significantly limited. The other major reason SPF has struggled to find acceptance is that spammers typically move swiftly and ingeniously to circumvent new technologies that are put in place as barriers. Naturally, many of the early adopters who included SPF records in zone files, for disposable domain names, were the spammers themselves.

So what is the value of SPF records today? If you are managing your own mail server, I'm sure at some stage you have been the recipient of what is termed a 'Joe Job'. This is where a spammer hijacks your domain by forging the 'from' address of their emails as one of your legitimate business email addresses. When they then start a spam run, which may total millions and millions of emails, your valid business email address receives all the bounce messages for emails that can't be delivered. This can slow your mail server to a crawl for hours, if not days. SPF can be an effective tool in combating this.