DNS problems affecting e-mail delivery: SPF Records

Having outgoing e-mail rejected due to domain name system configuration issues is a common problem that Internet e-mail server administrators face. There are eight things you can check to make sure that your DNS is configured for optimum delivery. I will cover a different item on each day of this series.

Are you sending e-mail from your domain from a server that is authorized in your domain's DNS SPF records?

Sender Policy Framework, also known as SPF, is defined in Internet RFC 4408. The experimental protocol, when implemented correctly by the sender and recipient, can help prevent forged e-mail addresses and e-mail paths.

Unfortunately, incorrect implementations can also hinder even legitimate e-mail communications.

Although I'm not going to go into detail on how to set up an SPF record, in this article, I am going to help you determine if you have an SPF record for your domain and whether it may be configured incorrectly.

To get started, I recommend using Microsoft's SPF Record Wizard. Simply type your domain name on the first page and click on the "Start" button. It will help you determine your domain's current SPF record, and it will help you determine what your DNS SPF record's value should be based on your answers to questions about which e-mail servers send e-mail for your domain.

Don't forget that the SPF record is a new DNS resource record type; however, it can also be implemented via a TXT record in your domain's DNS zone. Be sure that you're looking for both record types if you're not using the above wizard.

To check your domain's DNS SPF record without the above wizard, you can use the dig command on UNIX/Linux and the nslookup command on Windows. Below is an example using example.com in place of your domain name.

dig example.com SPF
dig example.com TXT

nslookup -query=SPF example.com
nslookup -query=TXT example.com

Domain used in sender e-mail address

The SPF record for your domain will list the e-mail servers that are authorized to send e-mail where your domain name is in the sender's e-mail address as listed in the MAIL FROM command part of the SMTP session. This isn't the same as the e-mail address listed in the "From" header. The MAIL FROM address typically isn't listed in the headers of the e-mail message at all, but is sometimes listed in the "Return-Path" header.

Domain used in HELO

One of the most common problems with SPF records is that people don't realize that SPF is also used to check the domain name used by your computer in its HELO/EHLO greeting. For instance, you may be sending an e-mail message from john@example.com, but your e-mail server is named mail.example.com. You may have an SPF record for example.com that lists your e-mail server as being authorized to send e-mail for your domain of example.com, but also have an SPF record for mail.example.com that doesn't list that e-mail server. Typically you should have an SPF record for your e-mail server's hostname that consists simply of an "a" mechanism. For example:

example.com. TXT "v=spf1 a:smtp.example.com -all"
smtp.example.com. TXT "v=spf1 a -all"

E-mail sent from your Web server and mailing list service

The most common cause of an SPF failure is having your Web site generate e-mail from a Web form or Web application, but forgetting to list your Web server in your SPF record as being authorized to send e-mail from your domain.

The second most common cause of an SPF failure is outsourcing your mailing list and bulk mailings, but forgetting to update your domain's SPF record to list the third-party mailer's e-mail servers as being authorized to send e-mail from your domain.

There is no RFC that requires SPF records for a domain. However, if configured, SPF records require planning and perfect implementation to avoid causing e-mail delivery issues. Additionally, having SPF records may help your e-mail get a better score when going through a weighted heuristic spam filter. I do recommend setting up SPF records for your domain if you have the skills to implement them correctly, but I don't recommend using SPF checks to filter out e-mail. Instead, I recommend simply tagging messages that fail SPF checks with something like [Forged Sender]. This will give you the appropriate heads-up that the message could be from a forged sender.
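To tie together the MAIL FROM check, the HELO check and the tagging advice above, here is an added example (not code from the original article) of a minimal SPF evaluator. It runs against a constructed in-memory DNS table instead of real DNS, handles only the "a", "ip4" and "all" mechanisms, and models the two records shown earlier plus a Web server (www.example.com) and a misconfigured mail.example.com, all of which are assumptions for the demonstration.

```python
# Added example: a minimal SPF check over a constructed DNS table (not real DNS).
# Only the "a", "ip4" and "all" mechanisms are handled; include/mx/redirect are
# ignored, so treat this as an illustration of RFC 4408 logic, not a full checker.
import re
import ipaddress

# Constructed zone data standing in for TXT and A answers from real DNS.
DNS = {
    "example.com":      {"TXT": ["v=spf1 a:smtp.example.com -all"], "A": ["192.0.2.10"]},
    "smtp.example.com": {"TXT": ["v=spf1 a -all"], "A": ["192.0.2.25"]},
    "mail.example.com": {"TXT": ["v=spf1 -all"], "A": ["192.0.2.26"]},  # server missing from its own record
    "www.example.com":  {"A": ["192.0.2.80"]},                          # Web server, no SPF record at all
}

def lookup(name, rtype):
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])

def spf_record(domain):
    recs = [r for r in lookup(domain, "TXT") if r == "v=spf1" or r.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None  # zero or multiple records -> no usable policy

def check_spf(domain, client_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for client_ip sending as domain."""
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.lower().split()[1:]:
        qual, mech = re.match(r"([-~?+]?)(.*)", term).groups()
        result = {"-": "fail", "~": "softfail", "?": "neutral", "": "pass", "+": "pass"}[qual]
        name, _, arg = mech.partition(":")
        if name == "all":
            return result
        # "a" with no argument means the domain being checked; "a:host" names another host
        if name == "a" and any(ipaddress.ip_address(a) == ip for a in lookup(arg or domain, "A")):
            return result
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return result
    return "neutral"  # no mechanism matched and no trailing "all"

def tag_subject(subject, helo, mail_from, client_ip):
    """Tag rather than reject: prefix [Forged Sender] if either the HELO or the MAIL FROM domain fails."""
    helo_result = check_spf(helo, client_ip)
    from_result = check_spf(mail_from.rsplit("@", 1)[-1], client_ip)
    if "fail" in (helo_result, from_result):
        return "[Forged Sender] " + subject
    return subject
```

Note that a message from the Web server is tagged because example.com's record names only smtp.example.com, and a message relayed through mail.example.com is tagged by the HELO check even though the MAIL FROM domain is the same.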

Other articles in this series:

DNS problems affecting e-mail delivery: sender domain

DNS problems affecting e-mail delivery: mailserver name

DNS problems affecting e-mail delivery: PTR records