DNS SPF Record

In DNS (Domain Name System), SPF stands for Sender Policy Framework. SPF records indicate whether an email server is verified for a particular domain, in order to prevent spoofing.

What is a DNS SPF Record?

Email spoofing is a rather easy way to gain entry into a network. Malicious attackers can fake headers or email addresses to appear as a trusted person on the other end of an email. To prevent spoofing, or at least mitigate some of these malicious attacks, admins can use SPF records in their DNS zones. An SPF (Sender Policy Framework) record lists all of the servers that are allowed to send emails for a particular domain. This way, when a receiving email server has an incoming email, it may check the SPF record using a DNS lookup to make sure that the sending server is, in fact, on the verified list of sending email servers for that specific domain.

An SPF record is actually a type of DNS TXT record, perhaps the most common type. An SPF record is different from an MX (Mail Exchange) record, though. An MX record contains the DNS name of a mail server in a particular zone or domain, which a client can use to send email, whereas the SPF record contains the list of names of mail servers so that incoming mail can be verified as safe by either a mail server or a specialized email security solution. In many cases an SPF check is only one of the tests carried out to ensure an email is safe to open.

There are four results which may be received after performing an SPF check:

  • None: There are no SPF records published by that domain
  • Neutral: An explicit statement that the domain owner can’t or won’t verify email servers on that domain
  • Pass: The server is verified
  • Fail: The server is not on the list and therefore not verified
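The check described above, as an added Python example that is not part of the original page: it evaluates a sending server's IP against a record such as `v=spf1 a mx -all` and returns one of the results listed. The zone data, domain names and the function names `spf_record` and `check_spf` are constructed for the example, and only the `a`, `mx`, `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed zone data standing in for live DNS answers (documentation IP ranges).
ZONE = {
    "txt": {
        "example.com": ["v=spf1 a mx -all"],
        "example.net": ["v=spf1 ip4:198.51.100.0/24 ?all"],
        "example.org": ["site-verification=constructed"],  # TXT, but not SPF
    },
    "a": {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.25"]},
    "mx": {"example.com": ["mail.example.com"]},
}

# Qualifier prefix -> result. "~" (SoftFail) comes from RFC 7208, not this page.
QUALIFIERS = {"+": "Pass", "-": "Fail", "?": "Neutral", "~": "SoftFail"}


def spf_record(domain, zone=ZONE):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    found = [t for t in zone["txt"].get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) > 1:
        raise ValueError("more than one SPF record published for " + domain)
    return found[0] if found else None


def check_spf(sender_ip, domain, zone=ZONE):
    """Evaluate the sending server's IP against the domain's SPF record."""
    ip = ipaddress.ip_address(sender_ip)
    record = spf_record(domain, zone)
    if record is None:
        return "None"
    for term in record.split()[1:]:
        # A mechanism without a qualifier prefix defaults to "+" (Pass).
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in zone["a"].get(arg or domain, [])
        elif name == "mx":
            hosts = zone["mx"].get(arg or domain, [])
            matched = any(str(ip) in zone["a"].get(h, []) for h in hosts)
        else:
            raise NotImplementedError("term not covered by this example: " + term)
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"  # nothing matched and no "all" term: RFC 7208 default
```

Terms are evaluated left to right and the first match decides the result, which is why `-all` is placed last in a record.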

How to Check for SPF Records?

You can check for SPF records in a few ways, but two of the most popular are to use dig or nslookup. If you don’t have dig installed, you can use Men&Mice's online DIG tool.

To look for SPF records, specify the type as TXT and then look for information resembling an SPF record, such as:

“v=spf1 a mx -all”

For example, when I use nslookup at the command line I’ll type in: nslookup -type=txt google.com

One of the records in the output is the following:

How to Create an SPF Record

The way you set up an SPF record will depend on what you’re using for DNS management. If you’re using Micetro to create a new SPF record then you will do the following:

  • Open the Micetro Web UI
  • Click on DNS
  • Double-click on the zone for which you’d like to create an SPF record
  • Click Create
  • Enter a Record Name
  • Choose SPF as the Record Type
  • Enter a proper TTL value
  • Enter the SPF TXT information
  • Click Create Now or Add to Request depending on your credentials