In this post I want to break down & cover SPF in more detail, especially as I continue to embark on the email security journey/track. Before beginning, here is another brief overview of what SPF entails:
SPF is a simple validation system designed to provide a mechanism to allow receiving mail exchangers to verify that incoming mail from a domain is being sent by authorized hosts. SPF is generally considered an email anti-spam technique.
Remember that SPF authenticates the message path & authorizes senders via DNS TXT records. SPF's main goal is to verify the envelope part of the email (the envelope-from sender). The receiving server is the one responsible for checking the sending server's IP address against the hosts the domain owner has published in the domain's SPF record.
Taking a deeper dive into SPF, it is important to know the SPF mechanism syntax. A mechanism describes a set of hosts that are designated outbound mailers for the respective domain. Note that multiple domains can be used via additional "include" entries. However, you can only include up to 10 domains. So here is a breakdown of each mechanism:
all : always matches and is typically seen at the end of a record
ip4 : denotes an ipv4 host/range
ip6 : denotes an ipv6 host/range
a : A records for domain are tested; A record must match client IP exactly;
mx : all A records for domain are tested in order of MX priority; if client IP is found among them, then the mechanism matches
ptr : hostname/s for client IP are looked up using PTR queries; at least one of the A records for PTR hostname must match;
exists : performs a query on the provided domain;
include : specified domain is searched for a match;
Mechanisms are typically prefixed with one of four qualifiers:
+ (Pass), - (Hard Fail), ~ (SoftFail), ? (Neutral)
It is best practice to use either ~all or -all at the end of an SPF record to explicitly indicate what the result should be when no match is found.
SPF also has modifiers, redirect & exp.
redirect modifier : takes a domain value. If there is no SPF record for the domain, the result is unknown.
exp modifier : also takes a domain value. If the evaluation of an SPF record fails with something like "-all", & the exp modifier is present, then an explanation is returned.
Next I will cover the possible results of evaluating an SPF record:
None: either no valid DNS domain name was found, or no SPF record was found on the domain;
Neutral: it's not stated whether the client IP address is allowed;
Pass: the client IP address is allowed;
Fail: the client IP address is not allowed;
Softfail: the client IP address is probably not allowed;
Temperror: the SPF module encountered a transient (network) error while performing the check;
Permerror: the domain’s published records could not be correctly interpreted. This signals an error condition that definitely requires DNS operator intervention to be resolved.
Note that when no qualifier is prepended to an SPF mechanism, it defaults to "+" (pass).
Now I will break down a very simple SPF record example so we can understand the components used:
"v=spf1 ip4:1.1.1.1 include:example.com -all"
This example SPF record essentially states the following: version 1 (v=spf1), 1.1.1.1 is the host allowed to send emails on behalf of the domain, search & include the example.com domain for a match, & hard fail when nothing matches.
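To make the mechanisms, qualifiers and the record above concrete, here is an added Python example (not code from the original post) that parses an SPF record and evaluates a client IP against it. It goes a little beyond the single record in the post: it follows include: into other records, counts lookups so that an include loop ends in permerror instead of recursing forever, and treats a malformed record as permerror. The DNS table is a constructed stand-in for real TXT lookups so the code runs offline; example.net is assumed to publish the record from the post, and the other zones are made up to exercise the edge cases.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups (assumption: not real zone data).
# example.net carries the record from the post; the other entries exercise edge cases.
FAKE_DNS_TXT = {
    "example.net": "v=spf1 ip4:1.1.1.1 include:example.com -all",
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # include loop -> lookup limit
    "bad.example": "v=spf1 ip4:not-an-ip -all",          # unparseable -> permerror
}

MAX_DNS_LOOKUPS = 10  # limit on DNS-querying mechanisms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) triples.

    Modifiers (redirect=, exp=) come back as ("modifier", name, value).
    A missing qualifier defaults to "+" (pass).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            name, _, value = term.partition("=")
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_host(client_ip, domain, dns=FAKE_DNS_TXT, lookups=None):
    """Return the SPF result for client_ip sending on behalf of domain.

    Supports ip4, ip6, include and all. Mechanisms that need live DNS
    (a, mx, ptr, exists) and the redirect modifier are out of scope here and
    yield permerror so they are never silently treated as a pass.
    """
    if lookups is None:
        lookups = [0]  # shared counter across include recursion
    record = dns.get(domain)
    if record is None:
        return "none"
    try:
        ip = ipaddress.ip_address(client_ip)
        for qualifier, name, value in parse_record(record):
            if qualifier == "modifier":
                if name == "redirect":
                    return "permerror"
                continue  # exp= only changes the explanation text
            if name in ("ip4", "ip6"):
                net = ipaddress.ip_network(value, strict=False)  # 1.1.1.1 -> /32
                if net.version != (4 if name == "ip4" else 6):
                    raise ValueError("address family does not match mechanism")
                if ip in net:  # a v4 address is never inside a v6 network
                    return QUALIFIERS[qualifier]
            elif name == "include":
                lookups[0] += 1
                if lookups[0] > MAX_DNS_LOOKUPS:
                    return "permerror"
                inner = check_host(client_ip, value, dns, lookups)
                if inner == "pass":
                    return QUALIFIERS[qualifier]
                if inner in ("none", "permerror", "temperror"):
                    return "permerror"
                # fail / softfail / neutral inside an include do not match;
                # evaluation continues with the next mechanism
            elif name == "all":
                return QUALIFIERS[qualifier]
            else:
                return "permerror"
    except ValueError:
        return "permerror"  # malformed record or address
    return "neutral"  # record exhausted without a match and without an "all"


if __name__ == "__main__":
    for ip in ("1.1.1.1", "192.0.2.10", "203.0.113.5"):
        print(ip, "->", check_host(ip, "example.net"))
```

Running it against example.net gives pass for 1.1.1.1 (direct ip4 match), pass for 192.0.2.10 (matched inside the included example.com record) and fail for 203.0.113.5 (the trailing -all). Note how a softfail inside the include does not propagate: only a pass from an included record counts as a match, which is why the outer record's own -all decides the result.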
Here is an in-depth example of SPF verification. The Received-SPF headers below show that two identities were verified by SPF (mailfrom, which passed, and helo, which returned none):
Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of
united.5765@envfrm.rsys2.com designates 12.130.136.195 as
permitted sender) identity=mailfrom;
client-ip=12.130.136.195; receiver=mx1.hc4-93.c3s2.smtpi.com;
envelope-from="united.5765@envfrm.rsys2.com";
x-sender="united.5765@envfrm.rsys2.com";
x-conformance=sidf_compatible; x-record-type="v=spf1"
Received-SPF: None (mx1.hc4-93.c3s2.smtpi.com: no sender
authenticity information available from domain of
postmaster@omp.news.united.com) identity=helo;
client-ip=12.130.136.195; receiver=mx1.hc4-93.c3s2.smtpi.com;
envelope-from="united.5765@envfrm.rsys2.com";
x-sender="postmaster@omp.news.united.com";
x-conformance=sidf_compatible
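The two headers above are what an analyst or a filter rule reads back out of a message. The Python below is an added example, not part of the original post: it unfolds the folded header lines, pulls the result, identity and client-ip fields out of each Received-SPF header, and reports the result for the mailfrom identity, which is the one the envelope check is about. The sample text is the post's own two headers with the folding whitespace restored (constructed for this example).

```python
import re

# Constructed sample: the two Received-SPF headers from the post, with the
# leading whitespace that folds continuation lines put back.
SAMPLE_HEADERS = """Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of
 united.5765@envfrm.rsys2.com designates 12.130.136.195 as
 permitted sender) identity=mailfrom;
 client-ip=12.130.136.195; receiver=mx1.hc4-93.c3s2.smtpi.com;
 envelope-from="united.5765@envfrm.rsys2.com";
 x-sender="united.5765@envfrm.rsys2.com";
 x-conformance=sidf_compatible; x-record-type="v=spf1"
Received-SPF: None (mx1.hc4-93.c3s2.smtpi.com: no sender
 authenticity information available from domain of
 postmaster@omp.news.united.com) identity=helo;
 client-ip=12.130.136.195; receiver=mx1.hc4-93.c3s2.smtpi.com;
 envelope-from="united.5765@envfrm.rsys2.com";
 x-sender="postmaster@omp.news.united.com";
 x-conformance=sidf_compatible
"""

# result keyword, optional parenthesised comment, then the key=value fields
HEADER_RE = re.compile(r"^Received-SPF:\s*(\w+)\s*(?:\(([^)]*)\))?\s*(.*)$", re.I)


def unfold(raw):
    """Join folded header continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received_spf(raw):
    """Return one dict per Received-SPF header with result, comment and fields."""
    results = []
    for line in unfold(raw):
        m = HEADER_RE.match(line)
        if not m:
            continue
        result, comment, rest = m.groups()
        fields = {}
        for part in rest.split(";"):
            if "=" in part:
                key, _, value = part.partition("=")
                fields[key.strip().lower()] = value.strip().strip('"')
        fields["result"] = result.lower()
        fields["comment"] = (comment or "").strip()
        results.append(fields)
    return results


def mailfrom_result(raw):
    """Result and client IP of the mailfrom (envelope) check, or ("none", None)."""
    for header in parse_received_spf(raw):
        if header.get("identity") == "mailfrom":
            return header["result"], header.get("client-ip")
    return "none", None


if __name__ == "__main__":
    for header in parse_received_spf(SAMPLE_HEADERS):
        print(header["identity"], header["result"], header["client-ip"], header.get("x-sender"))
    print("mailfrom:", mailfrom_result(SAMPLE_HEADERS))
```

On the sample this yields pass for the mailfrom identity and none for the helo identity, both from client IP 12.130.136.195. A rule that only looks at the first Received-SPF header, or that mixes the two identities together, would misread a message like this one, which is why the helper keys on identity=mailfrom explicitly.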
There are tons of tools that aid in verifying SPF records. However, a quick and easy way is via nslookup: open a command prompt --> nslookup --> set type=txt --> enter the domain name
Example: [screenshot of the nslookup session from the original post; not reproduced here]
The next little piece I want to share is how SPF verification relates to the ESA at a very high level. SPF verification is configured in mail flow policies. Per Cisco, the easiest way is to turn it on globally in the respective listener. Remember that SPF verification only verifies the message & then inserts a set of headers for each SPF check performed. Once the configured mail flow policies verify a message, a configured action is taken.
Lastly, here are a few good-to-knows:
SPF records cannot have more than 255 characters
SPF publishers must add a record to each hostname or subdomain containing an A or MX record
There are tons of SPF record generators out there that can help with setting up a record properly
Thanks for checking this post out. See the <esa> tag for more. Cheers!