8 September 2024

Sender Policy Framework (SPF) is an email authentication method that detects spoofed sender addresses when an email is delivered.

SPF allows a receiving email server to verify that an email claiming to be from a particular domain was sent by an authorized IP address specified by the domain’s admin. The list of servers allowed to send an email and the IP addresses for each is published in that domain’s SPF records.

In RFC 7208, April 2014, SPF is defined as a “proposed standard.”

SPF record format

A TXT record is used to define an SPF record. TXT record is also one of the types of DNS records in which text can be specified. The value of a TXT record to represent an SPF record can be something like the following:

example.com.                114   IN    TXT   "v=spf1 a mx ip4:94.101.186.147 -all"

This record always starts with “v=spf1”. “v” stands for version and names the SPF version in use; the only SPF version defined so far is SPFv1. The rest of the line lists the mechanisms that the sending host is matched against. Each mechanism may be prefixed with one of the following qualifier characters; when no qualifier is given, the mechanism is checked and applied as if it were prefixed with “+”:

  • + (pass): the defined mechanism is accepted. In other words, the address or host matched by the mechanism is allowed to send email. This is the default qualifier when none is written in the SPF record.
  • - (fail): the defined mechanism is rejected. If this character is placed before the mechanism, the address matched by the mechanism is not allowed to send email.
  • ~ (softfail): the mechanism is accepted, but mail from the matched address is labeled non-compliant.
  • ? (neutral): the mechanism is neither accepted nor rejected. Mail from the address or host matched by this mechanism may be accepted.

The mechanisms that can be used in the SPF record definition are:

  • ip4: specifies the IP addresses (single addresses or CIDR ranges) allowed to send email. If your email servers use IPv6, use ip6 instead of ip4.
  • include: specifies the SPF record of an email service that is outside your own control and management but sends email on your behalf. For example: include:_spf.google.com
  • all: matches everything, i.e. every address and host. It is usually placed at the end, after the other mechanisms, to specify how to handle IP addresses that did not match any mechanism earlier in the line.
  • +all: any server may use your domain to send email.
  • -all: when used at the end of a line containing several mechanisms, no IP address or host other than those specified in the line is allowed to send email. When used alone in the SPF record, no server at all is allowed to send email for the domain.
  • ~all: email from servers other than those matched by the preceding mechanisms is accepted but labeled non-compliant.
  • a: matches the IP addresses in the A record of the domain (or of the domain given as an argument).
  • mx: matches the IP addresses of the A records of the hosts listed in the domain’s MX records.
  • ptr: matches hosts whose PTR (reverse DNS) record points back to the domain.
  • exists: matches when the given domain name resolves to an A record; it is used to define one or more domains as special-case exceptions.

SPF Modifiers

Modifiers are name=value pairs. They are usually placed at the end of the SPF record, and each modifier may appear only once in a record:

  • redirect: refers to the SPF record of another domain. It can be used to apply the same SPF record to several domains. Note that redirect should only be used when you also manage the domain you redirect to; otherwise, use the include mechanism. An example of this modifier is:
v=spf1 redirect=_spf.yourdomain.com

Setting SPF records in the ArvanCloud user panel

To create a sample record in the ArvanCloud panel, select the domain in the user panel, click DNS records and create a new TXT record.

Common uses

Sending emails from authorized IPs

If you want only the web server on which you have enabled the email service to be allowed to send email (for example, suppose the IP address of the web server allowed to send email is 192.168.243.1), enter the @ character in the name field and a value like the following in the value field:

v=spf1 ip4:192.168.243.1

At the end of the above statement, you can also use the +a and +mx options.

Sending an email from G Suite

According to Google’s guide, the TXT record value should be set as follows:

v=spf1 include:_spf.google.com ~all

If you also send email from servers other than Google’s, the value can be defined in either of the following two ways:

v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all

Or

v=spf1 include:serverdomain.com include:_spf.google.com ~all

You can read the G Suite guide on this topic for more information.
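To show how the qualifiers, mechanisms and the redirect modifier described above combine, and what the records in the examples in this section actually return for a given sender, here is a reduced, offline evaluator of the RFC 7208 check_host algorithm. It is an added example, not ArvanCloud code: DNS is replaced by constructed in-memory tables (the domain names, the address ranges behind _spf.google.com and serverdomain.com, and the A/MX data are all assumed), and ptr, exists and macros are not modelled.

```python
import ipaddress

# Constructed in-memory "DNS" for the records discussed on this page (no real lookups).
SPF_TXT = {
    "example.com": "v=spf1 a mx ip4:94.101.186.147 -all",
    "web.example": "v=spf1 ip4:192.168.243.1",            # no all term at the end
    "gsuite.example": "v=spf1 include:_spf.google.com ~all",
    "multi.example": "v=spf1 include:serverdomain.com include:_spf.google.com ~all",
    "mirror.example": "v=spf1 redirect=example.com",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",  # constructed, not Google's real ranges
    "serverdomain.com": "v=spf1 ip4:198.51.100.7 -all",
    "v6.example": "v=spf1 ip6:2001:db8::/32 -all",
}
A_RECORDS = {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.25"]}
MX_RECORDS = {"example.com": ["mail.example.com"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """Reduced RFC 7208 check_host: SPF result for sender ip against domain's record."""
    if depth > 10:                          # RFC 7208 limits include/redirect chains to 10
        return "permerror"
    record = SPF_TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    sender = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                     # modifier (name=value); only redirect changes the result
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"   # "+" is the default qualifier
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):        # a bare address means /32 or /128; v4/v6 never match
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in A_RECORDS.get(arg or domain, [])
        elif name == "mx":
            matched = any(ip in A_RECORDS.get(mx, []) for mx in MX_RECORDS.get(arg or domain, []))
        elif name == "include":             # matches only if the included record would pass
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:                               # ptr, exists and macros are not modelled here
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]    # first match wins
    if redirect:                            # consulted only when no mechanism matched
        return check_host(ip, redirect, depth + 1)
    return "neutral"                        # no all term: the default result
```

Note that the record without an all term (web.example) yields neutral, not fail, for an unlisted sender, which is why the records under G Suite end in ~all.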

Registering records using the API

curl --location --request POST 'https://napi.arvancloud.ir/cdn/4.0/domains/example.ir/dns-records' \
--header 'authority: napi.arvancloud.ir' \
--header 'accept: application/json, text/plain,*/*' \
--header 'authorization: API 1.2.3.4' \
--header 'content-type: application/json;charset=UTF-8' \
--header 'origin: https://panel.arvancloud.ir' \
--data-raw '{"type":"TXT","name":"@","cloud":true,"value":{"text":"v=spf1 a mx ip4:192.168.1.1 -all"},"upstream_https":"default","ip_filter_mode":{"count":"single","geo_filter":"none","order":"none"},"ttl":120}'

BIND format of the record created above

example.com.          120   IN    TXT   "v=spf1 a mx ip4:192.168.1.1 -all"