SPF (Sender Policy Framework)

What is SPF?

SPF, or Sender Policy Framework, is an authentication protocol designed to validate the “HELO” and “MAIL FROM” fields in an email transmission. It provides a method whereby a domain administrator can explicitly authorize which hosts are allowed to send mail for a domain, which can be verified by the recipient’s mail server. The current SPF standard is published in RFC 7208.

How does SPF work?

SPF is published as a DNS TXT record. The receiving mail server checks the IP address of the sending mail server against the SPF record for the HELO/MAIL FROM domain to confirm that the record authorizes that IP address. An example SMTP transaction might look like this:

220 mx.google.com ESMTP c125si9817506pfg.356 - gsmtp
EHLO mta-c-24-39.infusionmail.com
250-mx.google.com at your service, [208.76.24.39]
250-SIZE 157286400
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
MAIL FROM: <mailer@infusionmail.com>
250 2.1.0 OK c125si9817506pfg.356 - gsmtp
RCPT TO: <recipient@gmail.com>
250 2.1.5 OK c125si9817506pfg.356 - gsmtp
DATA
354  Go ahead c125si9817506pfg.356 - gsmtp
FROM: sales@mydomain.com
TO: recipient@gmail.com
Subject: Check out our hot deals this summer!

40% off your next order if you buy today!
.
250 2.0.0 OK 1507046193 c125si9817506pfg.356 - gsmtp

The HELO address in this example is mta-c-24-39.infusionmail.com and the MAIL FROM address in this example is mailer@infusionmail.com. Therefore, the domain name that will be checked for SPF is infusionmail.com. The IP address that sent the message is 208.76.24.39.

Upon receiving the message, Google will do a DNS lookup on infusionmail.com to check whether it has an SPF record published. In this case, it does:

v=spf1 a:infusionsoft.com ip4:208.76.24.0/22 ip4:70.166.203.186 ip4:70.166.203.176/28 ip4:70.166.189.64/29 -all

SPF record syntax is explained in depth at http://www.openspf.org/SPF_Record_Syntax. Let’s examine what this record means:

v=spf1

This is the version of SPF being used. Currently, only one version of SPF exists - spf1. All SPF records will start with this string.

a:infusionsoft.com

The IP address published in the DNS A record for infusionsoft.com is allowed to send mail for infusionmail.com. Google would do a DNS lookup to resolve this IP address:

;; ANSWER SECTION:
infusionsoft.com.	600	IN	A	54.153.24.91

Therefore, mail coming from 54.153.24.91 is defined as allowed by this SPF record.

ip4:208.76.24.0/22 ip4:70.166.203.186 ip4:70.166.203.176/28 ip4:70.166.189.64/29

These are IP addresses and IP ranges that are explicitly allowed by the SPF record. The IP ranges are listed in CIDR notation, defined in RFC 4632. The IP address from our example, 208.76.24.39, falls within the range specified by the ip4:208.76.24.0/22 directive. Therefore, our example email passes SPF validation.

-all

This tells the receiving mail server what to do with mail from infusionmail.com that does not pass SPF validation. In this case, the SPF record requests that the receiving mail server reject all email from infusionmail.com that does not pass validation.

We can see by looking at the email headers that SPF validation was successful for our example message:

Received: from mta-c-24-39.infusionmail.com (mta-c-24-39.infusionmail.com. [208.76.24.39])
        by mx.google.com with ESMTP id c125si9817506pfg.356.2017.10.03.08.55.42
        for <recipient@gmail.com>;
        Tue, 03 Oct 2017 08:56:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of mailer@infusionmail.com designates 208.76.24.39 as permitted sender) client-ip=208.76.24.39;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of mailer@infusionmail.com designates 208.76.24.39 as permitted sender) smtp.mailfrom=mailer@infusionmail.com
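
The left-to-right evaluation walked through above can be reproduced in a few lines of Python. This is an added example, not Infusionsoft's or Google's code: check_spf and the stubbed A_RECORDS lookup table are hypothetical names, and only the ip4, a:<domain> and all mechanisms used by this record are handled.

```python
import ipaddress

# Record and DNS answer as shown on this page; the resolver is a stub so the
# example runs offline (a real checker would query DNS for TXT and A records).
RECORD = ("v=spf1 a:infusionsoft.com ip4:208.76.24.0/22 ip4:70.166.203.186 "
          "ip4:70.166.203.176/28 ip4:70.166.189.64/29 -all")
A_RECORDS = {"infusionsoft.com": ["54.153.24.91"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip, a_records):
    """Evaluate the ip4, a:<domain> and all mechanisms left to right.

    Returns (result, matched_term). Other mechanisms (include, mx, exists,
    ip6, bare "a") and modifiers are outside this sketch and raise ValueError.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None          # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term  # a missing qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True           # "all" matches every sender
        elif name == "ip4" and arg:
            # strict=False accepts a network written with host bits set
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a" and arg:
            matched = any(ip == ipaddress.ip_address(a)
                          for a in a_records.get(arg, []))
        else:
            raise ValueError(f"mechanism not handled in this sketch: {term}")
        if matched:                  # first matching mechanism decides
            return QUALIFIERS[qualifier], term
    return "neutral", None           # nothing matched (RFC 7208 default)
```

The first mechanism that matches decides the result, so a sender outside every listed address or range falls through to -all and gets a fail.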

Do I need to set up SPF with Infusionsoft?

No. The HELO and MAIL FROM address used by Infusionsoft to deliver emails on your behalf is always infusionmail.com. We handle the SPF for that domain name, so there is no need for you to set up an SPF record that authorizes our servers.

If I wanted to set up SPF anyway, how would I do so?

If you do not have an SPF record already, then you will need to create one. If you do have an existing SPF record, then you will need to modify it rather than add a second one, as the SPF protocol only supports having one record published. This guide walks you through configuring your SPF record:

http://help.infusionsoft.com/userguides/campaigns-and-broadcasts/email-deliverability-guide/configure-your-spf-records