Email

This is a work in progress, and not quite ready for primetime

Email Authentication Tools

About SPF

An SPF record is a DNS record that has to be added to the DNS zone of your domain. In this SPF record you can specify which IP addresses and/or hostnames are authorized to send email from the specific domain.

The mail receiver will use the “envelope from” address of the mail (mostly the Return-Path header) to confirm that the sending IP address was allowed to do so. This will happen before receiving the body of the message. When the sending email server isn’t included in the SPF record from a specific domain the email from this server will be marked as suspicious and can be rejected by the email receiver.

What SPF doesn’t do

SPF is a great technique to add authentication to your emails. However it has some limitations which you need to be aware of.

• SPF does not validate the “From” header. This header is shown in most clients as the actual sender of the message. SPF does not validate the “header from”, but uses the “envelope from” to determine the sending domain

• SPF will break when an email is forwarded. At this point the ‘forwarder’ becomes the new ‘sender’ of the message and will fail the SPF checks performed by the new destination.

• SPF lacks reporting which makes it harder to maintain

Key technical points

• SPF record should not cause more than 10 DNS calls, including "includes", "mx" and "a" records

• You can directly insert IP address to reduce the number of look-ups

• Each SPF record cannot exceed 512 bytes, which is approximately 460 characters taking into account overhead (478 less the length of the record's hostname to be more exact.) In addition, each record can contain 2 text strings, each no longer than 255 characters.

• You only need to set an "all" flag on the primary SPF record.