What is SPF and how does it work?

Also available: Deutsch (Deutschland) Français (France) Italian

To avoid fraudulent senders and phishing abuse, you can create what are known as SPF records for a domain. In this article we will answer frequently asked questions on the subject of "SPF".

What is SPF?

SPF stands for "Sender Policy Framework" and is a method for e-mail authentication. SPF determines which mail servers or IP addresses are allowed to send e-mails with a domain. When an e-mail is received, the recipient's server calls up the DNS zone of the sender domain. It then compares whether the sender's server matches the information in the SPF record.

How does SPF work?

Let’s take the example of the domain name your-own-domain.ch.

The following SPF record is available in the DNS zone for this domain:

"v=spf1 mx ip4:217.26.52.22/23 -all"

This record can have the type TXT or SPF. This SPF record authorizes the mail server in the subnet 217.26.52.22/23 to send e-mails with your domain @your-own-domain.ch.

If you now send an e-mail via this domain, the recipient's incoming mail server checks whether the outgoing mail server is actually authorized to send e-mails via this domain. To do this, the mail server compares the IP address of the sending mail server with the one in the domain's SPF record.

If the check is successful, the e-mail is delivered. However, if the check fails, the e-mail is rejected, as the SPF record specifies that only the server with the IP address 217.26.52.22/23 may send e-mails via this domain and all others may not (-all).

How do I make sure that my e-mails are received?

To ensure that your e-mails are received wherever possible, we recommend that you use the valid outgoing mail server specified by your web hosting provider. This will reduce the risk of the recipient rejecting your e-mails due to a negative SPF record check.

As a Hostpoint customer, please use these mail servers.

How can I view an SPF record?

You can view an SPF record in different ways, for example via a website like this one or via the "dig" command:

dig spf your-own-domain.ch

dig txt your-own-domain.ch

Information on the structure and content of an SPF record can be found here.

How do I set an SPF record?

You can find out how to set an SPF record for your domain in this article.

Problems with GMX

Problems often occur especially when sending e-mails with an e-mail address from GMX.

The SPF record then looks like this, for example:

"v=spf1 ip4:213.165.64.0/23 ip4:74.208.5.64/26  ip4:212.227.15.0/25 ip4:212.227.17.0/27 ip4:74.208.4.192/26 ip4:82.165.159.0/24 -all"

GMX therefore wants customers to send e-mails only via the listed GMX outgoing mail servers. This can be seen in the example by the addition -all. If a customer uses an outgoing mail server other than those listed, the SPF check will fail at the recipient's end.

Hostpoint will reject the e-mail in this case. Therefore, please use the outgoing mail servers of GMX to send e-mails with your @gmx.ch or @gmx.net e-mail address.

Problems with e-mail forwarding

With e-mail forwarding, the route of the e-mail is longer as it takes a detour via the server on which the forwarding is set up.

This means that a new mail server - namely the mail server on which the forwarding is set up - delivers the e-mail and no longer the sender's outgoing server.

In such a case, the SPF record check fails because the IP address of the forwarding server is not listed in the SPF record of the sender domain.

Example:

Sender: This email address is being protected from spambots. You need JavaScript enabled to view it.
Recipient: This email address is being protected from spambots. You need JavaScript enabled to view it.
Forwarding to: This email address is being protected from spambots. You need JavaScript enabled to view it.

When the e-mail arrives at Hostpoint, the sender is still an @gmx.ch address, but the mail server that wants to deliver the e-mail is myhost.ch and does not comply with GMX's SPF record restrictions. In this case, Hostpoint will reject the e-mail.

The following measures are possible solutions:

  • The SPF record is "loosened", for example by replacing the qualifier -all with the qualifier ~all or by including additional mail servers.
    The problem with this option: How do you know which of the recipients work with e-mail forwarding? It is impossible to include all servers and the effort required for ongoing maintenance would be enormous.

  • The SPF record is deactivated.
    This would solve the problem. However, the SPF record was originally set up to prevent phishing and abuse. Deactivating the SPF record would also remove this desired effect.

  • The forwarding mail server rewrites the e-mail using SRS (Sender Rewriting Scheme), so that the SPF check is positive on the next delivery.

Hostpoint uses the SRS solution. This means that the e-mail is automatically rewritten when it is forwarded. However, this only applies if the e-mail is forwarded by Hostpoint.

Please use this form only to provide feedback on the above guide.
For support requests please use this form instead.

 

Unable to find what you were looking for?

Our support experts are happy to assist you personally!

CONTACT SUPPORT

 

© 2001 - Hostpoint AG