Every organization fights a daily battle against the onslaught of email phishing, spam, and other types of malicious email. There is always a fine line to draw between the defenses you put in place and the intensity of those filters, so that they do not start blocking legitimate company email. Office 365 does a phenomenal job analyzing the over 400 billion emails the service receives every month (April 2018); however, there are basic email DNS records you can set up that will further help you in these battles. In this blog, I will focus on SPF records: what they are, why you want to implement them, and how to implement them.
There are three types of email-related DNS records that you can easily create to help other organizations verify that email sent on behalf of your organization is legitimate. On the flip side, your email system can review the same records to help determine the authenticity, or level of trust, of email received from other organizations. These three records are:
SPF = Sender Policy Framework
DKIM = DomainKeys Identified Mail
DMARC = Domain-based Message Authentication, Reporting and Conformance
Each of these record types has been around for five or more years, so they are not new. While these email DNS records are fairly simple to implement, their adoption rate is somewhat low.
An SPF record is a TXT record placed at the root of the DNS domain. There should be only ONE such record per domain. Below are formatting tips:
- The proper formatting of an SPF record will always start with v=spf1, and the record will always end with an "all" mechanism, normally -all. The -all indicates that the list of authorized senders is complete and that anyone else sending email as my domain should not be trusted. Here are the alternate endings:
- -all = Do not accept mail from anyone outside of this list. I recommend using this option.
- ~all = This is a soft fail. It means that recipients may accept mail from senders outside of this list, but they should be viewed as suspicious.
- ?all = This is neutral. I recommend never using this setting…what is the point?
- In between the start and the end of the record (between v=spf1 and -all) is a list of the places where you have authorized your email to come from.
- Use IPv4 addresses where needed.
- Use service provider hostnames in your SPF record. As an example, if your email is hosted by Microsoft Office 365, you will need to include the following text in your SPF record: include:spf.protection.outlook.com. This include covers all of the hundreds if not thousands of IP addresses used for sending email from Office 365.
- If you are using a 3rd party marketing agency to send newsletters to your clients, for example, this agency will most likely be sending email as you. So, you will need to list their sending email servers (IP addresses or hostname(s)) in your SPF record. Otherwise, most of this marketing email will be marked as spam by most email hosting companies.
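As an added example (not code from the original post), here is a small Python evaluator that shows how a receiving mail server reads these mechanisms: it parses a record, walks the terms left to right, follows include: entries, and returns the result dictated by the qualifier on the matching term or on the final all. The include names are the real Office 365 and Mailchimp hostnames mentioned in this post, but the DNS answers are a constructed in-memory table using documentation IP ranges, not what those hosts actually publish; real code would resolve them over DNS.

```python
import ipaddress

# Constructed stand-in for DNS answers. The hostnames are the real include
# targets named in this post, but the records below are made up for the
# example (documentation ranges), NOT what those hosts actually publish.
FAKE_DNS = {
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "servers.mcsv.net": "v=spf1 ip4:203.0.113.0/24 ?all",
}

# Qualifier prefix -> SPF result when that mechanism matches. No prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples.

    Enforces the formatting rules from the post: the record starts with v=spf1,
    terms are separated by single spaces (no commas or semicolons), and the
    last term is an "all" mechanism.
    """
    terms = record.split(" ")
    if terms[0] != "v=spf1":
        raise ValueError("record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        if term == "":
            raise ValueError("empty term: check for double or trailing spaces")
        if "," in term or ";" in term:
            raise ValueError(f"{term!r} uses a separator other than a space")
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    if not parsed or parsed[-1][1] != "all":
        raise ValueError("record must end with an all mechanism (-all, ~all or ?all)")
    return parsed


def is_valid_spf(record):
    """True if parse_spf accepts the record, False otherwise."""
    try:
        parse_spf(record)
        return True
    except ValueError:
        return False


def check_sender(record, sender_ip, dns=FAKE_DNS, depth=0):
    """Return pass, fail, softfail or neutral for sender_ip under record."""
    if depth > 10:
        raise ValueError("include nesting too deep")
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            # Nothing earlier matched: the trailing all decides the outcome.
            return QUALIFIERS[qualifier]
        if mechanism == "ip4":
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # An include matches only if the referenced domain's own record
            # returns "pass" for this IP; its fail/softfail/neutral never match.
            sub_record = dns.get(argument)
            if sub_record and check_sender(sub_record, sender_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # Other mechanisms (a, mx, ip6, ...) are not modelled in this example.
    return "neutral"  # unreachable while parse_spf enforces a trailing all


if __name__ == "__main__":
    office365_only = "v=spf1 include:spf.protection.outlook.com -all"
    with_mailchimp = "v=spf1 include:servers.mcsv.net include:spf.protection.outlook.com -all"
    print(check_sender(office365_only, "198.51.100.7"))   # pass
    print(check_sender(office365_only, "203.0.113.5"))    # fail: Mailchimp range not listed
    print(check_sender(with_mailchimp, "203.0.113.5"))    # pass
    print(check_sender(office365_only.replace("-all", "~all"), "203.0.113.5"))  # softfail
```

The three runs with the same unauthorized IP make the ending choice concrete: with -all the receiver gets a hard fail, with ~all a softfail it may still deliver but treat as suspicious, and with ?all a neutral result that tells the receiver nothing, which is why the post recommends -all.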
Setup DNS SPF Records
One of the many great features if you use Microsoft Office 365 with GoDaddy as your DNS provider is the tight integration between the two services. When you moved your email environment to Microsoft Office 365, one of the steps allowed the Office 365 service to automatically configure your MX and SPF records in GoDaddy. At the bottom of this page is a short video with recorded steps to add the SPF record in GoDaddy or to verify that your records are set up correctly. Similar steps can be used to set up, verify, or edit records with other DNS providers.
Add Third Party Email Sender to Your SPF Record
There are cases where your Marketing or Human Resources department wants to send newsletters to your internal recipients through an external third party who specializes in these types of communications. In such cases, you will need to add that third-party sender’s email sending information to your SPF record.
Let’s use Mailchimp.com as an example of a popular third-party email sender. On their website, they list the proper SPF and DKIM record changes to make so that their email is accepted as legitimate and lands properly in user Inboxes. In our GoDaddy.com account, we need to edit the SPF record to include the Mailchimp sending servers with include:servers.mcsv.net. The short video below also describes how to make this change. Notice that there is only a space between include:servers.mcsv.net and the existing entry include:spf.protection.outlook.com. These entries should never be separated by a comma, semicolon, or any separator other than a space.
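As an added example, not from the post or from Mailchimp, here is a Python helper that makes the edit described above programmatically: it inserts include:servers.mcsv.net (or any hostname) before the final all mechanism using a single space as the separator, and refuses to produce a record that contains commas or semicolons, lacks v=spf1, or lacks a closing all term. This is useful when the SPF record is managed from a script or an infrastructure-as-code pipeline instead of the GoDaddy UI.

```python
# Accepted forms of the closing mechanism; "all" with no prefix means "+all".
ALL_TERMS = ("all", "+all", "-all", "~all", "?all")


def add_include(record, hostname):
    """Return a copy of record with include:hostname placed before the final all.

    Rejects records that do not start with v=spf1 or end with an all term, and
    records whose terms are glued together with commas or semicolons, so a badly
    formed record is never written back to DNS. Adding a hostname that is
    already present is a no-op, which keeps the function safe to re-run.
    """
    terms = record.strip().split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    if terms[-1] not in ALL_TERMS:
        raise ValueError("record must end with an all mechanism such as -all")
    for term in terms:
        if "," in term or ";" in term:
            raise ValueError(f"{term!r}: terms must be separated by a single space only")
    new_term = f"include:{hostname}"
    if new_term in terms:
        return " ".join(terms)
    return " ".join(terms[:-1] + [new_term, terms[-1]])


if __name__ == "__main__":
    current = "v=spf1 include:spf.protection.outlook.com -all"
    updated = add_include(current, "servers.mcsv.net")
    print(updated)  # v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all
    # Running it again changes nothing.
    print(add_include(updated, "servers.mcsv.net") == updated)  # True
```

Order of the include terms does not matter for SPF; what matters is that both live in the one TXT record, separated by a single space, with the all mechanism still last.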