How to check and read a Sender Policy Framework record for a domain
The SPF record is published as a TXT record in the domain's DNS zone, so it comes back with an ordinary DNS lookup. You can manually check the Sender Policy Framework (SPF) record for a domain by using nslookup as follows:
- Open a Command Prompt (Start > Run > cmd)
- Type “nslookup -type=txt”, a space, and then the domain/host name, e.g. “nslookup -type=txt google.com”
- If an SPF record exists, the result will contain a TXT record similar to:
“v=spf1 ip4:22.214.171.124/19 -all”
- If there are no results, or no TXT record begins with “v=spf1”, then either the record could not be retrieved for the domain or the domain does not publish one.
How to read the SPF record:
- “v=spf1” – shows that the record is an SPF record, version 1
- “ip4:126.96.36.199/19” – lists the IP network range (in CIDR notation) of servers allowed to send email for the domain. This can also be something like “mx:188.8.131.52”, which indicates that this is the IP address for the MX record (email server). Usually, however, there will just be “ip:” or “ip4:” listed.
- “-all” is the part of the record that says what the recipient should do if the sending IP address does not match any of the entries in the record. This is decided by whoever publishes the SPF portion of the DNS record, such as the owner of the domain. For example, if you want to make it hard for others to forge your domain, you would put “-all” to indicate that if the sending address does not match the record, you recommend that the recipient server reject the email. This is what is referred to as a hard fail.
- Types of rejection levels:
  - -all (reject or fail them – don’t deliver the email if anything does not match)
  - ~all (soft-fail them – accept them, but mark it as ‘suspicious’)
  - +all (pass regardless of match – accept anything from the domain)
  - ?all (neutral – accept it, nothing can be said about the validity if there isn’t an IP match)
Most records will have “~all” because the domain owner leaves room for the possibility that a new server is created and the SPF record is not updated with its IP address. A soft fail also lets ordinary machines send email without causing too much of an interruption.
Very large domains such as gmail.com have “?all” in their records to leave it up to the recipient to determine what to do with the email when received.
An SPF record may also include a “redirect” modifier, such as gmail’s:
This tells the receiving server to check the SPF record of google.com instead of gmail.com. An “include” in the record tells the receiving server to also consider the IP addresses listed in the SPF record of another domain when deciding which servers may send email. This is commonly set up in multi-domain organizations. Those SPF records will look like this:
v=spf1 ip4:184.108.40.206/19 include:sunbeltsoftware.com include:monitis.com -all
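To show how the pieces above fit together, here is an added example (not from the original article or from GFI) that parses an SPF TXT record into its qualifier/mechanism/modifier terms and evaluates a sending IP against it offline. It only resolves “ip4” and “all” itself; when it reaches a term that would need a DNS lookup (“mx”, “include”, “a”) it reports that instead of guessing. The records and IP addresses used are taken from this page or constructed for the example.

```python
import ipaddress

# Qualifier prefix -> SPF result name; a term with no prefix is "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into mechanisms [(result, name, arg)] and modifiers {name: value}."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = {"version": "spf1", "mechanisms": [], "modifiers": {}}
    for term in terms[1:]:
        # Modifiers use "name=value" (e.g. redirect=google.com); mechanisms use "name:arg".
        if "=" in term and ":" not in term.split("=", 1)[0]:
            name, value = term.split("=", 1)
            parsed["modifiers"][name.lower()] = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed["mechanisms"].append((QUALIFIERS[qualifier], name.lower(), arg))
    return parsed


def evaluate_ip4(record, sender_ip):
    """Walk the mechanisms left to right; the first match decides the result.

    Returns (result, reason). Only ip4 and all are evaluated here; any other
    mechanism needs DNS, so the function stops and reports it as 'needs-dns'.
    With no match and no trailing 'all', SPF gives 'neutral'.
    """
    ip = ipaddress.ip_address(sender_ip)
    for result, name, arg in parse_spf(record)["mechanisms"]:
        if name == "ip4":
            # strict=False accepts host bits in the prefix, e.g. 184.108.40.206/19
            if ip in ipaddress.ip_network(arg, strict=False):
                return result, f"ip4:{arg}"
        elif name == "all":
            return result, "all"
        else:
            return "needs-dns", f"{name}:{arg}"
    return "neutral", "no match and no 'all'"


if __name__ == "__main__":
    # Record from this page; 203.0.113.5 is a constructed non-matching sender.
    rec = "v=spf1 ip4:184.108.40.206/19 include:sunbeltsoftware.com include:monitis.com -all"
    print(evaluate_ip4(rec, "184.108.40.206"))  # ('pass', 'ip4:184.108.40.206/19')
    print(evaluate_ip4(rec, "203.0.113.5"))     # ('needs-dns', 'include:sunbeltsoftware.com')
```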
source = www.gfi.com