When running your own email server, it’s important to add as many security features as you can. This is to both protect your server, and keep your domain off of blacklists, which would classify your emails as spam.
SPF, or Sender Policy Framework, is one protective feature you can add to your domain. Let’s take a closer look at SPF, and see how you can create an SPF record.
Why Do You Need SPF?
SMTP allows anyone to send an email, claiming to originate from any email address.
If you have telnet set up, you can try this yourself. Add an email address you don’t control as the ‘mail from’ field, and see what your recipient receives. This is often used by spammers to try and make their emails seem legitimate.
This is known as ‘spoofing’. Spoofing is the act of sending an email which claims to originate from a domain the sender doesn’t control. For example, if I send an email claiming to be from bill.gates@microsoft.com, this would be classed as spoofing.
With SPF set up, it’s no longer possible for anyone to spoof your domain. The SPF record ties the IP address of your mail server to the sending domain, marking emails sent by your server as legitimate. Emails sent from other IP addresses can therefore be identified as illegitimate.
This does require the receiving server to actually check the SPF record, but all of the major email providers will be set up to do this. Generally, emails failing the SPF check will be marked as spam.
SPF is also a prerequisite to adding another anti-spoofing feature, DMARC. Learn more about DMARC in our article here.
Creating an SPF Record
SPF is actually very simple to set up. All you need to know are the IP address(es) your email server is using – if you’re using both IPv4 and IPv6 addresses, you’ll need both.
For this example, we’ll be using 123.45.67.89 (IPv4), and abcd:123:456:7890::1 (IPv6).
The SPF record has 3 parameters we’ll need to add – 4 if you’re using both IPv4 and IPv6. An example of an SPF record is as follows:
v=spf1 ip4:123.45.67.89 ip6:abcd:123:456:7890::1 -all
Let’s break this down.
The first parameter, v, is the SPF version number. Set this to spf1.
Next come the IP address(es). Each address has a prefix, either ip4 (IPv4), or ip6 (IPv6), followed by a colon. Add as many IP addresses as you have. Each needs to be a separate entry; you can’t chain addresses together.
For example, for two IPv4 addresses, write
ip4:123.45.67.89 ip4:123.45.67.90
The final parameter will give a hint to mail servers reading the record on how to respond to a failed SPF check.
-all is considered a hard fail. In this instance, the mail server is advised to discard the email, preventing it from reaching the mailbox. Replacing the hyphen with a tilde (~) changes the fail to a soft fail. In this case, the server is advised to mark the message as spam.
In reality, this will mean little – the receiving mail server will have its own rules to manage SPF checking. It doesn’t really matter which you choose, though I tend to go for the hard fail option.
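Before publishing the record, you can check it locally. The following is an added example, not part of the original article: it parses a record built only from the parts described above (v=spf1, ip4, ip6 and all), rejects mistyped or chained addresses, and reports the result a receiving server would compute for a given sending IP. The function names parse_spf and check_ip are made up for this example, and other SPF mechanisms such as include, a and mx are deliberately not handled.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECORD = "v=spf1 ip4:123.45.67.89 ip6:abcd:123:456:7890::1 -all"  # the article's example

def parse_spf(record):
    """Parse a record using only ip4, ip6 and all; raise ValueError if malformed."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    networks, all_result = [], None
    for term in terms[1:]:
        if all_result is not None:
            # Lint chosen for this example: no mechanism after 'all' is evaluated.
            raise ValueError(f"term after 'all': {term}")
        qualifier = "+"  # a mechanism with no prefix means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all" and not value:
            all_result = QUALIFIERS[qualifier]
        elif name in ("ip4", "ip6"):
            # ip_network raises ValueError on typos and on chained addresses
            net = ipaddress.ip_network(value, strict=False)
            if net.version != int(name[2]):
                raise ValueError(f"{name} given an IPv{net.version} address")
            networks.append((net, QUALIFIERS[qualifier]))
        else:
            raise ValueError(f"unsupported term: {term!r}")
    # With no 'all' term, an unmatched sender gets a neutral result
    return networks, all_result or "neutral"

def check_ip(record, sender_ip):
    """Return the SPF result (pass, fail, softfail, neutral) for sender_ip."""
    networks, all_result = parse_spf(record)
    ip = ipaddress.ip_address(sender_ip)
    for net, result in networks:
        if ip in net:
            return result
    return all_result

if __name__ == "__main__":
    # 203.0.113.7 is a constructed sender address not listed in the record
    for sender in ("123.45.67.89", "abcd:123:456:7890::1", "203.0.113.7"):
        print(sender, "->", check_ip(RECORD, sender))
```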
Once you’ve got your record content ready, you need to log in to your domain hosting account.
The SPF record will usually be found with your DNS records. Create a new TXT record, and add your record content. With that saved, your record has been created.
Testing the Record
Once the record has been added, it’s a good idea to test it. You can test your record using MX Toolbox – ensure the ‘SPF Record Lookup’ option is selected from the drop down list.
Simply enter your domain in the box, and run the test.

The tester breaks down the record, so if there are any problems, you’ll be able to see exactly where the problem lies. The most likely issues will come from inputting the IP addresses incorrectly.
If the record comes back green, you’re set up correctly – your email domain now has some protection set up against spoofing.
Updating Your Record
One thing to keep in mind is that your SPF record will need updating if your IP address changes. If you’re using a VPS, this shouldn’t be an issue. If you’re hosting a server on a residential connection, however, it’s something you’ll have to be mindful of.