How to Prevent Email Spoofing Using SPF Records


Any programmer or server administrator knows how easy it is to spoof a sender’s address in an e-mail. In Java, for example, the JavaMail API lets me put any “From” address I like on a message with the following lines:

import javax.mail.*;           // JavaMail API: Message, Session
import javax.mail.internet.*;  // MimeMessage, InternetAddress
Message msg = new MimeMessage(mailSession);
msg.setFrom(new InternetAddress("mail@randomdomain.com")); // any address; nothing checks that I own it

This is alarming, especially when combined with phishing e-mails telling you that your account has been suspended and that you must call someone with your details immediately. Luckily, receiving mail servers have a mechanism to check whether a message came from a server the domain owner authorized, and most of them will route a message that fails the check to the spam folder or reject it outright.

This is achieved via SPF records.

How do SPF Records Work?

SPF stands for “Sender Policy Framework”. It is a way for domain name owners to publish the IP addresses or host names of the servers that are authorized to send e-mail on the domain’s behalf. So if a random person uses their personal server to send an e-mail purporting to be from PayPal with a sender address of “something@paypal.com”, the receiving mail server looks up PayPal’s SPF record and checks whether the connecting server’s IP address is one of the authorized senders. Since it won’t be, the check fails and the receiver can reject the message or mark it as spam. Strictly speaking, the domain SPF checks is the one in the SMTP envelope sender (MAIL FROM, shown to recipients as the Return-Path header), not the From: header that a mail client displays; tying the visible From: address to the SPF result is the job of DMARC, which builds on SPF.

Domain owners publish the list of authorized servers in a DNS TXT record on their domain that is called an “SPF record”.

So we have the following steps:

  1. The domain owner publishes the list of IP addresses authorized to send mail for the domain in an SPF record;
  2. The receiving mail software takes the IP address of the server delivering a specific e-mail message and the domain of that message’s envelope sender;
  3. The mail software looks up the SPF record of that domain and checks whether the sending server’s IP address matches one of its entries.

This sounds great. So let’s look at how to set the SPF record of a given domain name.

Setting SPF Records

If you’re using a web hosting provider like SiteGround or Bluehost, setting the SPF record is very easy. These hosts already know which of their servers your mail is likely to come from and pre-authorize them, so you don’t have to list them yourself. You can still customize the record if you have special needs, for instance a third-party mailing service.

For example, in SiteGround, open cPanel and search for the icon labeled “Email Authentication”. In that section you’ll find an SPF entry with an “Enable” button; clicking it automatically creates the SPF record for your domain.

In my case, the SPF record has been set to:

v=spf1 +a +mx +ip4:107.6.163.194 ~all

We can verify this with a tool like http://www.kitterman.com/spf/validate.html: enter the domain name into the text box and search, and the tool fetches the domain’s SPF record and reports whether it parses correctly. Since an SPF record is just a TXT record, you can also query it directly with any DNS tool that can fetch TXT records.

Either way, I can confirm that my SPF record has been published.

Let’s take a look at what this means.

Deciphering the SPF Record

All SPF records are plain text entries (DNS TXT records). They are identified by the version tag at the start:

v=spf1

The particular SPF record above breaks down like this. Mechanisms are evaluated from left to right, and the first one that matches the sending IP decides the result; the qualifier in front of a mechanism says what that result is, and “+” (pass) is the default, so “+a” and “a” mean the same thing:

  • +a matches if the sending IP is one of the A (or AAAA) records of the domain itself;
  • +mx matches if the sending IP is an address of one of the hosts listed in the domain’s MX records (the receiver looks up the MX names, then their A records);
  • +ip4:107.6.163.194 matches if the sending IP is exactly this address (a CIDR suffix such as /24 would widen it to a block of addresses);
  • ~all matches everything that the previous mechanisms did not and returns a “soft” fail, which receivers usually treat as suspicious rather than rejecting outright. A minus sign (-all) would be a “hard” fail, ?all a neutral result, and leaving all out entirely also leaves unlisted senders neutral.

Note that a, mx and include each cost DNS lookups at evaluation time, and a record that requires more than 10 of them is a permanent error (“permerror”), which receivers treat as if the policy were unusable.

Using the “include” Option

By using the “include” mechanism in an SPF record, you can “borrow” the SPF record of another domain: the receiver evaluates that domain’s record for the same sending IP, and the include mechanism matches if that evaluation passes. For example, the web hosting company Bluehost maintains a comprehensive SPF record under the “bluehost.com” domain name. Here is the SPF record that it sets for all the domains that it manages:

v=spf1 a mx ptr include:bluehost.com ?all

What this means is that all domains hosted at Bluehost can piggyback on Bluehost’s list of approved mail servers. Two things in this record are worth noticing, though: ?all makes the result for every unlisted sender neutral rather than a fail, so the record does little to stop spoofing on its own, and the ptr mechanism is deprecated because it depends on slow and unreliable reverse DNS lookups. Here is the SPF record of paypal.com:

v=spf1 include:pp._spf.paypal.com include:3ph1._spf.paypal.com include:3ph2._spf.paypal.com include:3ph3._spf.paypal.com include:3ph4._spf.paypal.com include:3ph5._spf.paypal.com ~all 

PayPal’s SPF record is nothing but a list of “included” domain names; all the complexity is hidden behind these subdomains. Each include is itself one of the 10 permitted DNS lookups, and any lookups inside the included records count too, so a record built this way has to be kept within the limit.
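To make the three-step check and the mechanism semantics above concrete, here is an added example of a minimal SPF evaluator in Python. It is my own code, not the post’s or any hosting provider’s. It follows the check_host() procedure of RFC 7208 for the mechanisms that appear in the records on this page (a, mx, ip4, ip6, include and all, with the four qualifiers) and runs against a constructed in-memory DNS table instead of real lookups, so every domain name, address and record in it is an assumption except the one record copied from this post. It also goes beyond the page’s records to show the two include failure modes a practitioner runs into: including a domain that publishes no SPF record, and exceeding the 10-lookup limit.

```python
"""Minimal SPF evaluator (RFC 7208 check_host subset) over constructed DNS data.

Added example for this post; not the post's own code. Supports the
mechanisms a, mx, ip4, ip6, include and all with qualifiers + - ~ ?.
"""
import ipaddress

# Constructed DNS table standing in for real lookups (assumed data; the
# example.com record is the one quoted in the post, everything else uses
# documentation address ranges and made-up names).
DNS = {
    "example.com": {
        "TXT": ["v=spf1 +a +mx +ip4:107.6.163.194 ~all"],
        "A": ["203.0.113.10"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["203.0.113.25"]},
    # Borrows example.com's senders through include, as the Bluehost record does.
    "reseller.example": {"TXT": ["v=spf1 include:example.com -all"]},
    "v6.example": {"TXT": ["v=spf1 ip6:2001:db8::/32 ?all"]},
    # Includes a domain that publishes no SPF record: permerror.
    "broken.example": {"TXT": ["v=spf1 include:nospf.example -all"]},
    "nospf.example": {"TXT": ["some unrelated verification token"]},
    # Includes itself: exhausts the 10-lookup budget, also permerror.
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def lookup(name, rtype):
    """Stand-in for a resolver query; replace with real DNS for production use."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def get_spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if there is not exactly one."""
    spf = [txt for txt in lookup(domain, "TXT") if txt.split(" ", 1)[0].lower() == "v=spf1"]
    return spf[0] if len(spf) == 1 else None


def addresses_match(ip, names, prefix_len):
    """True if ip lies within the A record of any name, widened to prefix_len bits."""
    for name in names:
        for addr in lookup(name, "A"):
            if ip in ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False):
                return True
    return False


def check_host(ip, domain, _state=None):
    """Evaluate domain's SPF policy for a connection from ip.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    state = _state if _state is not None else {"lookups": 0}
    ip = ipaddress.ip_address(ip)
    record = get_spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"  # the default when no qualifier is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target, _, prefix_len = arg.partition("/")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A v4 address never matches a v6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx", "include"):
            state["lookups"] += 1
            if state["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = target or domain
            if mech == "a":
                matched = addresses_match(ip, [target], prefix_len or "32")
            elif mech == "mx":
                matched = addresses_match(ip, lookup(target, "MX"), prefix_len or "32")
            else:
                sub = check_host(str(ip), target, state)
                if sub in ("permerror", "none"):
                    return "permerror"  # RFC 7208 section 5.2
                matched = sub == "pass"
        elif mech == "ptr":
            matched = False  # deprecated by RFC 7208 section 5.5; never matched here
        else:
            return "permerror"  # unknown mechanism, or a modifier this example omits
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record without an all term


if __name__ == "__main__":
    for sender in ("107.6.163.194", "203.0.113.25", "198.51.100.7"):
        print(sender, "->", check_host(sender, "example.com"))
```

Swapping lookup() for a real resolver (for instance dnspython’s dns.resolver.resolve(name, rtype)) turns this into a working checker; the evaluation logic does not change. The example deliberately treats ptr as never matching and rejects modifiers such as redirect= and exp=, so a record that relies on those returns permerror here where a full implementation would handle them.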

For hosts that lack an automatic SPF setup like SiteGround’s, remember that an SPF record is just a regular TXT record in the domain’s zone file. Nothing fancy here. You can get the complete SPF record syntax from this website: http://www.openspf.org/SPF_Record_Syntax (the authoritative specification is RFC 7208). Use it to construct an SPF record that suits your needs, and keep the total number of a, mx and include lookups at or below 10.
