Sender Policy Framework
SPF Record Syntax
Note: This page serves as an introduction and quick overview of SPF mechanism syntax.
For the complete and definitive picture, please see the specification.
Domains define zero or more mechanisms. Mechanisms describe the set of hosts
which are designated outbound mailers for the domain.
all | ip4 | ip6 | a | mx | ptr | exists | include
Domains may also define modifiers. Each modifier can appear only once.
redirect | exp
Mechanisms
Mechanisms can be prefixed with one of four qualifiers:
"+" Pass
"-" Fail
"~" SoftFail
"?" Neutral
If a mechanism results in a hit, its qualifier value is used. The default qualifier
is "+", i.e. "Pass". For example:
"v=spf1 -all"
"v=spf1 a -all"
"v=spf1 a mx -all"
"v=spf1 +a +mx -all"
Mechanisms are evaluated in order. If no mechanism matches and there is no
"redirect=" modifier to follow, the default result is "Neutral".
If a domain has no SPF record at all, the result is "None". If a domain has a
temporary error during DNS processing, you get the result "TempError" (called
"error" in earlier drafts). If some kind of syntax or evaluation error occurs (eg.
the domain specifies an unrecognized mechanism) the result is "PermError"
(formerly "unknown").
Evaluation of an SPF record can return any of these results:
Result     Explanation                                                   Intended action
Pass       The SPF record designates the host to be allowed to send      accept
Fail       The SPF record has designated the host as NOT being allowed   reject
           to send
SoftFail   The SPF record has designated the host as NOT being allowed   accept but mark
           to send but is in transition
Neutral    The SPF record specifies explicitly that nothing can be said  accept
           about validity
None       The domain does not have an SPF record or the SPF record      accept
           does not evaluate to a result
PermError  A permanent error has occurred (eg. badly formatted SPF       unspecified
           record)
TempError  A transient error has occurred                                accept or reject
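The term grammar described above (the four qualifiers with "+" as the default, modifiers that may appear only once, unknown modifiers ignored, unknown mechanisms a PermError) as a small parser. This is an added example, not code from the openspf.org page or from any SPF implementation; the records passed to parse_record() are constructed, and a real checker would fetch them from DNS first.

```python
"""Parse an SPF record into its terms.

Added example, not openspf.org code. The records fed to parse_record()
are constructed; a real checker would fetch them from DNS first.
"""
import re

MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "ptr", "exists", "include"}
MODIFIERS = {"redirect", "exp"}
# Qualifier -> result when the mechanism matches. "+" is the default.
QUALIFIER_RESULT = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


class PermError(Exception):
    """Syntax or evaluation error (formerly "unknown"): the record is unusable."""


# Optional qualifier, a name, then the rest of the term (":domain", "/24", "=value").
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(.*)$")


def parse_record(record):
    """Return (mechanisms, modifiers) for one SPF record.

    mechanisms: list of (qualifier, name, rest) in evaluation order, where
                rest is the text after the name, e.g. ":example.com/24" or "/24"
    modifiers:  dict name -> value; each known modifier may appear only once
    Unknown modifiers are ignored; unknown mechanisms are a PermError.
    A TXT record that does not start with "v=spf1" is not an SPF record at
    all (an evaluator would report "None"), so that is a ValueError here.
    """
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms, modifiers = [], {}
    for token in tokens[1:]:
        m = TERM_RE.match(token)
        if not m:
            raise PermError(f"malformed term {token!r}")
        qualifier, name, rest = m.groups()
        name = name.lower()
        if rest.startswith("="):
            # A modifier: no qualifier allowed, at most one occurrence each.
            if qualifier or name in modifiers:
                raise PermError(f"bad or duplicate modifier {token!r}")
            if name in MODIFIERS:
                modifiers[name] = rest[1:]
            continue  # unknown modifiers are ignored
        if name not in MECHANISMS:
            raise PermError(f"unknown mechanism {name!r}")
        if name == "all" and rest:
            raise PermError('"all" takes no argument')
        mechanisms.append((qualifier or "+", name, rest))
    return mechanisms, modifiers


def result_if_matched(term):
    """The result an evaluator returns when this parsed mechanism matches."""
    return QUALIFIER_RESULT[term[0]]
```

The parser keeps the raw remainder of each term (":example.com/24", "/24") rather than splitting it, because "/" means a prefix length after "a" or "mx" but is part of the network after "ip4"; the per-mechanism code decides how to read it.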
The "all" mechanism
all
This mechanism always matches. It usually goes at the end of the SPF record,
where it states the verdict for every host not designated by an earlier
mechanism.
Examples:
"v=spf1 mx -all"
Allow the domain's MXes to send mail for the domain, prohibit all
others.
"v=spf1 -all"
The domain sends no mail at all.
"v=spf1 +all"
The domain owner thinks that SPF is useless and/or doesn't
care. This designates every host on the Internet, so a Pass against
such a record tells a receiver nothing.
The "ip4" mechanism
ip4:<ip4-address>
ip4:<ip4-network>/<prefix-length>
The argument to the "ip4:" mechanism is an IPv4 network range. If no prefix
length is given, /32 is assumed (singling out an individual host address).
Examples:
"v=spf1 ip4:192.168.0.1/16 -all"
Allow any IP address in 192.168.0.0/16, i.e. between 192.168.0.0 and
192.168.255.255 (the host bits of the written address are ignored).
The "ip6" mechanism
ip6:<ip6-address>
ip6:<ip6-network>/<prefix-length>
The argument to the "ip6:" mechanism is an IPv6 network range. If no prefix
length is given, /128 is assumed (singling out an individual host address).
Examples:
"v=spf1 ip6:1080::8:800:200C:417A/96 -all"
Allow any IPv6 address between 1080::8:800:0000:0000 and
1080::8:800:FFFF:FFFF.
"v=spf1 ip6:1080::8:800:68.0.3.1/96 -all"
The same range written with an embedded dotted-quad IPv4 suffix: allow any
IPv6 address between 1080::8:800:0000:0000 and 1080::8:800:FFFF:FFFF.
The "a" mechanism
a
a/<prefix-length>
a:<domain>
a:<domain>/<prefix-length>
All the A records for domain are tested. If the client IP is found among them,
this mechanism matches.
If domain is not specified, the current domain is used.
The A records have to match the client IP exactly, unless a prefix length is
provided, in which case each IP address returned by the A lookup will be
expanded to its corresponding CIDR prefix, and the client IP will be sought
within that subnet.
Examples:
"v=spf1 a -all"
The current domain is used.
"v=spf1 a:example.com -all"
Equivalent if the current domain is example.com.
"v=spf1 a:mailers.example.com -all"
Perhaps example.com has chosen to explicitly list all the
outbound mailers in a special A record under
mailers.example.com.
"v=spf1 a/24 a:offsite.example.com/24 -all"
If example.com resolves to 192.0.2.1, the entire /24 (the old "class C")
192.0.2.0/24 would be searched for the client IP. Similarly for
offsite.example.com. If more than one A record were returned,
each one would be expanded to a CIDR subnet.
The "mx" mechanism
mx
mx/<prefix-length>
mx:<domain>
mx:<domain>/<prefix-length>
All the A records for all the MX records for domain are tested in order of MX
priority. If the client IP is found among them, this mechanism matches.
If domain is not specified, the current domain is used.
The A records have to match the client IP exactly, unless a prefix length is
provided, in which case each IP address returned by the A lookup will be
expanded to its corresponding CIDR prefix, and the client IP will be sought
within that subnet.
Examples:
"v=spf1 mx mx:deferrals.domain.com -all"
Perhaps a domain sends mail through its MX servers plus
another set of servers whose job is to retry mail for deferring
domains.
"v=spf1 mx/24 mx:offsite.domain.com/24 -all"
Perhaps a domain's MX servers receive mail on one IP address,
but send mail on a different but nearby IP address.
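The exact-match and prefix-expansion rules of the "ip4", "ip6", "a" and "mx" sections above, in code. This is an added example, not the page's or any library's code. The A/AAAA and MX data is a constructed in-memory zone standing in for DNS answers, so the example runs offline; the hostnames and addresses in it are made up.

```python
"""Network matching for the ip4/ip6/a/mx mechanisms.

Added example, not openspf.org code. ZONE_ADDR and ZONE_MX are a
constructed in-memory zone standing in for real DNS answers.
"""
import ipaddress

# Constructed sample zone: name -> address records (A for IPv4 clients,
# AAAA for IPv6 clients), and name -> MX hosts.
ZONE_ADDR = {
    "example.com": ["192.0.2.1"],
    "offsite.example.com": ["198.51.100.17"],
    "mx1.example.com": ["192.0.2.10"],
    "mx2.example.com": ["192.0.2.20", "2001:db8::20"],
}
ZONE_MX = {"example.com": ["mx1.example.com", "mx2.example.com"]}


def ip_in_network(client_ip, network_text):
    """Match a client IP against ip4:/ip6: syntax, e.g. "192.0.2.1" or "192.0.2.0/24".

    Without a prefix length, /32 (IPv4) or /128 (IPv6) is assumed, so a bare
    address designates exactly one host. strict=False lets "192.168.0.1/16"
    stand for the whole 192.168.0.0/16, as in the page's example. An address
    family mismatch (IPv6 client, ip4: term) is simply no match.
    """
    client = ipaddress.ip_address(client_ip)
    net = ipaddress.ip_network(network_text, strict=False)
    return client.version == net.version and client in net


def a_matches(client_ip, domain, prefix_len=None, zone=ZONE_ADDR):
    """The "a" mechanism.

    Each address record is widened to <addr>/<prefix_len> and the client IP
    is sought inside it; with no prefix length the record must equal the
    client IP exactly (that is, /32 or /128 is used).
    """
    client = ipaddress.ip_address(client_ip)
    for addr_text in zone.get(domain, []):
        addr = ipaddress.ip_address(addr_text)
        if addr.version != client.version:
            continue  # an A record cannot match an IPv6 client and vice versa
        plen = prefix_len if prefix_len is not None else addr.max_prefixlen
        if client in ipaddress.ip_network(f"{addr}/{plen}", strict=False):
            return True
    return False


def mx_matches(client_ip, domain, prefix_len=None,
               zone_addr=ZONE_ADDR, zone_mx=ZONE_MX):
    """The "mx" mechanism: test the address records of every MX host of domain."""
    return any(a_matches(client_ip, mx_host, prefix_len, zone_addr)
               for mx_host in zone_mx.get(domain, []))
```

Note that a/24 widens every address the lookup returns, so a domain whose A record sits in a shared hosting range hands a Pass to every neighbour in that /24; publishers should check what else lives in the block before adding a prefix length.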
The "ptr" mechanism
ptr
ptr:<domain>
The hostname or hostnames for the client IP are looked up using PTR
queries. The hostnames are then validated: at least one of the A records for a
PTR hostname must match the original client IP. Invalid hostnames are
discarded. If a valid hostname is domain or a subdomain of it, this mechanism
matches. The validation step matters: a sender who controls only the reverse
zone for its own IP can put any name it likes in a PTR record, but it cannot
make the forward zone of domain point back at that IP.
If domain is not specified, the current domain is used.
If at all possible, you should avoid using this mechanism in your SPF record,
because it will result in a larger number of expensive DNS lookups.
Examples:
"v=spf1 ptr -all"
A domain which directly controls all its machines (unlike a dialup
or broadband ISP) allows all its servers to send mail. For
example, hotmail.com or paypal.com might do this.
"v=spf1 ptr:otherdomain.com -all"
Any server whose validated hostname ends in otherdomain.com is
designated.
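The PTR lookup with its forward-confirmation step, as an added example that is not the page's or any library's code. The reverse and forward data are constructed in-memory tables (the names and addresses are made up); a real implementation would issue the PTR and A queries and count them against the lookup limit.

```python
"""The "ptr" mechanism with forward-confirmed reverse DNS.

Added example, not openspf.org code. PTR and ADDR are constructed tables
standing in for the reverse and forward zones.
"""

# Constructed reverse zone: client IP -> PTR names as DNS would return them.
PTR = {
    "192.0.2.25": ["smtp.example.com", "forged.victim.example"],  # second one is bogus
    "198.51.100.7": ["mail.other.example"],
    "203.0.113.9": ["notexample.com"],
}
# Constructed forward zone: hostname -> A records.
ADDR = {
    "smtp.example.com": ["192.0.2.25"],
    "forged.victim.example": ["203.0.113.40"],   # does NOT point back at 192.0.2.25
    "mail.other.example": ["198.51.100.7"],
    "notexample.com": ["203.0.113.9"],
}


def validated_hostnames(client_ip, ptr=PTR, addr=ADDR):
    """Return the PTR names whose A records include client_ip.

    This is the validation step: a name is kept only if the forward zone of
    that name agrees with the reverse zone, so whoever controls the reverse
    zone alone cannot claim arbitrary hostnames.
    """
    return [name for name in ptr.get(client_ip, [])
            if client_ip in addr.get(name, [])]


def ptr_matches(client_ip, domain, ptr=PTR, addr=ADDR):
    """ptr:<domain> matches if a validated hostname is domain or a subdomain of it.

    The "." boundary check stops "notexample.com" from matching "example.com".
    """
    domain = domain.lower().rstrip(".")
    for name in validated_hostnames(client_ip, ptr, addr):
        name = name.lower().rstrip(".")
        if name == domain or name.endswith("." + domain):
            return True
    return False
```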
The "exists" mechanism
exists:<domain>
Perform an A query on the provided domain. If a result is found, this
constitutes a match. It doesn't matter what the lookup result is; it could be
127.0.0.2.
When you use macros with this mechanism, you can perform RBL-style
reversed IP lookups, or set up per-user exceptions.
Examples:
In the following example, the client IP is 1.2.3.4 and the current domain
is example.com.
"v=spf1 exists:example.com -all"
If example.com does not resolve, the mechanism does not match and the
"-all" yields Fail. If it does resolve, this mechanism results in a match.
The "include" mechanism
include:<domain>
The SPF record of the specified domain is evaluated for the client IP. If that
evaluation yields Pass, the include matches; if it yields Fail, SoftFail or
Neutral, there is no match and processing proceeds to the next directive.
Warning: If the domain does not have a valid SPF record, the result is a
permanent error. Some mail receivers will reject based on a PermError.
Examples:
In the following example, the client IP is 1.2.3.4 and the current domain
is example.com.
"v=spf1 include:example.com -all"
If example.com has no SPF record, the result is PermError.
Suppose example.com's SPF record were "v=spf1 a -all".
Look up the A record for example.com. If it matches 1.2.3.4,
return Pass.
If the A record does not match, the included record's own "-all" makes its
result Fail, which counts as no match for the include; evaluation continues
with the outer "-all", so the eventual result is still Fail in this example.
Trust relationships: the "include:" mechanism is meant to cross
administrative boundaries. Great care is needed to ensure that "include:"
mechanisms do not place domains at risk of giving SPF Pass results to
messages that result from cross-user forgery. Unless technical mechanisms
are in place at the specified otherdomain to prevent cross-user forgery,
"include:" mechanisms should give a Neutral rather than a Pass result. This is
done by adding "?" in front of "include:". The example above would be:
"v=spf1 ?include:example.com -all"
In hindsight, the name "include" was poorly chosen. Only the evaluated result
of the referenced SPF record is used, rather than acting as if the referenced
SPF record was literally included in the first. For example, evaluating a "-all"
directive in the referenced record does not terminate the overall processing
and does not necessarily result in an overall Fail. (Better names for this
mechanism would have been "if-pass", "on-pass", etc.)
Modifiers
Modifiers are optional. A modifier may appear only once per record. Unknown
modifiers are ignored.
The "redirect" modifier
redirect=<domain>
The SPF record for domain replaces the current record. The macro-expanded
domain is also substituted for the current domain in those lookups. The
redirect is only followed if none of the record's own mechanisms matched.
Examples:
In the following example, the client IP is 1.2.3.4 and the current domain
is example.com.
"v=spf1 redirect=example.com"
If example.com has no SPF record, that is an error; the result is
PermError (formerly "unknown").
Suppose example.com's SPF record was "v=spf1 a -all".
Look up the A record for example.com. If it matches 1.2.3.4,
return Pass.
If there is no match, the "a" mechanism fails to match and the "-all" gives
Fail; unlike an include, that Fail becomes the overall result.
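The difference between "include:" and "redirect=" described in the two sections above, together with the "?include:" trust-relationship advice, run through a minimal evaluator. This is an added example, not the page's or any SPF library's code: it implements only the mechanisms needed to show the point (ip4, include, all) plus the redirect modifier, and the SPF records in RECORDS are constructed for the example (domain names are made up).

```python
"""include: versus redirect= semantics in a minimal evaluator.

Added example, not openspf.org code. RECORDS is a constructed table of SPF
records standing in for DNS; only ip4, include, all and redirect= are
implemented, and TempError and the DNS lookup limit are not modelled.
"""
import ipaddress


class PermError(Exception):
    """Permanent error, e.g. an include: or redirect= target with no SPF record."""


# Constructed SPF records. A missing key means the domain has no SPF record.
RECORDS = {
    "sender.example":   "v=spf1 ip4:192.0.2.0/24 include:relay.example -all",
    "relay.example":    "v=spf1 ip4:198.51.100.0/24 -all",
    "cautious.example": "v=spf1 ?include:relay.example -all",
    "alias.example":    "v=spf1 redirect=sender.example",
    "open.example":     "v=spf1 ip4:192.0.2.0/24",
    "dangling.example": "v=spf1 include:nosuch.example -all",
}
RESULT = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def check_host(client_ip, domain, records=RECORDS, depth=0):
    """Evaluate domain's record for client_ip and return the SPF result string."""
    if depth > 10:
        raise PermError("too many include/redirect levels")  # loop guard
    record = records.get(domain)
    if record is None:
        return "None"
    client = ipaddress.ip_address(client_ip)
    redirect = None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # "+" is the default
        body = term.lstrip("+-~?")
        name, sep, arg = body.partition(":")
        if not sep and "=" in name:              # a modifier, e.g. redirect= or exp=
            key, _, value = name.partition("=")
            if key == "redirect":
                redirect = value
            continue                             # other modifiers are ignored here
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # Only the *result* of the other record is used: Pass is a match,
            # Fail/SoftFail/Neutral is no match (keep going), None is a PermError.
            inner = check_host(client_ip, arg, records, depth + 1)
            if inner == "None":
                raise PermError(f"include:{arg} has no SPF record")
            matched = inner == "Pass"
        else:
            raise PermError(f"mechanism {name!r} not implemented in this example")
        if matched:
            return RESULT[qualifier]
    if redirect is not None:
        # redirect= replaces the whole record, so the target's result stands
        # as ours; a missing record there is a PermError, not None.
        inner = check_host(client_ip, redirect, records, depth + 1)
        if inner == "None":
            raise PermError(f"redirect={redirect} has no SPF record")
        return inner
    return "Neutral"  # nothing matched and no redirect
```

With these records, a client in relay.example's range gets Pass through sender.example's include but only Neutral through cautious.example's "?include:", and a client outside both ranges gets Fail from sender.example's own "-all" even though relay.example's "-all" was evaluated first and "failed" on the way.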
The "exp" modifier
exp=<domain>
If an SMTP receiver rejects a message, it can include an explanation. An SPF
publisher can specify the explanation string that senders see. This way, an
ISP can direct non-conforming users to a web page that provides further
instructions about how to configure SASL (SMTP authentication).
The domain is macro-expanded and a TXT lookup is performed on it. The result of
the TXT query is then macro-expanded and shown to the sender. Other macros can be
used to provide a customized explanation.
Last edited 2008-06-29 14:49 (UTC) by Julian Mehnle
Unless noted otherwise, all content on this website is dual-licensed under the GNU GPL v2
and the Creative Commons CC BY-SA 2.5.
The openspf.org domain name was donated by James Couzens, and related domain
names by John Pinkerton. Thanks!