What is an SPF record and how does it help against spam
Until after the turn of the millennium, there was no procedure by which a mail client or server could definitively authenticate and verify the sender of a message. To close this security gap and combat the growing volume of spam, the Sender Policy Framework (SPF) was developed. Other procedures built on this initially unofficial standard: first DomainKeys Identified Mail (DKIM) and later Domain-based Message Authentication, Reporting and Conformance (DMARC), a specification initiated by Google, Microsoft, Facebook, and PayPal, among others. The stated goal of SPF, DKIM, and DMARC is to prevent the sending of spam and of emails with forged senders (spoofing) by controlling the sending mail servers in a collaborative manner.
What characteristics does SPF have?
SPF, like DKIM and DMARC, uses methods that securely identify the sender of an email and exclude forgeries and spam. These methods are based on comparing the sender's IP address with a list of authorised mail servers (whitelist) stored in a TXT record associated with a domain. The advantages of SPF and of the extensions DKIM and DMARC built upon it include:
- Authentication and verification of senders based on the servers
- Support for external servers outside the Domain Name System (DNS)
- Filtering of authenticated clients based on a whitelist
- Classification of emails according to their origin
- Sorting of messages as SPAM based on individual rules
- Protection for domain owners against the abusive use of their address
SPF laid the foundation on which DKIM and DMARC developed their own procedures and expanded the capabilities for detecting and handling spam. SPF began after the turn of the millennium as an unofficial standard that was adopted because of its high functionality, whereas DKIM and DMARC are specifications developed by large corporations specifically to prevent the unauthorised sending of emails, often including spam and malware, under false identities.
How do SPF, DKIM, and DMARC detect forged emails and SPAM?
When sending an email, mail servers record not only details such as the sender, recipient, subject line, and content, but also the IP address of the server establishing a connection. These details are passed on, allowing them to be logged in the extended information, providing an exact record of the "post route". To identify spam and fake emails, SPF, DKIM, and DMARC compare this route, specifically the first address, with officially registered mail servers for that domain.
A simple comparison with the A record (the web server responsible for a domain) is inadequate for detecting spam here, because large websites separate their infrastructure for load-balancing reasons. The information relevant to SPF, DKIM, and DMARC is therefore stored in an additional entry on a nameserver: the TXT record, which is freely available for use in the Domain Name System (DNS). Such a TXT record indicates the supported variant and its version through a specific tag: v=spf1 for SPF, v=DMARC1 for DMARC, and v=DKIM1 for DKIM. When a mail server queries the DNS and finds such a record, it analyses the parameters that follow and starts the corresponding spam and authenticity check.
SPF, DMARC, and DKIM consider the original sender as a significant parameter and verify if this server is a legitimate sender for a domain. If it cannot authenticate based on the TXT Record, SPF, DMARC, and DKIM allow for a response - either the message is rejected, automatically marked as spam, or flagged with a warning that the sender's integrity, for example through DKIM, is not guaranteed.
Image: Gerd Altmann on Pixabay