An SPF record checker is a diagnostic tool that validates your domain's SPF record and flags syntax and configuration errors. Let's look at how such a tool checks whether an SPF record is set up correctly and so helps prevent phishing and spoofing attempts made in your business's name.
We start with the basics.
What is an SPF Record?
An SPF record is a TXT DNS record that lists the hosts and IP addresses permitted to send email on your domain's behalf, together with a qualifier on its final "all" mechanism that tells receiving servers how to treat mail from any other source. Using a reputable SPF record checker, you can make sure your domain has a properly configured, syntactically correct SPF record without errors.
This protects you from phishing and spoofing attacks carried out in your name. Attackers craft genuine-looking emails that ask recipients (usually your prospects, clients, or employees) to share sensitive information or make payments. If they succeed, your brand's reputation suffers and you may even face legal consequences.
SPF Record Example
An SPF TXT record is published in the domain's public DNS zone, so any external user or mail system can retrieve it to run authentication checks. Here are two SPF record examples:
For Microsoft 365
v=spf1 include:spf.protection.outlook.com -all
For Google Mail
v=spf1 include:_spf.google.com ~all
What Does an SPF Record Do?
Before looking at how to check whether an SPF record is set up correctly, let's see what an SPF record does.
The check itself is not complicated. When a message arrives, the receiving server looks at its Return-Path (the envelope MAIL FROM address, not the From: header the user sees). Suppose the Return-Path is abc@example.com. This is what follows:
- The receiving server retrieves the SPF record for the example.com domain from DNS.
- It evaluates the record's mechanisms (ip4, ip6, a, mx, include and so on) against the IP address of the server that delivered the message.
- If the connecting IP matches a mechanism with a pass qualifier, the SPF check passes. The receiving server is confident that the message came from an authorized sending server and continues processing it.
- If no mechanism matches, the result is decided by the record's final "all" qualifier: "-all" yields fail and "~all" yields softfail. Such messages are handled according to the receiving server's failure policy.
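The receiver-side evaluation just described, as an added example that is not part of the original article. It implements the ip4, ip6, a, mx, include and all mechanisms plus the redirect modifier, the 10-lookup budget and the multiple-record permerror over a constructed, offline stand-in for DNS (the domains, records and addresses in FAKE_DNS are assumptions built for this example; a real implementation would query DNS instead).

```python
import ipaddress

class PermError(Exception):
    """Permanent error in the record or its evaluation (RFC 7208 'permerror')."""

# Constructed, offline stand-in for DNS. Domains and addresses are documentation
# values (RFC 5737 / RFC 3849); no real DNS query is made.
FAKE_DNS = {
    "TXT": {
        "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example mx -all"],
        "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
        "nospf.example": ["not an spf record"],
        "dup.example": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],
        "loop.example": ["v=spf1 include:loop.example -all"],
    },
    "A": {"mail.example.com": ["203.0.113.5"]},
    "MX": {"example.com": ["mail.example.com"]},
}
MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def fetch_spf(domain):
    """Return the domain's single SPF TXT record, None if absent; two or more is a permerror."""
    recs = [t for t in FAKE_DNS["TXT"].get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) > 1:
        raise PermError(f"{domain}: {len(recs)} SPF records")
    return recs[0] if recs else None

def in_net(ip, spec, default_prefix):
    """True if ip is inside spec ('addr' or 'addr/len'); address families never cross-match."""
    net = ipaddress.ip_network(spec if "/" in spec else f"{spec}/{default_prefix}", strict=False)
    return ip.version == net.version and ip in net

def check_host(ip, domain):
    """Receiver-side SPF check: the result for this sending IP and Return-Path domain."""
    try:
        return _evaluate(ipaddress.ip_address(ip), domain, [0])
    except PermError:
        return "permerror"

def _evaluate(ip, domain, budget):
    record = fetch_spf(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term and term[0] not in QUALIFIERS:           # modifier: redirect= / exp=
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]                              # terminator: nothing after it runs
        if mech == "ip4":
            matched = in_net(ip, arg, 32)
        elif mech == "ip6":
            matched = in_net(ip, arg, 128)
        elif mech in ("include", "a", "mx"):
            budget[0] += 1                                      # each of these costs a DNS lookup
            if budget[0] > MAX_LOOKUPS:
                raise PermError("more than 10 DNS lookups")
            target = arg or domain
            if mech == "include":
                sub = _evaluate(ip, target, budget)             # recursive, shares the budget
                if sub == "none":
                    raise PermError(f"include:{target} has no SPF record")
                matched = sub == "pass"                         # fail/softfail/neutral do not match
            elif mech == "a":
                matched = any(in_net(ip, a, 32) for a in FAKE_DNS["A"].get(target, []))
            else:
                hosts = FAKE_DNS["MX"].get(target, [])
                matched = any(in_net(ip, a, 32) for h in hosts for a in FAKE_DNS["A"].get(h, []))
        else:
            raise PermError(f"unsupported mechanism '{mech}'")   # ptr/exists left out of this example
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        budget[0] += 1
        if budget[0] > MAX_LOOKUPS:
            raise PermError("more than 10 DNS lookups")
        return _evaluate(ip, redirect, budget)
    return "neutral"                                            # no match and no 'all': RFC default

if __name__ == "__main__":
    for ip, domain in [("192.0.2.7", "example.com"), ("198.51.100.10", "example.com"),
                       ("203.0.113.5", "example.com"), ("203.0.113.9", "example.com"),
                       ("203.0.113.9", "nospf.example"), ("203.0.113.9", "loop.example")]:
        print(f"{ip:>16} {domain:<22} {check_host(ip, domain)}")
```

The lookup budget is a single shared counter passed down through every include and redirect, which is why the self-including loop.example record ends in permerror rather than recursing forever; that is exactly the protection the 10-lookup limit gives a receiver.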
What is an SPF Record Checker?
An SPF record checker is a diagnostic tool that examines every part of your record. It helps keep the record syntactically valid and reliable for authentication. It verifies the record by looking up your domain's SPF TXT record in DNS, then displays the record and highlights any errors it finds.
Some common SPF record checkers are MXToolbox, Kitterman, and Mimecast DMARC Analyzer.
How Does an SPF Record Checker Work?
An SPF record checker works by analyzing the following:
Presence of an SPF Record for Your Domain
The first step an SPF record checker takes is to verify that an SPF TXT record exists for the queried domain. An error is returned if none is found.
Multiple SPF Records
A domain must publish no more than one SPF record; receivers return permerror when they find several. An SPF record checker warns you about the presence of multiple SPF records.
SPF Syntax
A syntax error is returned when one or more terms are malformed or do not follow the grammar defined in RFC 7208. Common SPF syntax errors are:
- A mechanism or modifier given an IP address or other numerical value where it requires a domain or hostname (for example include:192.0.2.1).
- Malformed IP addresses or network prefixes in ip4 and ip6 mechanisms.
- Misspelled or unknown mechanisms, or the "mx", "a", "ptr", "exists" and "include" mechanisms and the "redirect" modifier used with the wrong separator (mechanisms take ":", modifiers take "=") or with a missing argument.
DNS Lookup Limit
RFC 7208 sets a limit of 10 DNS lookups per SPF evaluation to keep a single check from consuming unbounded CPU, memory and bandwidth on the recipient's side. The "include", "a", "mx", "ptr" and "exists" mechanisms and the "redirect" modifier each count against this limit, and the count accumulates across every record reached through include and redirect. The "all", "ip4" and "ip6" mechanisms and the "exp" modifier do not count. Exceeding the limit produces permerror.
Use of a “ptr” Mechanism
The ptr mechanism relies on reverse DNS, which is slow and unreliable, so RFC 7208 says it should not be used. List the sending addresses with ip4/ip6 mechanisms, or use the "a" mechanism, instead.
“+all” Qualifier
The "+all" mechanism makes your SPF record overly permissive: it authorizes anyone on the internet to send email on your behalf. This is strongly discouraged, as it makes your domain and business far more likely to be used in phishing or spoofing attacks.
In this case, the SPF record checker returns a warning.
Use of Record Termination
A record should end with a terminating element: an "all" mechanism (ideally "-all" or "~all"), or a "redirect" modifier that hands evaluation over to another domain's record. Note that when an "all" mechanism is present, "redirect" is ignored. The SPF record checker returns a warning if the record has no terminator.
Any Character After the ‘all’ Qualifier
Nothing should follow the "all" mechanism: any mechanism placed after it is never evaluated. The SPF record checker notifies you if anything follows it.
‘SPF’ Type DNS
The dedicated SPF DNS record type (type 99) is obsolete, so a record published only with that type produces an error on validation. While checking whether the SPF record is set up correctly, a credible tool highlights any SPF record that is not published as a TXT record.
Maximum Void Lookups
A void lookup is a DNS query made during evaluation that returns NXDOMAIN or an empty answer. RFC 7208 allows no more than 2 per evaluation; beyond that the result is permerror, so a checker reports void lookups caused by include, redirect or other targets that do not resolve.
MX Resource Records
The use of the mx (Mail Exchange) mechanism is discouraged: each mx term spends a DNS lookup and then requires resolving every MX host, and a domain's inbound MX hosts are often not the hosts that send its mail. An SPF record checker reports it.
Null Values
To check whether the SPF record is correct, an SPF record checker also looks for a null record, "v=spf1 -all", which authorizes no sender at all and causes deliverability failures if the domain does send mail. Such records are sometimes published deliberately on domains that never send email, so that nobody can send in their name.
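The checks listed above, as an added example written for this article rather than taken from any of the named tools. It lints the TXT records you would get back from a DNS query, so it runs offline; the static checks (presence, duplicates, syntax, lookup count, terminator, "+all", "ptr", "mx", terms after "all") are implemented, while the checks that need live DNS (record type, void lookups, include targets that resolve) are left to a real resolver. The sample records in the usage section are constructed for the example.

```python
import ipaddress

MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "ptr", "exists", "include"}
MODIFIERS = {"redirect", "exp"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # count toward the 10-lookup limit
MAX_LOOKUPS = 10

def parse_term(term):
    """Split one SPF term into (qualifier, name, separator, argument)."""
    qual = "+"
    if term[0] in "+-~?":
        qual, term = term[0], term[1:]
    seps = [i for i in (term.find(":"), term.find("=")) if i >= 0]
    if not seps:                       # bare mechanism such as 'mx', 'a' or 'a/24'
        name = term.split("/", 1)[0]   # the CIDR suffix is not validated here
        return qual, name.lower(), None, ""
    pos = min(seps)
    return qual, term[:pos].lower(), term[pos], term[pos + 1:]

def looks_like_domain(value):
    """Reject empty strings and bare IP addresses where a domain name is required."""
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        return bool(value) and "." in value and not value.startswith(".")

def lint_spf(txt_records):
    """Lint a domain's TXT records the way an SPF checker does; returns [(level, message), ...]."""
    issues = []
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return [("error", "no SPF record found for this domain")]
    if len(spf) > 1:
        issues.append(("error", f"{len(spf)} SPF records present; receivers will return permerror"))
    lookups, terminated, has_redirect = 0, False, False
    for raw in spf[0].split()[1:]:
        qual, name, sep, arg = parse_term(raw)
        if name not in MECHANISMS | MODIFIERS:
            issues.append(("error", f"unknown term '{raw}'"))
            continue
        if (name in MODIFIERS and sep != "=") or (name in MECHANISMS and sep == "="):
            issues.append(("error", f"'{raw}': mechanisms take ':', modifiers take '='"))
            continue
        if terminated and name in MECHANISMS:       # modifiers such as exp= may still follow 'all'
            issues.append(("warning", f"'{raw}' comes after 'all' and is never evaluated"))
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(arg, strict=False).version != int(name[2]):
                    raise ValueError
            except ValueError:
                issues.append(("error", f"'{raw}': not a valid {name} address or network"))
        elif name in ("include", "exists", "redirect") or (name in ("a", "mx", "ptr") and arg):
            if not looks_like_domain(arg.split("/")[0]):
                issues.append(("error", f"'{raw}': expected a domain name"))
        if name == "ptr":
            issues.append(("warning", "'ptr' is deprecated by RFC 7208; use ip4/ip6 or 'a' instead"))
        if name == "mx":
            issues.append(("info", "'mx' costs lookups for every MX host; prefer listing sending IPs"))
        if name == "redirect":
            has_redirect = True
        if name == "all":
            if sep or arg:
                issues.append(("error", "'all' takes no argument"))
            if qual == "+":
                issues.append(("warning", "'+all' lets anyone on the internet send as your domain"))
            elif qual == "?":
                issues.append(("warning", "'?all' gives receivers no policy; prefer '~all' or '-all'"))
            terminated = True
    if lookups > MAX_LOOKUPS:
        issues.append(("error", f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}"))
    if not terminated and not has_redirect:
        issues.append(("warning", "record does not end with an 'all' mechanism or a 'redirect=' modifier"))
    return issues

if __name__ == "__main__":
    # Constructed sample TXT record sets, as a checker would receive them from DNS.
    samples = {
        "good": ["v=spf1 include:_spf.google.com ~all"],
        "open": ["v=spf1 a mx +all"],
        "bad-ip": ["v=spf1 ip4:300.1.1.1 -all"],
        "dead-tail": ["v=spf1 -all ip4:192.0.2.1"],
        "too-many": ["v=spf1 " + " ".join(f"include:m{i}.example" for i in range(11)) + " -all"],
    }
    for label, records in samples.items():
        print(label, lint_spf(records) or "OK")
```

The lookup count here is static (it counts the terms in this one record), which is enough to catch an obviously oversized record; a full checker recurses into every include and redirect target, because the limit applies to the total across all of them.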
SPF Best Practices
Now that you know what an SPF record check is and how it works, here are some SPF best practices for avoiding errors and getting the best protection against email-based attacks.
- Don't add an include source unless you are sure that mail with your domain in the Return-Path is actually sent through it.
- Use either "~all" or "-all" and avoid "+all" and "?all". The two differ in strength: "-all" tells receivers to reject mail from unlisted sources (fail), while "~all" asks them to accept but mark it (softfail); "?all" and "+all" give receivers nothing to act on.
- Avoid the "redirect" modifier unless you intend to hand your whole policy to another domain's record; it is also ignored entirely when the record contains an "all" mechanism.
- Use the "include" mechanism for third-party services that send on your behalf, and "ip4"/"ip6" mechanisms for your own sending addresses; "include" takes a domain, not an IP address.
- Don't use the "mx" and "a" mechanisms when your mail is hosted with a third-party provider such as Zoho Mail; the provider's include covers its sending hosts.
- Refrain from using the deprecated "ptr" mechanism.
- Use an SPF flattening service if you cannot stay within the 10 DNS lookup limit, and keep in mind that flattened IP lists go stale when a provider changes its addresses, so re-flatten on a schedule.
- Use an SPF record checker to keep your record well maintained and up to date, especially after any change to your email infrastructure.
SPF Record Results
Here is what each SPF result means:
- Pass – The sender is authorized to send email for the domain.
- Fail – The sender is not authorized to send email for the domain ("-all").
- SoftFail – The domain owner discourages this sender but is not yet ready to have its mail rejected ("~all"); receivers usually accept the message and may mark it.
- Neutral – The domain owner asserts nothing about this sender ("?all").
- None – No SPF record was found for the domain.
- PermError – The record could not be interpreted: bad syntax, multiple records, or too many DNS lookups.
- TempError – A transient error, such as a DNS timeout, occurred; the receiver may retry later.
Final Words
An SPF record checker diagnoses every part of your SPF record and helps keep it syntactically correct and reliable. It checks whether there is more than one record for your domain, whether you use deprecated or discouraged mechanisms, whether your record exceeds the 10 DNS lookup limit, and more.