The role of SPF records in DNS

  

SPF is a type of DNS record proposed to prevent spam. It is a TXT record that registers all the IP addresses a domain name uses for outgoing mail. For example:



dig TXT 21cn.com

21cn.com. 27970 IN TXT "v=spf1 ip4:202.105.45.0/24 ip4:61.140.60.0/24 ip4:202.123.79.206 ip4:220.232.167.218 ip4:221.192.129.0/24 ip4:59.36.102.0/24 -all"

Adding a TXT record in SPF format to the domain's DNS records will increase the reputation of the domain name. It also prevents spammers from forging the domain as the sender when sending spam.

SPF is a DNS-related technology whose content is written in a TXT record in DNS. The purpose of the MX record is to indicate to the sender what the mail server for a domain name is. The role of SPF is the opposite of MX: it indicates to the recipient which mail servers send mail for a domain name.

As the definition shows, the role of SPF is mainly anti-spam, aimed at spammers who forge the sender's domain name.



Adding SPF records:

This is very simple: add the SPF record in the management interface provided by your DNS vendor (not all vendors provide this setting; my domain name is registered on godaddy.com, where you can set SPF records). When setting it up, add an SPF record and then enter the domain name. If it is the domain itself, it can be represented by @. Then enter a value such as "v=spf1 ip4:67.202.107.106 -all" in VALUE. This value is divided into three parts:

(1) v=spf1 indicates that this is an SPF v1 record.

(2) ip4:67.202.107.106 indicates that mail will be sent from this declared IPv4 address. It can be a single IP or an IP range. If there are multiple IPs or IP ranges, you can declare multiple ip4 entries (such as "ip4:1.0.1.0/24 ip4:1.0.2.0/24"), separated by spaces. Besides ip4, the following options are also available:

1) ip6: Use IPv6 for authentication.

2) a: Use a domain name for authentication. This will cause an A RR query to the domain name server. It can be used in the form of a:domain, a:domain/cidr or a/cidr.

3) mx: Use the DNS MX RR for authentication. The MX RR defines the receiving MTA, which may be different from the outgoing MTA, in which case the mx-based test will fail. mx authentication can be written in the form mx:domain, mx:domain/cidr or mx/cidr.

4) ptr: Use the PTR RR of the domain name server for authentication. In this case, SPF queries using the PTR RR and the reverse mapping. If the returned hostname is within the same domain name, the verification passes. This parameter is written as ptr:domain.

5) exists: Verify the existence of the domain name. It can be written in the form exists:domain.

6) ext: Defines an optional extension to type. If there is no such field, then only a single record is used for the inquiry.

7) mod: This is the last type, a modifier that adjusts the record. The modifier values are:

redirect: Redirects the query, using the SPF record of the given domain name. Used as redirect=domain.

exp: This record must be the last one. It allows a custom failure message to be given.

IN TXT "v=spf1 mx -all exp=getlost.example.com"

getlost IN TXT "You are not authorized to send mail for the domain"

(3) -all defines the return value when a match occurs. The following options are available:

1) + is the default value. It indicates that the test passed.

2) - indicates that the test failed. This value is usually used as -all, meaning that none of the other entries matched.

3) ~ indicates a soft failure, usually indicating that the test is not completed.

4) ? indicates neither a pass nor a fail. This value is also usually used when the test is not completed.

So "v=spf1 ip4:67.202.107.106 -all" means that only 67.202.107.106 may send email for this domain; any other IP is not authorized.
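The evaluation described above, as an added example that is not part of the original article: a small offline checker that splits an SPF value into its three parts and applies the ip4/ip6/all entries left to right to a connecting IP. The function names and the "needs-dns" placeholder result are assumptions of this sketch; entries that require DNS lookups (a, mx, ptr, exists, include) are reported rather than resolved.

```python
import ipaddress

# Qualifier prefix -> result when the entry matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that need live DNS lookups; not resolved in this offline sketch.
DNS_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}
# Record quoted in the article's dig output.
SAMPLE = ("v=spf1 ip4:202.105.45.0/24 ip4:61.140.60.0/24 ip4:202.123.79.206 "
          "ip4:220.232.167.218 ip4:221.192.129.0/24 ip4:59.36.102.0/24 -all")

def parse_spf(record):
    """Return ([(qualifier, mechanism, argument)], {modifier: value})."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    terms, modifiers = [], {}
    for part in parts[1:]:
        if "=" in part and ":" not in part.split("=", 1)[0]:
            name, value = part.split("=", 1)  # modifier: redirect= or exp=
            modifiers[name.lower()] = value
            continue
        qualifier = part[0] if part[0] in QUALIFIERS else "+"
        body = part[1:] if part[0] in QUALIFIERS else part
        name, _, arg = body.partition(":")    # "ip6:2001:db8::/32" splits once
        terms.append((qualifier, name.lower(), arg))
    return terms, modifiers

def check_ip(record, sender_ip):
    """Evaluate entries in order; the first one that matches decides."""
    ip = ipaddress.ip_address(sender_ip)
    terms, _ = parse_spf(record)
    for qualifier, name, arg in terms:
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare IP = /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name.split("/")[0] in DNS_MECHANISMS:
            return "needs-dns"  # placeholder: cannot be decided offline
    return "neutral"            # nothing matched and no "all" entry

if __name__ == "__main__":
    for addr in ("202.105.45.17", "202.123.79.206", "203.0.113.9"):  # constructed
        print(addr, check_ip(SAMPLE, addr))
```

Order matters: an entry placed after "all" is never reached, so a record must end with its "all" entry for the listed addresses to be checked first.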




This article is from “redhat” Blog
