Friday, January 8, 2010

SPF Records For Your Domain

So...I finally understand what the deal is with SPF records. I didn't really understand it before.

So...an SPF record is basically a record that lets the RECEIVING mail server determine whether or not the sender of the email is an authorized sender.

With email spoofing these days, just about anyone can send an email and pretend that it's from someone else. This is called email spoofing or forging. To keep recipients from accepting email that is NOT from you, you publish an SPF record.

The SPF record basically tells the receiving mail server that only certain servers are authorized to send mail for that particular domain. When the receiving mail server gets mail that claims to be from you, it checks to see if there is an SPF record for that domain. If there is, it reads the SPF record to determine whether or not the server that sent the email is one of the servers listed in the record.

For example...I use Google Apps for my domain mail. If I want to send an email to a server hosted by GoDaddy (whose SPF record checker is ridiculously harsh), I have to add this SPF record as a TXT record to my domain:

v=spf1 include:aspmx.googlemail.com ~all

After this record is added and DNS propagation is done, this is the conversation that would take place between GoDaddy and Google Apps when an email from [email protected] is sent (assuming that Google Apps handles the mail for example.com):

Google Apps: "Hey GoDaddy...I have an email for someone that you get mail for."
GoDaddy: "Ok, cool. Well...before I deliver it, who is the email from?"
Google Apps: "It's from [email protected]"
GoDaddy: "Ok, well let me check to make sure that you (Google Apps) are an authorized sender for example.com. I'll check the domain's DNS at the registrar for an SPF record."
Google Apps: "Ok. I'll just wait here until you come back."
GoDaddy: "Ok, it looks like the server that is authorized to send email for that domain is aspmx.googlemail.com. Can I see the message header so that I can verify that that's really the sender, please?"
Google Apps: "Sure, here it is." (Hands GoDaddy the email.)
GoDaddy: "Ok, this looks good. I'll go ahead and deliver it. Thanks!"

This is the conversation that would take place if someone tried to spoof the email:

Google Apps: "Hey GoDaddy...I have an email for someone that you get mail for."
GoDaddy: "Ok, cool. Well...before I deliver it, who is the email from?"
Google Apps: "It's from [email protected]"
GoDaddy: "Ok, well let me check to make sure that you (Google Apps) are an authorized sender for example.com. I'll check the domain's DNS at the registrar for an SPF record."
Google Apps: "Ok. I'll just wait here until you come back." (Waits very hesitantly and is very nervous)...
GoDaddy: "Ok, it looks like the server that is authorized to send email for that domain is aspmx.googlemail.com. Can I see the message header so that I can verify that that's really the sender, please?"
Google Apps: "Sure, here it is." (Sheepishly hands GoDaddy the email.)
GoDaddy: "Ok. It says here that your name is ima.spammer.com, not aspmx.googlemail.com. So...unfortunately, I cannot deliver this message... in fact, take your message back." (Gives the message back to Google Apps.)
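The two conversations above, replayed as a small SPF evaluator. This is an added example, not code from the blog post or from Google or GoDaddy; the DNS table, the IP ranges and the policy published under aspmx.googlemail.com are all constructed stand-ins, not the real records.

```python
"""Minimal offline SPF evaluator for records like 'v=spf1 include:... ~all'.

DNS is simulated with the constructed table below so the example runs offline.
A real receiver queries the sending domain's TXT/A records live and checks the
IP address that connected to it, not a name the sender claims in the message.
"""
import ipaddress

# Constructed stand-in for DNS. The policy under aspmx.googlemail.com and the
# 203.0.113.0/24 range are made up (documentation addresses), not Google's.
DNS = {
    "example.com": {"txt": ["v=spf1 include:aspmx.googlemail.com ~all"]},
    "aspmx.googlemail.com": {"txt": ["v=spf1 ip4:203.0.113.0/24 -all"],
                             "a": ["203.0.113.10"]},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent/ambiguous."""
    recs = [t for t in DNS.get(domain, {}).get("txt", []) if t.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF policy for the connecting IP.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                       # cap on include: recursion
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                    # no SPF published: receiver decides
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the 'v=spf1' version tag
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in DNS.get(arg or domain, {}).get("a", [])
        elif name == "include":
            # include: matches only if the included policy itself yields pass
            matched = check_host(str(addr), arg, depth + 1) == "pass"
        else:
            return "permerror"           # mechanism this toy evaluator lacks
        if matched:
            return RESULT[qual]
    return "neutral"                     # nothing matched and no 'all' term
```

With the record from the post, a connection from the constructed Google range returns pass, while a connection from any other address falls through to the ~all term and returns softfail, which is the "take your message back" ending (a receiver as strict as the one described treats softfail as a rejection).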
