The Sender Policy Framework (SPF) is an important part of preventing email forgery on the Internet, preventing spammers from forging mail which pretends to be from you.
SPF records
It is common in modern mail systems for the email for an organisation to be delivered by some specialist third party, rather than the organisation itself. The SPF (Sender Policy Framework) record is a way of declaring to the world who you trust to be sending mail on your behalf.
Getting this right is important, as it is rather similar to a Power of Attorney, you are telling the world that they should trust the systems listed as if they were you when they receive an email. It is essentially an anti-forgery system.
If your SPF record is incorrect you are likely to encounter mail delivery problems. The impact will vary depending on the recipient, but the best way to fix them is to make sure your SPF record is correct using an online SPF checker.
SPF checkers
Several companies provide a web page which allow you to enter your domain name and they will tell you if there are problems with your SPF record – and offer to sell you as solution if a problem is detected. They all tend to tell you roughly the same if your SPF record is correct, but differ in how informative the message is if your SPF is invalid.
- https://mxtoolbox.com/spf.aspx
- https://dmarcly.com/tools/spf-record-checker
- https://www.proofpoint.com/us/cybersecurity-tools/dmarc-spf-creation-wizard#spf-check
- https://easydmarc.com/tools/spf-lookup
A search for ‘spf checker’ will turn up more. You can check any domain with them, not just your own, so you can see if a mail problem from some domain is SPF related.
SPF problem – too many DNS lookups
As the DNS is so important to the whole internet, RFC 7208 (one of the ‘rules of the road’ of the Internet) states that an SPF record MUST not require than 10 DNS lookups. Without this there would be a way for a bad person to attack people on the internet in a way which is difficult to trace – an example of this is explained at SPF Too Many DNS Lookups, in the section ‘Why is There an SPF Lookup Limit?’. That link also contains some general suggestions as to how to tidy the SPF record.
SPF and Surveymonkey
SurveyMonkey, a popular survey management company, can sometimes have its SPF record incorrectly added to that of customers, but they themselves state, in their help page, that ‘You do not need to add SPF or DKIM records to your domain when using SurveyMonkey.‘
SPF and bulk mail sending companies
You might have a contract with a bulk mail sending company, for example to send out a newsletter. Depending on the company you may be asked to add their SPF list to yours, and their SPF list may be quite large. Not all mailers require this, so it is worth checking.
Another possibility to consider is setting up a subdomain, such as newsletter.example.com, or a more generic emails.example.com, and asking the bulk mailing company to use that. That subdomain will then have its own SPF list, which will not normally need to include your own email provider.
SPF and changing email providers
It is quite natural, if you change email providers, to add the new one to your SPF list, but sometimes the step of removing the previous one to your SPF list can be forgotten.
But mail still goes to Gmail !
Just as the laws which most people follow do not apply to everyone, for example if they have diplomatic immunity, Google can choose which rules they follow. As in the case of Harry Dunn, just because they can does not make it correct.
If a wicked person was to divert a major road’s worth of traffic down your residential street it would cause chaos, but Google effectively owns multiple motorways, so they are immune to the problems which affect others.