
Check Mail SPF

The SPF record checker requests a domain's Sender Policy Framework (SPF) records, parses them, and displays them in a human-readable format.

Why should you use the Check Mail SPF application?

Our SPF record checker parses SPF records and displays them in a human-readable format, so you can easily understand how the SPF record is configured and which emails, servers, and IP addresses are allowed to send emails on behalf of your domain.

It is much better to use our tool than console applications like dig or nslookup, because those console applications show you the raw SPF record along with many irrelevant TXT records.

You should also try our DNS checker app. It can check SPF records too, along with other DNS records such as A, CNAME, MX, NS, SRV, TXT, and more. All these records are requested in parallel, so the DNS checker is almost as fast as the Check Mail SPF app.

A Tale of Migration

A few years ago, there was a small business, an online store. Let's call the owner Alice (a pseudonym). Alice had several employees, all of whom used corporate email addresses tied to her domain. These email addresses utilized Google Mail Exchange under the hood.

Alice's business continued to grow. She hired more people, but one day she realized she couldn't create new emails for them due to a limitation for free users. Unwilling to move to a paid plan, she decided to change the mail exchanger.

The migration process was challenging. Her IT support team worked tirelessly to transfer all email messages from one server to another, preserving the history. They also created new accounts and trained the staff on how to reconfigure their email clients.

Once the migration was complete, they updated the DNS MX record for their domain, redirecting all emails sent to their domain to the new mail exchanger. However, they overlooked one crucial detail - the SPF record. Perhaps they assumed the SPF record was configured based on the MX record, or maybe they simply forgot about the SPF technology.

The next day was chaotic. Clients stopped receiving emails. The IT team initially thought the issue was related to outdated DNS records and decided to wait for the record caches to update. After waiting for 24 hours, they realized there could be other problems. Alice was stressed about losing time and clients. Eventually, the team started blaming the new mail exchanger. Some even wanted to revert to Google.

Finally, one of the IT supporters discussed the problem with an old friend. This friend sent him their SPF record:

SPF record for store.alice.com domain

This SPF record still included rules from Google, but none from the new MX server. That's why everyone could receive new mails - because of the MX record - but most of the emails they sent were not delivered. The team added the "include" rule for the new MX server, and everything was fixed soon. They also decided to add the "mx" rule, by the way.

Configuring email can be complicated, even if you don't have to maintain your own email server. There are numerous protocols to prevent spamming, spoofing, and other types of scams. SPF is just one of them.

The Importance of Understanding SPF Records

Understanding Sender Policy Framework (SPF) records is crucial for managing your domain's email security. SPF records are used to prevent spammers from sending messages with forged 'From' addresses from your domain. By properly setting up your SPF record, you can specify which mail servers are authorized to send email on behalf of your domain.

Our application simplifies this process by requesting all TXT records for a given domain and filtering them to find the SPF record, which should always start with 'v=spf1'. Once we find this record, we parse it according to the specifications in RFC 4408 and RFC 7208.

Our parsing process detects all rules in the SPF record and provides clear explanations for each one. This means that you can easily understand how your SPF record is configured, and which emails, servers, and IP addresses are authorized to send email on behalf of your domain.
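The filtering and per-rule explanation described above, as an added Python example (not the application's own code). The function names `find_spf` and `explain` and the sample TXT strings are constructed for illustration; the sample mirrors the migration story, where the record still authorizes only the old provider.

```python
import re

# Result each qualifier gives when its mechanism matches (RFC 7208, section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {
    "all": "any sender", "a": "address records of", "mx": "mail exchangers of",
    "ip4": "IPv4 range", "ip6": "IPv6 range",
    "include": "senders passing the SPF policy of",
    "exists": "senders for which this name resolves:",
    "ptr": "reverse-DNS names under",
}
MODIFIER = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)=(.*)$")
MECHANISM = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+):?(.*)$")

# Constructed TXT answers: the SPF record sits among unrelated TXT strings.
SAMPLE_TXT = [
    "site-verification=constructed-token",
    "v=spf1 include:_spf.google.com ~all",
]

def find_spf(txt_records):
    """Return the one TXT string that is an SPF record, or None if there is none."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) > 1:
        raise ValueError("more than one SPF record: receivers treat this as permerror")
    return spf[0] if spf else None

def explain(record):
    """Return one human-readable line per term of an SPF record."""
    lines = []
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        mod = MODIFIER.match(term)
        if mod:                                # e.g. redirect=..., exp=...
            lines.append(f"modifier {mod.group(1).lower()} -> {mod.group(2)}")
            continue
        mech = MECHANISM.match(term)
        if not mech or mech.group(2).lower() not in MECHANISMS:
            raise ValueError(f"unknown mechanism {term!r}")
        qual, name, value = mech.groups()
        name = name.lower()
        # a, mx and ptr apply to the current domain when no name is given.
        target = "the domain itself" + value if value[:1] in ("", "/") else value
        what = "any sender" if name == "all" else f"{MECHANISMS[name]} {target}"
        lines.append(f"{QUALIFIERS[qual or '+']}: {what}")   # no qualifier means "+"
    return lines
```
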

We believe that understanding your SPF record is a crucial part of managing your domain's email security, and we're here to make that process as simple and straightforward as possible.

Why does SPF even exist?

Technically, anyone who sets up an SMTP server can set the 'From' field to any value when sending emails. This is often exploited by spammers and phishers who send emails with forged 'From' addresses.

Therefore, you might receive an email that appears to be from your bank, but in reality, it could be from anyone. Email was invented at a time when the internet was taking its first steps. There were no scammers and no viruses. People were thinking about inventing new ways to communicate and share their knowledge. There was no time to think about security. However, as the internet continued to grow, new use cases emerged. One day the first virus was invented, and one day the first spam letter was written. And one day, scammers realized that they could use the From field of an email message to mislead their recipients.

One might think that the solution is to check the server that sent the message and compare its address with the server domain name. But things have already become much more flexible and complicated. You might think that if you received an email from Trip.com@newsletter.trip.com, it was sent from an SMTP server located at the newsletter.trip.com domain. But let's analyze the headers of the email:

Email headers for the email from Trip.com@newsletter.trip.com

As you can see, the email was sent from one of the amazonses.com servers. You may wonder why this happens. Implementing newsletter delivery can be a complicated task, so companies usually prefer to outsource it to dedicated services. In this case, trip.com uses Amazon Web Services for the job. As a result, you can no longer verify the sender's authority solely based on the server from which the email was sent. This is where the SPF record comes in. Let's take a look at the SPF record of the newsletter.trip.com domain:

SPF record for newsletter.trip.com domain

As you can see, newsletter.trip.com allows the amazonses.com servers to send emails from @newsletter.trip.com addresses. Moreover, if you dive deeper and check the SPF record of the amazonses.com domain, you can find the rule ip4:54.240.0.0/18. This rule allows all IP addresses from 54.240.0.0 to 54.240.63.255 to send emails from newsletter.trip.com. So if you go back to the headers analyzer, you can see that the email was sent from the IP 54.240.3.17, which is definitely inside this range.

Now that you understand how SPF works, let's look at the sequence your email server follows when it receives an email:

STEP 1

Get the address of the sender's server

The recipient's server gets the address of the sender's server from the email headers.

STEP 2

Read the From field

The server reads the From field of the email and gets the domain name.

STEP 3

Get the SPF record of the domain

The server makes a DNS TXT query to get the SPF record of the domain and parses it.

STEP 4

Match sender server's address to the SPF record

The server checks all the SPF rules one by one to find out whether the sender is allowed to send email from the given address.
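Steps 3 and 4 applied to the newsletter.trip.com case, as an added Python example (not the application's code). The `TXT` table is a constructed stand-in for DNS, since the page shows the real records only as screenshots; only the `ip4:54.240.0.0/18` rule and the sender IP come from the text, and only the ip4, ip6, include, redirect and all terms are handled.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT answers.
TXT = {
    "newsletter.trip.com": ["v=spf1 include:amazonses.com ~all"],
    "amazonses.com": ["v=spf1 ip4:54.240.0.0/18 -all"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate the sender IP against the SPF record of domain.

    domain is the sender domain the receiver extracted; RFC 7208 defines it
    as the SMTP MAIL FROM (or HELO) domain.
    """
    if depth > 10:       # nesting guard; RFC 7208 caps DNS-querying terms at 10 in total
        return "permerror"
    records = [r for r in TXT.get(domain, []) if r.lower().split(" ")[0] == "v=spf1"]
    if len(records) != 1:
        return "permerror" if records else "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]    # used only if no mechanism matches
            continue
        qual = term[0] if term[0] in RESULT else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return RESULT[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_host(ip, value, depth + 1)
            if inner in ("permerror", "temperror", "none"):
                return "permerror" if inner == "none" else inner
            matched = inner == "pass"   # include matches only if the inner policy passes
        else:
            raise NotImplementedError(f"{name!r} needs live DNS lookups")
        if matched:                     # first matching mechanism decides the result
            return RESULT[qual]
    return check_host(ip, redirect, depth + 1) if redirect else "neutral"
```

Note that the `-all` inside the included record does not reject the message by itself: a failing include simply does not match, and evaluation continues with the outer record's remaining terms.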

You might now be wondering why we trust the email headers in the first step. If the sender can set the From header to any value, why wouldn't they do the same with the other headers? That's why SPF alone is not enough to secure your inbox. SPF should always be combined with the DKIM protocol. Moreover, there is the DMARC protocol, which already requires both SPF and DKIM to determine the authenticity of an email message. The DNS checker app can query both SPF and DMARC records and provides human-readable explanations for the rules in them.

Our Future Plans

We are constantly working to improve the Check Mail SPF application to provide you with the most comprehensive and user-friendly SPF record checking tool. One of our upcoming features is the addition of recursive queries. This means that if the SPF record contains any 'redirect' or 'include' mechanisms, our application will automatically perform the corresponding queries and include those rules in the output.

However, we understand the importance of keeping this information easy to read and understand. Therefore, we will ensure that users can clearly see where these additional rules came from and how they are interpreted. This will provide a more complete picture of your SPF record configuration, while still maintaining the simplicity and clarity that our users value.

While we continue to improve and expand the Check Mail SPF application, we also value the input of our users. We believe that your feedback is crucial in helping us understand what new features you would like to see in the application.

After using our application, we encourage you to leave your feedback by pressing the corresponding button below the application output. Whether it's a new feature request, a suggestion for improvement, or a bug report, we want to hear from you. Your feedback helps us make the Check Mail SPF application better for everyone.