Sender Policy Framework (SPF) is an email authentication standard that lets a domain owner declare which hosts are authorized to use its domain in email, with that authorization tied to the IP address the message arrives from. SPF macros give you more power and flexibility when creating your SPF records.
This authorization is done by publishing a record in the DNS (Domain Name System). The record must follow a specific format, and most SPF records use various tags, called mechanisms, that explicitly list things such as IP addresses, networks, and hostnames.
Below, we’ll walk you through everything you need to know about SPF macros to take better control over your SPF records.
What are SPF macros?
The SPF standard also defines certain character sequences, referred to as macros, that are meant to be replaced by metadata from the individual message that requires SPF validation. Most SPF records are fairly straightforward, and the mechanisms mentioned above are enough for many domain owners to craft a record that properly authorizes the use of their domain.
However, there are cases where the record is complicated, perhaps due to its sheer size or other factors that just can’t be addressed by those mechanisms. In those situations, these SPF macros provide incredible power and flexibility in crafting SPF records, something that Valimail takes advantage of with our patented Instant SPF® technology.
SPF macros are not widely used, at least relative to mechanisms, and because of this, macros are also not widely understood. The purpose of this post is to remove any fear, uncertainty, or doubt that you, our customer, might have about SPF macros.
An SMTP primer
Simple Mail Transfer Protocol (SMTP) is the standard that describes the language used by two computer hosts that want to exchange an email message over the internet. SMTP declares the sending host in the SMTP transaction as the “client,” and the receiving host as the “server.”
As the name states, the protocol is simple, with only a handful of commands defined. A typical SMTP transaction looks like this:
- Client attempts to connect to server
- Server accepts the connection
- Client issues a greeting (literally “EHLO” or in some cases “HELO”) announcing its name
- Server issues a greeting in response
- Client describes the sender of the message using the command “MAIL FROM”
- Server accepts the sender
- Client describes one or more intended recipients of the message using the command “RCPT TO”
- Server accepts or rejects each recipient
- Client passes the full body of the message using the command “DATA”
- Transaction ends with the message accepted or rejected by server
SPF is designed to validate a domain’s usage early in the SMTP transaction: the server can check the EHLO/HELO name and the MAIL FROM domain against the connecting client’s IP address before it accepts any message data, and reject the message at that point if the check fails.
How SPF macros work
Let’s look at a typical SPF record for a Valimail customer:
"v=spf1 include:foo.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email -all"
The record makes use of two SPF include mechanisms, each of which tells the receiver to look up the SPF record at the named domain and use that record’s result when evaluating this one. The macros are in the second include:
include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email
There are three macros here, each represented by the four-character sequence of percent sign, left curly brace, macro letter, right curly brace; the macro letter is the meaningful character in that sequence. For Valimail’s SPF record, the three macros and their meanings are:
%{i} - The IP address of the client for the message
%{h} - The EHLO/HELO domain of the client for the message
%{d} - The domain being checked; for a MAIL FROM check, that is the sender domain from the “MAIL FROM” command
So, taking what we know about an SMTP transaction, imagine a client sending from IP address “1.2.3.4” issued the following two commands as part of attempting to send the message:
EHLO server1.mail.esp.com
MAIL FROM:<bounces@marketing.foo.com>
The server receiving this message and attempting to validate the SPF record would attempt to look up the following DNS record:
1.2.3.4._ip.server1.mail.esp.com._ehlo.marketing.foo.com._spf.vali.email
Each macro is replaced with the full value from the transaction: %{i} with the client IP address, %{h} with the complete EHLO name (“server1.mail.esp.com”, not just its parent domain), and %{d} with the MAIL FROM domain. If the customer has properly configured their account with Valimail’s Authenticate product, the query would yield an SPF record that evaluates to pass, indicating that the domain “marketing.foo.com” is authorized for mail sent from IP address “1.2.3.4”. Two details worth knowing: for an IPv6 client, %{i} expands to all 32 hexadecimal nibbles of the address separated by dots, so the generated name becomes much longer; and the DNS backend must answer every such query with an SPF record (a non-matching one for unauthorized combinations), because an include whose target has no SPF record at all produces a permerror rather than a fail.
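To make the expansion concrete, here is an added Python example (written for this post, not Valimail’s code) that implements the macro expansion rules of RFC 7208 section 7, including the digit and reverse transformers, the IPv6 nibble form of %{i}, and the 253-character length rule, and then works out which DNS names the two include mechanisms above would cause a receiver to query. The record and the SMTP transaction are the constructed ones from this post; %{p} is left as “unknown” because no PTR validation is performed.

```python
"""Expand SPF macros (RFC 7208 section 7) for one SMTP transaction and work out
which DNS name an include: term containing macros would make the receiver query."""
import ipaddress
import re
from urllib.parse import quote

# One token: a macro %{letter[digits][r][delimiters]} or one of the literal
# escapes %% (percent sign), %_ (space) and %- (URL-encoded space).
_MACRO_RE = re.compile(r"%\{([slodiphvSLODIPHV])(\d*)(r?)([.\-+,/_=]*)\}|%%|%_|%-")


def ip_dot_form(ip: str) -> str:
    """%{i} form of an address: dotted quad for IPv4, 32 dot-separated hex
    nibbles for IPv6 (the form that %{ir} needs to build reverse-style names)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))


def expand_macros(spec: str, ip: str, helo: str, sender: str, domain: str) -> str:
    """Replace every macro in spec with data from the transaction.

    ip, helo and sender come from the connection, EHLO and MAIL FROM; domain is
    the domain whose SPF record is being evaluated (for a MAIL FROM check, the
    MAIL FROM domain). %{p} is returned as "unknown": no PTR validation is done."""
    if not sender:  # empty MAIL FROM (<>): SPF substitutes postmaster@<HELO domain>
        sender = f"postmaster@{helo}"
    local, _, sender_domain = sender.rpartition("@")
    local = local or "postmaster"
    addr = ipaddress.ip_address(ip)
    values = {
        "s": f"{local}@{sender_domain}",
        "l": local,
        "o": sender_domain,
        "d": domain,
        "i": ip_dot_form(ip),
        "p": "unknown",
        "v": "in-addr" if addr.version == 4 else "ip6",
        "h": helo,
    }

    def replace(m):
        token = m.group(0)
        if token == "%%":
            return "%"
        if token == "%_":
            return " "
        if token == "%-":
            return "%20"
        letter, digits, reverse, delims = m.groups()
        # Split on the listed delimiters (default "."), optionally reverse,
        # optionally keep only the rightmost N parts, then rejoin with ".".
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError(f"macro {token}: digit transformer must be non-zero")
            parts = parts[-int(digits):]
        out = ".".join(parts)
        # An upper-case macro letter means URL-encode the result.
        return quote(out, safe="") if letter.isupper() else out

    return _MACRO_RE.sub(replace, spec)


def fit_dns_length(name: str) -> str:
    """RFC 7208 section 7.1: if an expanded domain-spec is longer than 253
    characters, drop leading labels until it fits. The IPv6 form of %{i} alone
    is 63 characters, so long EHLO names can hit this limit."""
    while len(name) > 253 and "." in name:
        name = name.split(".", 1)[1]
    return name


def include_queries(record: str, ip: str, helo: str, sender: str, domain: str) -> list:
    """Return the DNS names an evaluator would query for each include: term."""
    names = []
    for term in record.strip('"').split():
        if term.lower().startswith("include:"):
            names.append(fit_dns_length(expand_macros(term[len("include:"):],
                                                      ip, helo, sender, domain)))
    return names


# Constructed sample: the record from this post and the transaction it describes
# (client IP 1.2.3.4, EHLO server1.mail.esp.com, MAIL FROM bounces@marketing.foo.com).
SAMPLE_RECORD = ('"v=spf1 include:foo.com._nspf.vali.email '
                 'include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email -all"')
SAMPLE_TXN = dict(ip="1.2.3.4", helo="server1.mail.esp.com",
                  sender="bounces@marketing.foo.com", domain="marketing.foo.com")

if __name__ == "__main__":
    for name in include_queries(SAMPLE_RECORD, **SAMPLE_TXN):
        print("would query TXT", name)
    # The same record seen from an IPv6 client: %{i} becomes 32 nibbles.
    print(include_queries(SAMPLE_RECORD, **{**SAMPLE_TXN, "ip": "2001:db8::cb01"})[1])
```

Running the block prints the two names the receiver would query, the second of which is the name shown above. Feeding it an IPv6 client address shows why the length rule matters: the %{i} part alone becomes 32 labels.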
Why are SPF macros poorly understood?
There are several sites on the Internet that perform some form of SPF record validation. They typically work like this: you enter a domain and maybe an IP address, click a button, and get a report on whether the record is syntactically valid and perhaps whether mail sent using that domain from that IP address will pass.
The reason macros don’t inspire confidence among first-time users is that they can’t really be tested using these sites: a record like the one above can only be evaluated once the client IP address, the EHLO name, and the MAIL FROM domain are all known, and the sites don’t take all of those as input.
SPF records like ours are designed for complex sending environments, usually for customers who are using one or more third-party services to send mail. As such, our customers may not know the IP address(es) of the hosts sending their mail or their EHLO hostnames, and frankly, they don’t have to know this information.
However, even if our customers did have that information, it would be useless for testing their SPF record at any of the sites in question because they don’t support inputting at least some of that information.
How to test your SPF records with confidence
Short of running an SPF implementation yourself with the real client IP address, EHLO name, and MAIL FROM of one of your sending hosts, the way to test the validity of SPF records like ours is to configure the SPF record for your domain, send mail, and inspect the headers once it’s received: the receiving server records its verdict in a Received-SPF or Authentication-Results header. That’s an uncomfortable step for many potential customers, but we’re confident that you’ll see an SPF pass verdict in those headers, just like in the tens, if not hundreds, of millions of messages that our existing customers send each day.
It’s not just our customers who benefit from SPF macros, though. We know of other large senders who make use of macros as well to support their customers, to the tune of hundreds of millions or more messages with SPF pass verdicts each day.
We can’t name them here, but ask your salesperson to point them out, and they’ll gladly show you the evidence in live DNS records.
The bottom line is that SPF macros have been part of the SPF standard since it was first published as RFC 4408 in 2006, and they were retained in its 2014 successor, RFC 7208. They allow for easy expression of complex SPF records and support billions of messages per day. They are a powerful tool for any sender who needs them, and if configured correctly, they just work.
Don’t let the complexity of SPF macros deter you from achieving optimal email security. Let Valimail guide you through the process, ensuring your email domain is protected, authenticated, and compliant. Take the first step towards seamless, secure email authentication with Valimail.