E-MAIL

Authentication

Sender Policy Framework (SPF)

SPF takes the form of a DNS TXT record on the domain you send email from. It looks something like this:

"v=spf1 include:_spf.protonmail.ch -all"

At its core, SPF is just a list of IP addresses that are authorized to send email from your domain. These can take a few different forms:

For our example above, _spf.protonmail.ch has a couple dozen A records on it, which are included in this SPF policy via the include: mechanism.

Other than the IPs and included hostnames, we have a qualifier, which is one of a few symbols that prefix a mechanism.

Each symbol recommends a different policy to a mail server that tells it what to do if it receives a message from your domain from that IP. By default, with no symbol, it is considered equivalent to +, which is a “pass.”

In our example, we have two mechanisms:

  1. include:_spf.protonmail.ch, which includes all the IPs for Proton Mail, and has no qualifier, making it an implicit “pass all messages from these IPs.”
  2. -all, which is a fallback with the “reject” qualifier, instructing the receiver to “fail all messages from any other IP.”

And that is all there is to it. SPF is a very simple tool, but provides the very base level of email verification (“what IPs are allowed to send my email”) necessary to do basic spam filtering. Even just setting up SPF alone should help significantly with your delivery success.
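
As an added example (not from the original page), here is a minimal Python evaluator for the qualifier and mechanism logic described above, showing that the first matching mechanism decides the result. The TXT records, domain names and address ranges are constructed placeholders, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records standing in for DNS. 192.0.2.0/24 and 2001:db8::/32
# are documentation ranges, not any provider's real sending addresses.
SAMPLE_TXT = {
    "example.org": "v=spf1 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
}

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) terms."""
    version, *terms = record.split()
    if version.lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms:
        qualifier = "+"                  # no symbol is equivalent to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed

def check_host(ip, domain, txt=SAMPLE_TXT, depth=0):
    """Return the SPF result for `ip` sending mail as `domain`."""
    if depth > 10:                       # simplified loop guard for nested includes
        return "permerror"
    record = txt.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only if the included policy evaluates to "pass"
            matched = check_host(ip, value, txt, depth + 1) == "pass"
        else:
            matched = False              # a, mx, exists etc. need live DNS; skipped
        if matched:
            return QUALIFIERS[qualifier] # first matching mechanism wins
    return "neutral"                     # nothing matched and no "all" term
```

Note that the included record's own ~all never leaks out: an address that only reaches softfail inside the include does not match it, so the outer -all decides.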

References