Policies - Sender Policy Framework

This article contains information on implementing or updating SPF records, addressing the 10 DNS lookup limit, and how to include Mimecast SPF references to ensure email authentication and prevent delivery issues.

Sender Policy Framework (SPF) is a mechanism to authenticate sender addresses. The MTA uses DNS checks to verify that the sending source IP matches one of those listed in the SPF record for that domain. Organizations can use SPF to declare which mail servers are allowed to send email using the organization's domain. Emails sent from mail servers/IP addresses listed in a domain's SPF record will pass SPF validation.

Implementing or updating an SPF record can be challenging because of the technical limitations that apply to it. One of the most common issues is the 10 DNS lookup limit. A DNS lookup is triggered when an SPF mechanism refers to a domain. The mechanisms that most commonly trigger these DNS lookups are mx and include; exists and ptr are less common.

If a customer does not have an existing SPF record, the implementation will be straightforward; the suggested records can be used as-is.

Example:

example.com.  IN        TXT       "v=spf1 include:eu._netblocks.mimecast.com ~all"

or

example.com.  IN        TXT       "v=spf1 include:_netblocks.mimecast.com ~all"


Depending on the region, Mimecast offers specific DNS records that can be added to the domain’s SPF record or implemented as the domain's SPF record if it is a new domain.

If a customer has an existing SPF record, the record must be updated to add the Mimecast SPF reference.

This is achieved using an include mechanism that refers to a Mimecast-managed DNS TXT record (XX._netblocks.mimecast.com), which counts as 1 DNS lookup. If the Mimecast global record (_netblocks.mimecast.com) is referenced instead, it counts as 6 DNS lookups.

example.com.  IN        TXT       "v=spf1 include:eu._netblocks.mimecast.com include:sendgrid.net ~all"

 

An SPF record exceeding the 10 DNS lookup limit becomes invalid and can affect message delivery. Informing customers upfront about the risks they have or will have improves the customer experience.
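
The lookup arithmetic above, as an added example (not from the original article or from Mimecast): a Python counter for the DNS-querying terms in an SPF record, run against inline data instead of live DNS. The `ZONE` contents and the `vendorN.example` and `gN.placeholder.example` names are constructed assumptions; the global record is laid out only so that it costs the 6 lookups the article states.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: exceeding it is a permerror

# Terms that cost a DNS query: include, a, mx, ptr, exists and the redirect modifier.
TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=]([^/\s]+))?(?:/.*)?$", re.I)

# Constructed TXT data standing in for live DNS. These are NOT the vendors' published
# records: leaf records use documentation address ranges, and the global record is laid
# out only so that it costs the 6 lookups the article states.
ZONE = {
    "eu._netblocks.mimecast.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks.mimecast.com": "v=spf1 "
    + " ".join(f"include:g{i}.placeholder.example" for i in range(1, 6)) + " ~all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}
LEAVES = [f"g{i}.placeholder.example" for i in range(1, 6)]
LEAVES += [f"vendor{i}.example" for i in range(1, 5)]
for leaf in LEAVES:
    ZONE[leaf] = "v=spf1 ip4:203.0.113.0/24 ~all"

def count_lookups(record, zone=ZONE, path=()):
    """Worst-case number of DNS-querying terms reached while evaluating `record`."""
    total = 0
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        m = TERM.match(term)
        if not m:
            continue  # ip4, ip6, all and exp= cost no lookup
        total += 1
        kind = m.group(1).lower()
        target = (m.group(2) or "").lower().rstrip(".")
        # include and redirect pull in another SPF record, whose terms also count.
        if kind in ("include", "redirect") and target in zone and target not in path:
            total += count_lookups(zone[target], zone, path + (target,))
    return total

def check(record, zone=ZONE):
    """Return (lookups, within_limit) for an SPF record string."""
    n = count_lookups(record, zone)
    return n, n <= LOOKUP_LIMIT

OTHERS = " include:sendgrid.net " + " ".join(f"include:vendor{i}.example" for i in range(1, 5)) + " mx ~all"
WITH_REGIONAL = "v=spf1 include:eu._netblocks.mimecast.com" + OTHERS
WITH_GLOBAL = "v=spf1 include:_netblocks.mimecast.com" + OTHERS

if __name__ == "__main__":
    for name, rec in (("regional", WITH_REGIONAL), ("global", WITH_GLOBAL)):
        print(name, *check(rec))
```

The count is a worst case: a receiver stops at the first matching mechanism and only follows redirect when nothing matched, so a given message may use fewer lookups than the total reported here.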


Comments

  • these should be grid specific - i.e. “include:de._netblocks.mimecast.com” for the DE grid.