I have been using Sender Policy Framework (SPF) records on my oldelvet.org.uk domain for quite some time. This allows me to list the computers that are allowed to send email for a particular domain. This helps to cut down the amount of that falsely claims to come from that domain. The main benefit that I see due to this is that I get less Backscatter incorrectly addressed bounced emails (also see Backscatterer.org a backscatter clearing house) from badly configured Mail Transfer Agents that cause unwanted email by sending bounce messages to the supposed sender of spam.
In the past week I have been looking to add SPF records for a few domains that send/receive mail via my hosting provider Mythic Beasts. I was concerned about ensuring that the SPF records stay in sync with any future server changes at Mythic Beasts. When asked the Mythic Beasts guys informed me that they hadn’t been asked about this before but they quickly got their thinking hats on and came up with an SPF record at _spf.mythic-beasts.com
richm@royalcounty:~$ host -t spf _spf.mythic-beasts.com
_spf.mythic-beasts.com has SPF record "v=spf1 ip4:93.93.130.6 ip4:93.93.131.52 ip4:93.93.131.30 ip4:93.93.131.127 ip4:93.93.130.44 ip6:2a00:1098:0:86:1000::10/127 -all"
Now all I need to do is to add a an SPF record that references _spf.mythic-beasts.com using an include: clause and it will automatically pick up the changes made by Mythic Beasts without me having to change anything.
richm@royalcounty:~$ host -t spf oldelvet.org.uk
oldelvet.org.uk has SPF record “v=spf1 include:_spf.mythic-beasts.com -all”
It is possible to use multiple include: clauses in one SPF record so if you send mail from more than one hosting provider/ISP you can easily do that.
So far things seem to be working fairly well. I did spot one initial problem where we used include= instead of include: and this meant that the correct record was not included.
I also noticed that on my existing records I was using square braces around ip6 addresses.
ip6:[2a00:1098:0:80:1000:4:1010:1010]
I’m not sure where this came from but it did seem to work but does not look to be part of the standard. I’ve now removed that.
ip6:2a00:1098:0:80:1000:4:1010:1010
For now I have left the revised SPF records with short time-to-live (TTL) times so that I can make changes quickly if I spot any further problems.