How SPF works
Spammers generally use resources they do not own to send their malicious campaigns. They will spam using computers they have taken remote control of and linked together in a network called a botnet. And they usually also send from a domain that does not belong to them. In fact, it could be from YOUR domain. Email address spoofing is when a spammer forges the envelope sender address to make it seem as though the email originated from a legitimate source. Publishing an SPF record helps protect your domain from spoofing.
The first victim of a spoofing campaign will be your domain's reputation: if you are receiving spam messages from yourself, you can be sure that others are also receiving spam messages that appear to be coming from you. Not a good thing. The second consequence may be more harmful, however. Among the servers (whether Exchange email servers or any other) receiving spam messages claiming to come from your domain, some will be using filtering solutions that flag these emails as spam. These servers will bounce the email and send DSN (delivery status notification) messages to your server, since the messages appear to be coming from it. If the spamming campaign is massive enough, your server will find itself flooded with DSN messages even though it has not sent any of these emails. Fortunately, there is a solution that can help protect your domain from spoofing: publishing an SPF record.
SPF is an open email validation system designed to prevent email address spoofing. The SPFv1 protocol was formally specified by the IETF (Internet Engineering Task Force) and published as RFC 4408.
SPFv1 enables the owner of a domain name to define, through DNS records, which servers are authorized to send email for that domain name. Both senders and recipients need to be part of the process. The domain name owner publishes the domain's sending policy, and recipients configure their email servers to check SPF records on all incoming email. So when an email comes in from a domain protected by an SPF record, if it is not sent by a server specified in the record, the recipient server will reject it. Publishing an SPF record protects your domain because email that spoofs your domain will no longer be accepted by recipients who make SPF checks on incoming email. Spoofed email will continue to be accepted by recipients that do not use SPF checks, however. But the SPF technology is spreading, and the number of servers that are configured to make SPF checks is growing. In addition, studies have shown that spammers tend to avoid spoofing domains protected by SPF records. Here is an example to illustrate how these rules work.
Publishing an SPF record in your DNS zone is free and not terribly complex. You can browse these websites for more information:
Additional information on SPF records
However, keep in mind that an incorrect SPF record could do more harm than good. To find out more on this subject, read our blog article: The most common SPF errors.
If you are a ZEROSPAM customer, our technical team will help you publish a complete, syntactically correct and valid SPF record free of charge.