What is SPF lockdown?

I've been asked this question pretty regularly: How do I tell the world that a certain domain of mine isn't valid for sending email? What about typo domains, bad domains? How can they configure things to tell the world that no legitimate mail should have this domain in a from address?

Easy! You do it with what I call an "SPF Lockdown." SPF (Sender Policy Framework) is a simple way of telling the world what IP addresses are allowed to send mail for your domain. In this example, we're going to tell the world that NO servers are allowed to send mail for a given domain. To do that, create a TXT record in DNS, at the top level of your domain, and put this value in that TXT record: v=spf1 -all

The "v=spf1" is what you preface an SPF record with, when creating it as a TXT record in DNS. The "-all" means "hard fail" any mail that doesn't match the list of "mechanisms." In between, you would usually put a list of IP addresses or other information that says which servers are allowed to send that mail. Since you've included none, any mail using this domain will always fail an SPF check. No servers are allowed to send mail for that domain.

There you go, that's all there is to it. Now, any email server, email software, or anti-spam software that checks SPF records will know that any mail using that domain name in its from address is invalid. Here's an example you can lookup showing an obviously bogus domain name and how its SPF record is configured.
Post a Comment