SPF
Sender Policy Framework (SPF) is a method of email authorization used to specify which servers are permitted to send on behalf of a domain. SPF helps prevent spoofing, where an email is made to appear as if it came from an organization when, in reality, it did not.
SPF operates on the email envelope, not the body or message header.
SPF is implemented via DNS records which specify authorized address ranges. The RFC limits the record to a maximum of 10 DNS queries, and a total of 255 bytes per query. These constraints limit the number of addresses an organization can authorize.
Publishing an invalid SPF record, including a record containing too many addresses, may result in all email from the sending domain failing delivery. It is imperative that the record's integrity is maintained.
SPF Requirements
All domains which send mail are required to have an SPF record in DNS. The SPF record should be configured to inherit the policy of the tamu.edu
domain.
To inherit the tamu.edu
SPF policy, publish this SPF record:
v=spf1 redirect:tamu.edu
A subdomain which does not publish an SPF record will have the above record created.
For a subdomain with an existing an SPF record, Technology Services will work with domain custodians to validate the existing record. Invalid or improper records will be updated as necessary.
For legacy documentation on SPF at Texas A&M see KB0021277.
Messages relayed to external systems via the gateway.tamu.edu delivery setting will not pass SPF.
These messages will not deliver to Gmail and Yahoo recipients starting in February 2024.
Check an SPF Record
The easiest way to check an SPF record is to use the command line:
- Open a terminal or command line on your computer.
- Type
dig txt subdomain.tamu.edu
ornslookup -q=txt subdomain.tamu.edu
. Replace subdomain with yourtamu.edu
subdomain name that you want to check. - Click "Enter" to execute the command.
- You will see a list of TXT records associated with the domain.
- Look for the TXT record that starts with
v=spf1
. This is the SPF record for the domain.
nslookup -q=txt itsec.tamu.edu
Server: 128.194.254.1
Address: 128.194.254.1#53
itsec.tamu.edu text = "v=spf1 redirect=tamu.edu"