An SPF record is a DNS TXT record (published in DNS alongside your A and MX records) that tells receiving mail servers whether an email has come from a server that is "allowed" to send email for that domain. In other words, it's a check that should prevent spammers impersonating your domain. It relies on the receiving server actually doing the check, which not all do, so it is by no means foolproof, but it should help prevent mass email from your organisation to customers being flagged as potential spam.
Below is an example SPF record for capitalfmarena.com:
(this is in the public domain – you can look up an organisation’s SPF record by using online SPF checkers)
"v=spf1 ip4:18.104.22.168 mx a:service69.mimecast.com mx a:service70.mimecast.com a:capitalfmarena.com -all"
v=spf1 specifies the type of record this is (SPF).
ip4: pass if the sender's IP address matches the addresses we send mail from.
mx a: pass if sender’s IP matches an ‘MX’ record in the domain
a: pass if the sender's IP matches an 'A' record in the domain
The -all indicates that all other senders fail the SPF test. (+all would mean anyone can send mail.)
(~all was used when SPF was still being implemented, and is a soft fail, but shouldn't really be used any longer other than when you're transitioning between mail hosts or something)
Mechanisms are tested in order and any match will pass the email. A non-match results in a neutral state, until it gets to the end of the string, where the -all mechanism will fail it.
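A minimal sketch of the left-to-right evaluation described above, added here as an illustration and not taken from the original post. The domain, hostnames and addresses are constructed (documentation ranges) and DNS is replaced by an inline table; `include`, `redirect` and CIDR suffixes on `a`/`mx` are left out.

```python
import ipaddress

# Constructed DNS data (documentation ranges) standing in for real lookups.
DNS_A = {
    "example.com": ["192.0.2.10"],
    "relay.mailhost.example": ["198.51.100.25"],
    "mx1.example.com": ["192.0.2.20"],
}
DNS_MX = {"example.com": ["mx1.example.com"]}
RECORD = "v=spf1 ip4:203.0.113.5 mx a:relay.mailhost.example a:example.com -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def mechanism_matches(mech, sender_ip, domain):
    """Return True if one mechanism (ip4, a, mx, all) matches the sender IP."""
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True  # matches every sender; its qualifier decides the outcome
    if name == "ip4":
        return sender_ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain  # a bare "a" or "mx" refers to the domain itself
    if name == "a":
        hosts = [target]
    elif name == "mx":
        hosts = DNS_MX.get(target, [])
    else:
        raise ValueError(f"mechanism not handled in this sketch: {mech}")
    return any(sender_ip == ipaddress.ip_address(a)
               for h in hosts for a in DNS_A.get(h, []))

def check_spf(record, sender_ip, domain):
    """Evaluate mechanisms left to right; the first match decides the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" terminator
```

Swapping the final `-all` for `~all` in `RECORD` turns the result for an unlisted sender from `fail` into `softfail`, which is why a record left on `~all` gives receivers much less to act on.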
What is OpenDNS?
OpenDNS is a free DNS lookup service, provided as an alternative to using your ISP's DNS service. It provides additional features for filtering, web security, statistics, and speed improvements. The business collects revenue from adverts served from search pages, and from the enterprise products they offer, which provide more detailed reporting and more granular features. It's suitable for use by home users and businesses.
- Web content filtering by category
- Malware URL blocking by default
- Phishing website protection
- Statistics of DNS resolution
- Blocking of malware-infected devices "phoning home"
- Notification of above devices attempting to phone home
- Typo correction (e.g. yaho.co.uk will resolve to yahoo.co.uk)
- Custom URL whitelists and blacklists
- DNS caching – if authoritative DNS fails, requests will resolve to the last good IP address.
- Multiple networks on one account
- Potential speed improvements
- Zero cost
- An extra layer of web access filtering can block access to websites by category, such as pornography, malware, adware, and others.
- Where your web filtering application or server may fail, OpenDNS will pick up the slack, and block inappropriate sites, malware, or phishing attacks. This should result in significantly fewer virus infections.
- Where a machine is infected, it will not be able to contact malware servers to update itself or spread further (assuming the malware uses DNS to look up the home servers). Statistics will show you when devices do attempt to contact malware servers, highlighting potential problems with infection.
- Staff will be further protected from online scams and phishing attempts, protecting both them and the business.
- Easy-to-read and access statistics will show us which domain names are requested most frequently, and at what times of day. It also highlights where local addresses are being incorrectly forwarded, and may aid fault resolution or identification of previously unknown faults.
- Typo correction improves the safety of online activity for users, and improves the user experience, potentially resulting in fewer helpdesk calls.
- Where an authoritative DNS server fails to resolve a request, OpenDNS will use the last known good IP address. This should also protect against malicious DNS attacks, such as that against NetNames earlier this month.
- OpenDNS is usually faster than ISP DNS servers, resulting in an improved user experience.