Sender Policy Framework

The Sender Policy Framework (SPF) is an email authentication technique used to prevent spammers from sending messages on behalf of domains they do not own. An administrator who controls the domain creates a verification record in DNS. This record lists the entities that are authorized to send email on behalf of the domain.

RFC 7208 (Standards Track) is the governing document for the Sender Policy Framework.

 

Rejection

If you are here because your email was rejected by a Mailborder server, then your organization’s administrators must take action to correct your domain’s SPF record. This is a DNS record for your domain, owned and controlled by your organization. In essence, this record is an instruction set that remote email servers outside of your domain use to decide, based on the originating source of the email, whether to accept or reject email where your domain is in the “from” parameter.

*Note: our company provides the Mailborder email gateway software. The Mailborder company is not the entity rejecting your email. 

The best resource to test your domain’s SPF record: MX ToolBox

Here are some common reasons for SPF rejections:

  • The server trying to send email on behalf of your domain is not authorized to do so. This sometimes happens with email marketing platforms such as MailChimp. It is also common with business systems that are not natively email servers but send email directly to your customers (for example, billing systems). These sources must also be included in your SPF record.
  • Your SPF record is broken. This results in a “permerror”. A common issue is having more than one SPF record. Another common issue is having too many include statements, which together require too many DNS lookups. (The limit is 10.) The MX ToolBox tool above will help identify both of these types of problems, and more.
  • You don’t have an SPF record at all.
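
The sketch below is an added example, not Mailborder code. It checks a domain's TXT data for the two “permerror” causes listed above: more than one SPF record, and more than 10 DNS-querying terms once include and redirect targets are followed. The zone data and the `.example` names are constructed, and SPF macros and the separate void-lookup limit are not modeled.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208: at most 10 DNS-querying terms per SPF check
# Terms that trigger DNS queries; "all", "ip4" and "ip6" do not.
TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^(redirect)=", re.I)

# Constructed TXT data for illustration (not real DNS answers).
ZONE = {
    "good.example": ["v=spf1 mx include:_spf.good.example ip4:192.0.2.10 -all"],
    "_spf.good.example": ["v=spf1 ip4:198.51.100.0/24 a:mail.good.example ~all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:_spf.good.example ~all"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:p{i}.example" for i in range(1, 5)) + " -all"],
    "nospf.example": ["site-verification=constructed-value"],
}
for i in range(1, 5):
    ZONE[f"p{i}.example"] = ["v=spf1 a mx -all"]  # 2 lookups each, plus the include itself

class PermError(Exception):
    pass

def spf_records(txts):
    """Return only the TXT strings that are SPF records."""
    return [t for t in txts if re.match(r"v=spf1( |$)", t, re.I)]

def count_lookups(domain, zone, used=0):
    """Follow include/redirect targets; return the running count of DNS-querying terms."""
    recs = spf_records(zone.get(domain.lower(), []))
    if len(recs) != 1:
        raise PermError(f"{domain}: {len(recs)} SPF records, expected exactly 1")
    for term in recs[0].split()[1:]:
        m = TERM.match(term)
        if not m:
            continue
        used += 1
        if used > LOOKUP_LIMIT:
            raise PermError(f"more than {LOOKUP_LIMIT} DNS lookups (reached in {domain})")
        if (m.group(1) or m.group(2)).lower() in ("include", "redirect"):
            target = term[m.end():].lstrip(":")
            if not target:
                raise PermError(f"{domain}: '{term}' has no target domain")
            used = count_lookups(target, zone, used)  # shared budget also stops include loops
    return used

def check(domain, zone=ZONE):
    """Return (result, detail) where result is 'ok', 'none' or 'permerror'."""
    if not spf_records(zone.get(domain.lower(), [])):
        return "none", "no SPF record published"
    try:
        return "ok", f"{count_lookups(domain, zone)} DNS-querying terms"
    except PermError as e:
        return "permerror", str(e)
```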

But!

“But I can send email to other places just fine!”

We know. Not everyone follows RFC standards. However, it would be a pretty bad look for an email security company not to follow email standards, so we decided it would be a good idea to do that.

At some point everyone will start enforcing this. It usually happens after a large organization loses several million dollars by not enforcing standards that create security holes. Give it time. It will happen.

Mailborder Owners

If you are the owner of a Mailborder server, there is nothing wrong with your server. It is doing what the remote domain owner has instructed it to do, or the remote domain has a serious SPF configuration error. Rest assured, the user trying to send email to you knows the email was rejected and why. The user has probably already contacted their own administrator to correct the problem.

If you wish to temporarily whitelist a remote domain or IP address until the business partner has a chance to correct their records, you may do so. However, we do not recommend that this be a permanent solution. It makes no sense to degrade the security of your enclave permanently because someone else won’t fix their own problem. If you get into the habit of doing that, it will come back to bite you at some point.