Sender Policy Framework (SPF): How it works and when you shouldn't use it

How SPF works

SPF (Sender Policy Framework) is a simple method for identifying forged senders and blocking them as SPAM.

The way it works is simple: The domain owner (e.g. me with the domain frankysweb.de) publishes a TXT record (SPF record) in the DNS that contains the mail servers from which I send mails. For example, if my mail server has the IP 81.169.145.159 and is the only mail server that sends mails under the domain frankysweb.de, then I can set the following TXT record as an SPF entry in my DNS zone:

v=spf1 ip4:81.169.145.159 -all

As the domain owner, I indicate that only the IP 81.169.145.159 may send mails under the domain frankysweb.de.

The recipient of a mail can now query this public entry and thus check whether the mail server that is currently trying to send a mail from frankysweb.de is really authorized to do so. All he has to do is compare the IP address of the sending mail server with the SPF entry. So far, so simple.

However, SPF is not entirely unjustifiably criticized, and there are various reasons for this. I would like to go into one of these reasons in more detail because I have come across it a lot recently:

Redirections (relays, smart hosts)

A receiving mail server uses SPF to check the IP address of the sending mail server against the SPF entry in the DNS. This depends on how the mail server and, above all, from whom the mail server actually receives the mails and who checks the SPF entry. I have made a small drawing of this:

So let's assume that frank@frankysweb.de wants to send an email to hans.dampf@gehtjagarnicht.de. The admin of gehtagarnicht.de, for example, has a local Exchange server and, because he doesn't want any SPAM mails, has also installed a SPAM filter in front of the Exchange server (or installed some software on the Exchange server). The admin of gehtjagarnicht.de may also have thought of the following (just as an example):

Hey, I don't have a fixed IP on my DSL connection, so I just let a relay (smtp.rzone.de) forward the mails to my DynDNS account. So my MX record is smtp.rzone.de and it simply forwards everything to my DynDNS

Correct, you can do this, but: Not with SPF, because in this case the SPAM filter on the local mail server only ever sees the IP address of the relay/smarthost. In this example asp is the IP of smtp.r-zone.de. If the local mail server now attempts an SPF check, the inbound IP does not match the IP in the SPF record and the check fails.

So you can either carry out SPF checks on the relay and switch them off on the local server, or you can completely dispense with SPF. Whitelisting the relay IPs on the local spam filter is also not a solution, as the relay delivers all mails, all mails bypass the SPF check.

The same game often occurs with redirected domains, for example: gehtjagarnicht.de also uses gehtjagarnicht.com and forwards all mails from .com to .de. If a mail is now sent to hans.dampf@gahtjagarnicht.com and the provider redirects or forwards it to hans.dampf@gehtjagarnicht.de, the provider's IP is again the delivering IP, but not the original mail server. Ergo SPF check fails.