Why am I here?

Possibly because you tried to send mail to us, and your mail was rejected. Maybe someone suggested that we might be able to help you with mail problems (they were right :)).

There are many ways in which mail systems can be broken or misconfigured. Some of them can result in rejected mail, and some of them can have an impact on your security - or that of your correspondents.

This site is concerned primarily with the security issues, one of the biggest of those being email forgery. If you've never seen an email which claims to be from your bank, or a freight company, but which in reality is from some scammer in West Africa, maybe you should check that the little lights on your computer are glowing or that your mobile is charged.

There are tools to test some parts of mail systems, plus information about email security, how to find out more, and how to get problems fixed.

Why was my mail rejected?

Well you might just be a spammer. In that case, please go away. We won't help you.

Or you might be using a service which is also being used by many other users, and some of the other users may be spammers. In that case we may well be able to help.

Perhaps your recipient's email provider checks SPF records, and your own email provider has created one, but the SPF record which they have created is broken. (In the first ten or fifteen years of SPF this used to happen often, but it happens less often now.) It is a security issue, because it means that the automatic detection of mail which is forged to look like it came from you may be less reliable.

But other people accept my mail?!

We hear this all the time when we try to explain that there's a problem with an SPF record. It usually goes along the lines of "You don't accept my mail, but other people do, so the problem must be at your end."

SPF doesn't work like that.

For example, if

1. you have an outdated SPF record for your mail domain, and if

2. when your sent mail is tested against it, the mail does not pass, and if

3. the mail system acting for the recipient does not bother to check the domain's SPF record

then it should really come as no surprise if the mail is not rejected.

We will always make SPF tests on mail.

If the mail does not pass our SPF tests, we reject it.

A lot of outdated mail systems still don't check at all, and some that do check don't do anything about it when they find a 'fail'.

But if your record will not pass your mail and the mail is checked against it, then a failure is the expected result.

SPF is about rejecting mail if it looks like it's from you but it does not come from a server authorized by your SPF record. In other words, that's how we can tell that it's forged.

SPF is not about accepting your mail.

SPF is about rejecting mail pretending to be from you.

If you only take one thing away with you after visiting this entire site, take that.

What's SPF?

SPF is the Sender Policy Framework.

The purpose of SPF is to prevent forgeries of mail from a domain which sends mail. It can also declare that a domain never sends any mail. Those are the main uses for SPF.

It's up to the administrators of a domain name to configure SPF for the domain. After that's done, the information is public and anyone can use it.

Terminology:
The Domain Name System is all about names. You're already very familiar with some of these names - they're the things that have dots in them. As we become increasingly familiar with the technical terms used in the DNS, after a while we tend to get lazy when we use them. For example we might just say "a host" instead of "a host name"; and we talk about "SPF records" when we really mean "DNS TXT records formatted for use in the SPF". As far as we're concerned here, the terms "domain" and "domain name" mean exactly the same thing.

The part of an email address after the '@' sign is a mail domain name. There are other kinds of domain. One example is the host name which a mail server uses to identify itself (in the SMTP HELO or EHLO command) when it connects to another server to send a mail message. Not only do criminals forge mail domain names, they forge host names too. SPF can also protect host names: a receiver may check the HELO name against its own SPF record just as it checks the mail domain.

SPF protects names from forgery by linking the mail domain to the IP addresses of just those mail systems which are permitted by the domain administrators to send mail on behalf of the domain. Unfortunately it is trivially easy to forge email addresses. It's very much harder to forge IP addresses, because the sending system has to complete a TCP connection from that address and hold it up for the whole SMTP conversation, and that makes it that much harder for criminals to forge mail from domains which are protected by SPF.

The mail handling systems which act for recipients can implement the sender domain's policy for the sender's mail at the point where they see the incoming mail on the wire (or on the fibre, microwave, or whatever).

SPF is one of the most widely misunderstood features of electronic mail systems. People often want to know how to get their mail to pass SPF checks so that their mail will be accepted. That's not what SPF is about. SPF 'fail' can be expected to cause mail to be rejected, but SPF 'pass' does not mean that it should be accepted. There can be many reasons why any particular mail might be rejected. SPF 'fail' is just one of them. SPF 'pass' simply removes one of the many possible reasons for rejection, but it does not mean that there can be no other reason to reject the mail.

SPF is not about anybody's reputation, and despite what anybody else might have told you, it is not about spam. Yes, a lot of spam is forged, but if mail fails SPF tests that doesn't necessarily mean it's spam. Quite possibly it means that an SPF record is broken. About 30% of the SPF records in the DNS were broken in some way when we last checked a small sample of them. (To make it a fairly good small sample, we checked ten million of them. It took about four months.)

If there's an SPF record for a name, it covers that name only. There's a record for the name 'fixmymail.uk', and a separate one for the (host) name 'mail.fixmymail.uk'. If there were no record for the host name, the record for the 'parent' name ('fixmymail.uk') could not be used in its place.

There must be only one SPF record for one domain. So if your email address ends in '@gmail.com' (or 'yahoo.com') then the SPF record for your address is the same as the record for all the other '@gmail.com' (or '@yahoo.com') addresses.

How do I get you to accept my mail?

That depends on why it was rejected.

If you don't know, then for us to be able to help you need to give us the information which we need. Even if your mail to us was rejected, we've probably seen it. If it looks like you're in genuine need and you aren't a spammer we'll get in touch with you.

If you're here because you want to find out how to get people to accept your mail when they really don't want it, then you're in the wrong place. There's nothing for you here. That's not what we're about, and we can't help you.

If mail was rejected because your SPF record is broken, we can definitely help you. Usually we will be able to help very quickly.

Where is this SPF record thing?

The policy is embodied in one (only one) line of text[*] in the DNS (Domain Name System).

The DNS?

The DNS is a globally-distributed, public, fault-tolerant, hierarchical database a bit like a gigantic telephone and address book. It holds a lot more than just addresses and numbers, and SPF records are just one small part of it. The DNS is as much about being always available everywhere, and fast, as it is about storing data. Most of the things it stores are very small pieces of data, like the name-to-number entries that you have in a telephone directory. It's of no use for storing large chunks of data. The intention is that all the data stored in it is available to everyone (and that includes all the criminals).

Manipulating DNS data directly can be tricky, and mistakes can have unpleasant consequences. Many Internet Service Providers will provide access for you via some kind of Web interface. If you are given such access, the Web interface will limit the parts of the DNS to which you have access, and hopefully also the amount of accidental damage that you can do if you make inadvisable changes.


[*] Strictly speaking, because of certain technical limitations in the DNS, an SPF record can be stored as more than one text string. But these are simply joined together to make a single line of text to form a single logical record when they are actually used. Don't worry about it unless you're creating one yourself. Run it by our checking tool before you publish it.

Can I see it?

Yes, very easily. There are no secrets, it's all published - in fact that's the whole point.

Here's our own SPF record for fixmymail.uk:

"v=spf1 ip6:2001:470:6976:44::25 ip4:83.67.166.33 exp=exp.fixmymail.uk ra=postmaster -all"

If it looks a bit confusing to you at first we can show you that it really isn't - see the breakdown under 'The anatomy of an SPF record' below.


Didn't I see that there are *both* SPF (type 99) records *and* SPF TXT records?

Unfortunately yes, there are.

The framework wasn't developed overnight.

Our planet has an enormous inertia. It took the Pope 400 years to apologize to Galileo, for example, and although things tend to happen quicker than that on the Internet it still took decades to get to where we are now with email forgery detection.

There was some experimentation along the way. Some of the experiments were only qualified successes, and some failed completely. The first SPF specification used TXT records (type 16). TXT records are used for several purposes in the DNS. The success of the first SPF experiments led to the creation of a new record type to be used only for SPF. Unfortunately the specification for the new type was botched, and development galloped so far ahead of adoption that the new type became an embarrassment. Eventually, depending on how you look at it, inertia overcame optimism or common sense prevailed.

When we talk about SPF records nowadays, we invariably mean DNS TXT records.

SPF (type 99) records are now obsolete, and they can cause problems if outdated software ill-advisedly tries to use them. Ideally they would all be deleted, but many organizations have not kept up to date. If your mail provider is one of them, you might want to let them know that they need to keep up - or you could consider changing to a more switched-on provider.

Microsoft's Sender-ID was another failure. It can also cause problems.[**]


[**] The Sender-ID specification called for software to use SPF TXT records in ways which were not intended by the original specification. Unfortunately this abuse produced aberrant results, and even now, many years later, there is still a lot of outdated software which abuses SPF records. The best way to defend against this is to have an additional TXT record which is literally "spf2.0/pra ?all" for any domain which sends mail -- that is, for any domain which will appear as the domain part of an email address after the '@' symbol, and which also has a "v=spf1 ..." TXT record. Then the outdated software will use the "spf2.0..." record, and will not abuse the SPF TXT record.

Sometimes you'll see a record "v=spf2.0..." which is both incorrect and useless. If your domain has such a record, please try to get your administrators to delete it.

The anatomy of an SPF record.

We're simplifying a bit here, but not in any way that really matters.

Below is a breakdown of the SPF record for one of our domain names, 'fixmymail.uk'. We have other domain names of course, and some of them have SPF records too, but don't worry about that now.

Here's that record again, broken into its individual 'terms', together with the meaning of each term:

"v=spf1"

This version tag is what marks the record as an SPF record. It's our one and only SPF record for the name. Like everyone else, we're only allowed one SPF record for one domain name.

"ip6:2001:470:6976:44::25"

This IPv6 address is authorized by us to send mail on behalf of our domain.

"ip4:83.67.166.33"

This IPv4 address is authorized by us to send mail on behalf of our domain.

"exp=exp.fixmymail.uk"

There's an explanation available at this name: its TXT record holds the text which a receiver can show to a sender whose mail fails our check. Yes, it's a separate name, and yes, the only thing you'll find there is that explanation.

"ra=postmaster"

This is the local-part of the address to which reports of SPF failures for our domain should be sent (the 'ra' modifier is defined in RFC 6652). To get the complete address you need to tack the domain name 'fixmymail.uk' onto the name given here (with the usual '@' symbol of course), giving postmaster@fixmymail.uk.

"-all"

We permit no other IPs to send mail on our behalf. If they do, you may assume that the mail is forged[***]. Please feel free to discard it without looking at it if you wish.
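Here is how a receiving system applies a record like the one broken down above, as an added example written for this page (it is not the site's own checking tool). It handles only the terms that appear in the fixmymail.uk record (ip4, ip6, all, exp and ra), joins a record that the DNS returns as several text strings into one line as described in the footnote under 'Where is this SPF record thing?', and treats two "v=spf1" records for one name as the error that it is. The FAKE_TXT table, the two '.example' names and the explanation text are constructed stand-ins for DNS so that the example runs offline.

```python
"""Toy SPF evaluator for the ip4 / ip6 / all terms and the exp / ra modifiers.

Added example, not the fixmymail.uk site's own code. DNS is replaced by the
constructed FAKE_TXT table below so that it runs offline.
"""
import ipaddress

# Constructed stand-in for DNS: name -> list of TXT records, each record a
# list of character-strings exactly as a resolver returns them. The
# fixmymail.uk record is the one shown on the page, split into two strings
# to show the join; everything else here is made up for the example.
FAKE_TXT = {
    "fixmymail.uk": [
        ["v=spf1 ip6:2001:470:6976:44::25 ip4:83.67.166.33 ",
         "exp=exp.fixmymail.uk ra=postmaster -all"],
        ["site-verification=not-an-spf-record"],
    ],
    # constructed explanation text; real exp strings are macro-expanded first
    "exp.fixmymail.uk": [["%{i} is not permitted to send mail for %{d}"]],
    "two-records.example": [["v=spf1 ip4:192.0.2.1 -all"], ["v=spf1 -all"]],
    "no-spf.example": [["just-a-txt-record"]],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def join_txt(name, txt=FAKE_TXT):
    """Each TXT record's character-strings are concatenated with nothing
    between them (RFC 7208 section 3.3); any space belongs inside a string."""
    return ["".join(strings) for strings in txt.get(name, [])]


def spf_record(name, txt=FAKE_TXT):
    """Return (status, record): 'none' if there is no v=spf1 record and
    'permerror' if there is more than one (two records are a broken setup,
    not a merged policy)."""
    records = [r for r in join_txt(name, txt)
               if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none", None
    if len(records) > 1:
        return "permerror", None
    return "ok", records[0]


def parse_terms(record):
    """Split a record into (result, mechanism, argument) triples plus a
    dict of modifiers such as exp= and ra=."""
    mechanisms, modifiers = [], {}
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        if "=" in term:                      # name=value -> modifier
            key, value = term.split("=", 1)
            modifiers[key.lower()] = value
            continue
        qualifier = "+"                      # a bare mechanism means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")   # 'ip6:2001:...' -> ip6, 2001:...
        mechanisms.append((QUALIFIERS[qualifier], mech.lower(), arg))
    return mechanisms, modifiers


def check_host(ip, domain, txt=FAKE_TXT):
    """Evaluate the connecting IP against the domain's policy; the first
    matching term wins. Mechanisms that need further DNS lookups (a, mx,
    include, exists, ptr) are not modelled and stop with 'unsupported'."""
    status, record = spf_record(domain, txt)
    if status != "ok":
        return status, {}
    addr = ipaddress.ip_address(ip)
    mechanisms, modifiers = parse_terms(record)
    for result, mech, arg in mechanisms:
        if mech == "all":
            return result, modifiers
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare address -> /32 or /128
            if addr.version == net.version and addr in net:
                return result, modifiers
            continue
        return "unsupported", modifiers
    return "neutral", modifiers               # ran off the end of the record


def report_address(domain, modifiers):
    """ra= carries only the local-part; the domain is tacked on."""
    return f"{modifiers['ra']}@{domain}" if "ra" in modifiers else None


def explanation(modifiers, txt=FAKE_TXT):
    """exp= names a domain whose TXT record holds the explanation string."""
    strings = join_txt(modifiers["exp"], txt) if "exp" in modifiers else []
    return strings[0] if strings else None


if __name__ == "__main__":
    for ip in ("83.67.166.33", "2001:470:6976:44::25", "198.51.100.7"):
        result, mods = check_host(ip, "fixmymail.uk")
        print(ip, "->", result)
        if result == "fail":
            print("  explanation:", explanation(mods))
            print("  report to:", report_address("fixmymail.uk", mods))
```

In a real checker FAKE_TXT is replaced by the resolver's answer (with dnspython, each TXT rdata's `strings` attribute is the list of character-strings to join). Note that a record with no 'all' term at the end falls off the end and yields 'neutral', which is one of the ways a record ends up saying less than its owner intended.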


The full specification for SPF is the current IETF document, RFC 7208. Now that is confusing, even sometimes to us. But don't worry, because we're here to make sense of it.


[***]Some mailing lists forge mail. There's no reason for them to do it, but for reasons such as inertia, obstinacy, religion and hubris not everyone wants to play ball.
