1

I have very little knowledge about spf records. I have Googled a little and found that spf records are used to prevent email spoofing. But I dont really understood how this works. I would like to know about the following things in brief.

  1. How to set an spf record for my website. (Any links pointing to securely set an spf record may be useful)

  2. Is there a significant difference between using - instead of ~. For example:

what is the difference between 

TXT @ "v=spf1 a include:_spf.google.com ~all"

and

TXT @ "v=spf1 a include:_spf.google.com -all"
  1. Can spf records actually prevent attackers from spoofing my mail server.

Thanks in advance :)

Anonymous Platypus
  • 1,462
  • 3
  • 19
  • 38

1 Answers1

1

How spf records prevents the server from attackers?

They don't. They allow the recipient of the mail to detect spoofed mails but they don't prevent attacks against the server.

  1. How to set an spf record for my website. (Any links pointing to securely set an spf record may be useful)

Add a TXT or SPF DNS record for your domain. How this is done depends on the way you can configure DNS for your domain. There are several resources online which help you to create a proper SPF record, just google for spf wizard.

  1. Is there a significant difference between using - instead of ~.

Yes there is. And it is documented also in the extensive Wikipedia entry. In short: - causes a hard fail where the recipient should not accept the mail, while ~ is only soft fail where the recipient should accept the mail but might increase the spam level.

  1. Can spf records actually prevent attackers from spoofing my mail server.

They can help a lot especially if strict settings are used (i.e. fail not soft fail). But they must be checked by the receiving mail server, because the recipient itself can not reliably know the senders IP address which is necessary to check the SPF record. With DKIM instead the senders MTA signs the mail (or parts of it) and this signature can be verified by the recipient.

Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465
  • They don't. They allow the recipient of the mail to detect spoofed mails but they don't prevent attacks against the server. Isn't it possible for an attacker to craft spoofed mails to the users of a particular website and do malicious activities? Am not sure.. just asking – Anonymous Platypus Jun 14 '15 at 17:57
  • 2
    @AnonymousPlatypus: Of course the attacker can to malicious things while spoofing the email of the site. But these are not what one would consider attacks against the server but only against the company owning the domain by sending phishing mails, mails with false information, spam etc. Attacks against the server are something like (D)DOS, SQL injection etc and these are not caused by spoofing the sender of a mail. – Steffen Ullrich Jun 14 '15 at 18:03
  • Ha ha. I was trying to convey that, but simply put server instead of the company owning the domain> My bad. Thanks for the answer. I shall spread my research further :) – Anonymous Platypus Jun 14 '15 at 18:12