Sender authentication part 12: Some examples of SPF

Now that we've plowed our way through SPF, including the syntax (I can't believe I took the time to do it, but if I ever go into a university and have to teach it I guess I should know it), let's take a look at some real life examples of domains that publish SPF records and try to interpret them.

Example 1 - Frontbridge

Let's start with Frontbridge, the antispam company that Microsoft bought in July 2005. Their SPF record is the following:

"v=spf1 ip4:64.56.194.142 ip4:64.56.194.146 include:spf.frontbridge.com -all"

The version of SPF is 1.0, the IPs that are permitted to send mail are 64.56.194.142 and 64.56.194.146, and then we have an include of the SPF record for spf.frontbridge.com. The SPF record for spf.frontbridge.com is the following:

"v=spf1 include:spfa.frontbridge.com include:spfb.frontbridge.com -all"

Not content to make this example easy, we have another include directive.  Looking up the SPF records for spfa.frontbridge.com, we get the following:

"v=spf1 ip4:12.129.199.32/27 ip4:206.16.192.224/27 ip4:216.148.222.32/27 ip4:63.161.60.0/25 ip4:207.46.163.0/24 ip4:12.129.219.64/26 ip4:62.209.45.160/27 ip4:213.199.154.0/25 ip4:217.117.146.224/27 ip4:12.129.219.152/29 ip4:65.55.251.0/26 -all"

For spfb.frontbridge.com:

"v=spf1 ip4:131.107.0.0/16 ip4:12.129.219.128/27 ip4:12.129.20.19 ip4:207.46.51.64/26 ip4:213.199.154.0/25 -all"

So, the only IPs permitted to send mail as frontbridge.com are the ones above. If the sending IP is not in any of the above addresses or ranges, return a Hard Fail.


Example 2 - The Motley Fool

My next example is The Motley Fool, a financial website.  I've subscribed to The Motley Fool for a number of years and some of the articles are alright.  Their SPF record is below:

"v=spf1 a mx ip4:74.8.50.0/24 ip4:64.94.26.0/24 ip4:64.94.27.0/24 ip4:69.25.30.0/24 ip4:212.36.33.0/24 ~all"

This is simpler. To interpret it, the version of SPF is 1.0. The IPs allowed to send mail are the A-record, the MX-records, and all of the other IP ranges that are mentioned. The A-record of The Motley Fool is 64.94.26.1, and the MX-records of fool.com are 74.8.50.182 and 74.8.50.183. If the sending IP matches any of those, return a Pass. If not, return a Soft Fail.


Example 3 - Yahoo

The following is Yahoo's SPF record:

"  "

That's not a typo, Yahoo does not publish SPF records so there's nothing to authenticate.  Yahoo uses DomainKeys, which is another method of email authentication.  I guess they think that because it's such a good method they are not going to bother publishing SPF records (they need to support the home team and no one else).

That's one way of looking at it. Of course, the drawback to this is that spam filtering services that don't use DomainKeys to authenticate but do use SPF will treat any email from Yahoo as suspicious, since spammers (historically) have spoofed Yahoo.


Example 4 - Gmail

Our next example is Gmail.  The SPF record for Gmail is the following:

"v=spf1 redirect=_spf.google.com"

I didn't look into this modifier in my explanation of the syntax of SPF, but it means that the SPF record for _spf.google.com replaces the record for gmail.com.  For _spf.google.com:

"v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ?all"

Again, this one is relatively easy to interpret. If the transmitting IP is claiming to be coming from Gmail, the IP must be within one of the ranges mentioned above. But what is interesting is that if it isn't, the result is SPF Neutral. What's up with that? Why wouldn't Google explicitly state which IPs they authorize to transmit mail? While I don't know for sure, I think it is because Google also uses DomainKeys, which is another form of email authentication. Still, it's a little annoying that they would be so ambiguous as to be Neutral, rather than a Soft Fail. I could see it if they didn't explicitly control google.com, but they do. So why the need for ambiguity?

It's only speculation on my part.  There's probably something simple I am overlooking.


Example 5 - Hotmail

Finally, let's have a look at Hotmail. 

"v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"

The version of SPF is 1.0.  It has the include directive for spf-[abcd].hotmail.com, which means that all of those domains are searched for a match.  If no match is found among them, return a Soft Fail.

Let's look up the SPF record for spf-a.hotmail.com:

"v=spf1 ip4:209.240.192.0/19 ip4:65.52.0.0/14 ip4:131.107.0.0/16 ip4:157.54.0.0/15 ip4:157.56.0.0/14 ip4:157.60.0.0/16 ip4:167.220.0.0/16 ip4:204.79.135.0/24 ip4:204.79.188.0/24 ip4:204.79.252.0/24 ip4:207.46.0.0/16 ip4:199.2.137.0/24 ~all"

Obviously, I picked a winner here by selecting an example with a huge number of IPs. Let's interpret this: the version of SPF is 1.0, and the IPs permitted to send mail for spf-a.hotmail.com are 204.240.192.0/24 - 204.240.224.0/24 (if I did my math right), expanding all the way to the end of the range. If the sending IP is not in this range, return a Soft Fail. However, we don't return a Soft Fail because of spf-[abcd].hotmail.com; we return it because the SPF record for hotmail.com says to return the Soft Fail.
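To make the interpretations in all five examples concrete, here is an added toy SPF evaluator (my own example, not code from the original post or from any of the companies named) covering exactly the mechanisms these records use: ip4 with CIDR, a, mx, include, redirect= and the qualified all. The DNS table is constructed from the records quoted above, abbreviated to a few prefixes, and the cidr_range helper is the quick check for the Hotmail range arithmetic.

```python
import ipaddress

# Constructed DNS table from the records quoted above (abbreviated); a real checker would do TXT/A/MX lookups.
DNS = {
    "frontbridge.com": "v=spf1 ip4:64.56.194.142 ip4:64.56.194.146 include:spf.frontbridge.com -all",
    "spf.frontbridge.com": "v=spf1 include:spfa.frontbridge.com include:spfb.frontbridge.com -all",
    "spfa.frontbridge.com": "v=spf1 ip4:12.129.199.32/27 ip4:207.46.163.0/24 -all",
    "spfb.frontbridge.com": "v=spf1 ip4:131.107.0.0/16 ip4:12.129.20.19 -all",
    "fool.com": "v=spf1 a mx ip4:74.8.50.0/24 ip4:64.94.26.0/24 ~all",
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 ip4:216.239.32.0/19 ip4:74.125.0.0/16 ?all",
    "hotmail.com": "v=spf1 include:spf-a.hotmail.com ~all",
    "spf-a.hotmail.com": "v=spf1 ip4:209.240.192.0/19 ip4:65.52.0.0/14 ~all",
}
A_RECORDS = {"fool.com": ["64.94.26.1"]}                   # A-record from the post
MX_RECORDS = {"fool.com": ["74.8.50.182", "74.8.50.183"]}  # MX-records from the post
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """SPF result for a connecting ip that claims to send mail as domain."""
    record = DNS.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"  # no record (the Yahoo case) or a runaway include chain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("redirect="):  # the target's record replaces this one
            return check_host(ip, term.split("=", 1)[1], depth + 1)
        qual = term[0] if term[0] in QUALIFIERS else "+"  # default qualifier is Pass
        mech, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain  # bare "a" / "mx" refer to the domain being checked
        if mech == "all":
            matched = True
        elif mech == "ip4":  # a bare address is treated as a /32
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in A_RECORDS.get(target, [])
        elif mech == "mx":
            matched = ip in MX_RECORDS.get(target, [])
        elif mech == "include":  # matches only if the included record returns Pass
            matched = check_host(ip, target, depth + 1) == "pass"
        else:
            continue  # mechanisms this toy does not implement (ip6, ptr, exists)
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # ran off the end of the record without an "all" term

def cidr_range(prefix):
    """First and last address an ip4:<prefix> mechanism covers."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net[0]), str(net[-1])
```

Running check_host("1.2.3.4", d) for each of the five domains gives fail, softfail, none, neutral and softfail respectively, which is the same reading as the walk-through above.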