To verify the SPF Auth Result, you would typically follow these steps:
- Check the Source IP Address: The first step in SPF verification is to check the source IP address of the email. This is the IP address from which the email was sent.
  - The source IP address is the address of the computer or device that sent the email. To get the source IP address from an email header, you need to look at the information that is added by each mail server that handles the email along the way. This information is called the Received header and it usually contains the IP address and the hostname of the mail server.
  - However, the Received header can be spoofed or faked by the sender, so you cannot trust the last or the bottom one in the email header. Instead, you need to start from the top or the first one and trace the path of the email until you find the IP address that matches the domain name of the sender. This is the most likely source IP address of the email.
  - To find the email header, you need to open the email in your mail account and look for the option to view the original or the full message. The email header is the part of the email that contains information such as the From, To, Subject, Date, and other technical details. The format and location of the email header may vary depending on your mail account and your email program.
- Query the DNS for the SPF Record: The next step is to query the DNS (Domain Name System) for the SPF record of the domain specified in the RFC5321.MailFrom domain. The SPF record is a type of DNS record that specifies which IP addresses are authorized to send email on behalf of the domain.
  - How to get RFC5321.MailFrom from Email Header? – The RFC5321.MailFrom is the address that is used in the SMTP protocol to identify the sender of the email. It is also called the envelope sender or the return path. To get the RFC5321.MailFrom from an email header, you need to look for the Return-Path header, which is usually the first or the last one in the email header. The Return-Path header contains the RFC5321.MailFrom address in angle brackets, such as <user@example.com>.
  - How to get IP address from SPF records? – To get the IP address from SPF records, you need to look at the SPF TXT record for the domain name in the DNS. The SPF TXT record may contain one or more of the following elements:
    - ip4: followed by an IPv4 address or a range of addresses in CIDR notation, such as ip4:192.0.2.6 or ip4:192.0.2.0/24.
    - ip6: followed by an IPv6 address or a range of addresses in CIDR notation, such as ip6:2001:db8:1234:abcd::6 or ip6:2001:db8:1234:abcd::/64.
    - include: followed by another domain name that has its own SPF TXT record, such as include:spf.protection.outlook.com. You need to look up the SPF TXT record for the included domain name to get the IP addresses from it.
    - a: followed by a domain name or a subdomain name that has an A or AAAA record in the DNS, such as a:example.com or a:mail.example.com. You need to look up the A or AAAA record for the domain name or the subdomain name to get the IP address from it.
- Compare the Source IP Address with the SPF Record: Once you have the SPF record, you compare the source IP address of the email with the IP addresses listed in the SPF record. If the source IP address is listed in the SPF record, then the email passes the SPF check. If it’s not listed, then the email fails the SPF check.
- Check the Hostname and Sender: The hostname and sender are typically used for additional verification.
  - Check if the Hostname matches the domain or subdomain specified in the SPF TXT record. If not, the SPF authentication fails. The hostname is the name of the computer or device that sent or received the email.
    - To get the hostname from the email header, you need to look at the information that is added by each mail server that handles the email along the way. This information is called the Received header and it usually contains the hostname and the IP address of the mail server.
    - However, the Received header can be spoofed or faked by the sender, so you cannot trust the last or the bottom one in the email header. Instead, you need to start from the top or the first one and trace the path of the email until you find the hostname that matches the domain name of the sender. This is the most likely hostname of the email.
  - Check if the Sender matches the RFC5321.MailFrom domain or subdomain. This is called the Identifier Alignment. If not, the SPF authentication fails.
    - The sender is the address that is shown in the email’s From field. To get the sender from an email header, you need to look for the From header, which is usually near the top of the email header. The From header contains the sender’s address and sometimes the sender’s name, such as “Alice <alice@example.com>” or “Bob Smith <bob.smith@example.com>”.
Remember, SPF is just one part of email authentication. Even if an email passes the SPF check, it could still fail other checks, like DKIM or DMARC.
Check the qualifier at the end of the SPF TXT record. It can be one of these four values: + (pass), ? (neutral), ~ (softfail), or - (fail). This indicates the policy of the domain owner for the SPF authentication result. For example, if the qualifier is -, it means that the domain owner wants to reject any email that does not pass the SPF authentication.
If the SPF authentication passes all the checks, the result is Pass. Otherwise, the result is Fail, Softfail, or Neutral, depending on the qualifier.
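The lookup-and-compare steps and the qualifier handling above, as an added example that is not part of the original page: it reads the source IP from the topmost Received header and the domain from Return-Path, then walks the SPF record left to right. The `TXT` and `ADDR` tables are constructed stand-ins for DNS, the function names `check_host` and `spf_result` are hypothetical, and only the four mechanisms listed above plus `all` are handled.

```python
import ipaddress, re
from email import message_from_string
from email.utils import parseaddr
# Constructed stand-ins for DNS so the example runs offline (not real records).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net a:mail.example.com -all",
    "_spf.example.net": "v=spf1 ip6:2001:db8:1234:abcd::/64 ~all",
}
ADDR = {"mail.example.com": ["198.51.100.25"]}  # constructed A records
RESULT = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}

def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` against `ip`, term by term, left to right."""
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # simplified guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"  # no qualifier means "+"
        name, _, arg = term.lstrip("+?~-").partition(":")
        if name in ("ip4", "ip6"):
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hit = any(addr == ipaddress.ip_address(a) for a in ADDR.get(arg or domain, []))
        elif name == "include":  # matches only if the included record yields pass
            hit = check_host(ip, arg, depth + 1) == "pass"
        elif name == "all":
            hit = True
        else:
            continue  # other terms (mx, exists, redirect=...) are not handled here
        if hit:
            return RESULT[qual]
    return "neutral"  # nothing matched and the record has no "all" term

def spf_result(raw_message):
    """Return (source_ip, mail_from_domain, result); only the topmost Received is used."""
    msg = message_from_string(raw_message)
    ip = re.search(r"\[([0-9A-Fa-f:.]+)\]", msg.get_all("Received")[0]).group(1)
    domain = parseaddr(msg["Return-Path"])[1].rpartition("@")[2]
    return ip, domain, check_host(ip, domain)

SAMPLE = (  # constructed message; the lower Received line is sender-supplied
    "Return-Path: <alice@example.com>\n"
    "Received: from mail.example.com (mail.example.com [192.0.2.6])\n"
    " by mx.receiver.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from localhost (unknown [203.0.113.9]) by mail.example.com\n"
    "From: Alice <alice@example.com>\n\nbody\n")
```

The first matching term decides the result, so the `-all` at the end applies only to addresses that no earlier mechanism matched.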