SPF Records

Sender Policy Framework (SPF) records allow domain owners to specify which hosts are permitted to send email on behalf of their domains. Normal SMTP allows any computer to send an email claiming to be from anyone. Thus, it's easy for spammers to send emails with forged From: addresses. SPF allows a domain owner to use a special format of DNS TXT records to specify which machines/hosts are authorized to transmit email for their domain, making it difficult to forge From: addresses.

How are SPF records used?

A domain's SPF records are used by other servers in 2 ways.

What does the wisc.edu SPF record say?

The Office 365 team has published a basic set of unrestricted SPF records. You can look them up by querying the TXT record for the domain. For example:

  > dig +short TXT wisc.edu
  "v=spf1 redirect=_spf.wiscmail.wisc.edu"

This SPF record tells other servers to reference the SPF records in the "_spf.wiscmail.wisc.edu" domain. They look like this:

  > dig +short TXT _spf.wiscmail.wisc.edu
  "v=spf1 ip4:144.92.197.128/25 ?all"

This record tells other servers that any server in the IP range of 144.92.197.128/25 is allowed to send for the domain. The "?all" mechanism at the end means that all other servers should be allowed to send mail on behalf of the domain as if there were no SPF records published at all.

Do I have to worry about mail from my server being rejected?

As you can see, the SPF records for the wisc.edu domain are not restrictive. If mail with a From: address of @wisc.edu is sent through UW-Madison's central mail servers, either via Office 365, smtpauth.wiscmail.wisc.edu, smtp.wiscmail.wisc.edu or relay.mail.wisc.edu, an SPF check should return a PASS response. However, if you are running a server that is sending mail using From: addresses in the @wisc.edu domain, but the server is not explicitly listed in the SPF record, an SPF check will result in a neutral return. It is unusual for a receiving system to reject mail solely based on a neutral SPF return value.
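
The PASS and neutral outcomes described above can be reproduced with a small evaluator. This is an added example, not code from UW-Madison or from any SPF library; it handles only the ip4, all and redirect terms that appear in the records on this page, and it reads those records from an embedded table (the TXT name and the check_spf function are assumptions of the example) instead of querying DNS.

```python
import ipaddress

# TXT records as shown on this page, embedded so the example runs offline.
# A real checker would look these up in DNS.
TXT = {
    "wisc.edu": "v=spf1 redirect=_spf.wiscmail.wisc.edu",
    "_spf.wiscmail.wisc.edu": "v=spf1 ip4:144.92.197.128/25 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=TXT, depth=0):
    """Evaluate the ip4/all/redirect subset of SPF for one connecting IP."""
    if depth > 10:                        # stop redirect loops
        return "permerror"
    terms = (records.get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in terms[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]  # consulted only if nothing matches
            continue
        qualifier = "+"                   # a bare mechanism means Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]  # matches every sender
        if not term.startswith("ip4:"):
            return "permerror"            # outside this example's subset
        try:
            net = ipaddress.ip_network(term[4:], strict=False)
        except ValueError:
            return "permerror"            # malformed network in the record
        if ip in net:
            return QUALIFIERS[qualifier]
    if redirect:
        result = check_spf(redirect, client_ip, records, depth + 1)
        # A redirect target with no SPF record is an error, not "none".
        return "permerror" if result == "none" else result
    return "neutral"                      # default when no term matched


if __name__ == "__main__":
    for addr in ("144.92.197.200", "144.92.197.127", "198.51.100.7"):
        print(addr, check_spf("wisc.edu", addr))
```
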

SPF records for UW-Madison Office 365 hosted domains

If your domain is hosted by Office 365, we encourage you to publish SPF records that reference the _spf.wiscmail.wisc.edu SPF record. You can either:

Be aware that specifying -all (Fail) instead of ~all (SoftFail) or ?all (Neutral) may result in delivery problems.

Where can I get more information?

For more information about SPF record syntax: http://www.openspf.org/SPF_Record_Syntax

If you are an Office 365 domain administrator and you would like assistance reviewing the SPF record for your domain, please contact wmplusadmins@doit.wisc.edu.