You may have come across an SPF record warning saying "The DNS record type 99 (SPF) has been deprecated". This appears because the record type was discontinued in 2014. This blog post explains why it happened and what to do about it.
The Announcement of the Deprecation of DNS Record Type 99 (SPF)
The rules for assigning new DNS record types were stricter when SPF was first developed, and that led to the creation of the dedicated DNS record type 99 (SPF). However, this record type was deprecated in April 2014 by RFC7208.
Presently, all SPF records should be published as a DNS TXT (type 16) Resource Record only.
The Reasons Behind “SPF Record Deprecated”
As per RFC7208 section 3.1, the rules for assigning new DNS RR types were stricter during SPF's early development than they are today. However, DNS servers and provisioning systems did not support the new RR type well, and that poor deployment led to its obsolescence.
The developers concluded that it was more practical to use the TXT RR type for SPF, and the DNS record type 99 (SPF) has been deprecated since then.
The Impact of the Deprecation on Existing SPF Implementations
Alternatives to SPF for Email Authentication
Sender Policy Framework (SPF) helps email providers verify whether a mail server is authorized to send email for a particular domain. Its alternatives are DKIM and DMARC; uptime monitoring services help too.
- DKIM authenticates email using cryptography: a digital signature is added to the message header to verify the sender's legitimacy. Every DKIM signature carries the information the recipient's server needs to run its verification checks.
The sender's mail server holds a private DKIM key, which pairs with the public DKIM key published in DNS. The DKIM selector tells the receiver where to look for that public key; once found, the key is used to verify the DKIM signature.
The computed and signed values are compared. If they match, DKIM passes.
- DMARC instructs the receiver’s server on how to deal with emails failing SPF and/or DKIM checks. You can choose to set the DMARC policy to none (no action is taken against failed emails), quarantine (failed emails are marked as spam), or reject (failed emails don’t enter the mailbox at all).
Once you have configured DMARC properly for your domain, you will start receiving reports that you should monitor to detect suspicious activity.
- Uptime monitoring is an automated way of informing the responsible team when a website goes down during an outage. The same approach applies to email authentication: the monitor checks your records at 1-minute intervals, 24/7. Authentication record uptime is the time during which a record is correctly configured and up to date. The uptime monitor verifies the correctness of the email authentication records and notifies the responsible team if it detects any issues or discrepancies.
Updating SPF Configurations to Align with the Deprecation of DNS Record Type 99
If you are seeing the "DNS record type 99 (SPF) has been deprecated" warning, open your DNS console and select the domain that owns the SPF record. Copy the record's value and create a new record with TXT as the record type.
How to Create and Publish an SPF TXT Record?
Safeguard your business reputation by following these steps to create and publish an SPF TXT record:
Step 1: Make a List
The first step of SPF implementation is listing all the IP addresses permitted to send email using your domain. This includes the IP addresses of local networks and devices belonging to your team members, board members, and third-party vendors allowed to send email on your behalf. Also include your ESPs and in-office mail servers.
Step 2: Create your SPF Record
Once you have gathered the list, create your SPF record as follows.
- Specify the version using the v tag. Currently, there’s only one version, so you should start with v=spf1.
- Follow the version tag with all the IP addresses from the list you created. Example: v=spf1 ip4:123.23.456
- After adding all the include tags and IP addresses, end your record with a ~all, -all, or ?all tag. The -all tag denotes a hard fail, whereas the ~all tag indicates a soft fail.
Step 3: Publish the Record to DNS
Your DNS manager is responsible for publishing the SPF record. This may be an internal role, or you can raise a request for your DNS provider to do it for you.
Once you have published it, check it with PowerDMARC's free SPF record checker to confirm the record is error-free.
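As an added example (not part of the original post or of any PowerDMARC tool), the following Python script performs the checks the procedure above implies: it flags a policy that still lives only in a deprecated type 99 (SPF) record, requires exactly one v=spf1 TXT record, and validates the ip4/ip6 addresses, the include arguments and the terminating all mechanism of each record. The DNS answers for the three domains are constructed inline so it runs offline; a real deployment would replace SAMPLE_ZONES with actual TXT and SPF lookups.

```python
import ipaddress
import re

# Constructed sample DNS answers for three hypothetical domains (no real lookups).
# Each maps a record type ("SPF" = type 99, "TXT" = type 16) to its record strings.
SAMPLE_ZONES = {
    "legacy.example": {"SPF": ["v=spf1 ip4:192.0.2.10 -all"], "TXT": []},
    "broken.example": {"SPF": [], "TXT": ["v=spf1 ip4:123.23.456 include:_spf.example.net"]},
    "good.example": {"SPF": [], "TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"]},
}

# qualifier, mechanism name, optional argument after ':' (or '/' for the a/mx CIDR forms)
MECHANISM_RE = re.compile(r"^([+\-~?]?)(all|ip4|ip6|a|mx|include|exists|ptr)(?:[:/](.+))?$", re.I)


def check_record(record):
    """Syntax checks for one v=spf1 string; returns a list of findings (empty = OK)."""
    findings = []
    terms = record.split()[1:]  # drop the "v=spf1" version tag
    if not terms or terms[-1].lstrip("+-~?").lower() != "all":
        findings.append("record does not end with an all mechanism (~all, -all or ?all)")
    for term in terms:
        if "=" in term:  # modifiers such as redirect= and exp= are not checked here
            continue
        m = MECHANISM_RE.match(term)
        if not m:
            findings.append(f"{term}: unknown mechanism")
            continue
        name, arg = m.group(2).lower(), m.group(3)
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg or "", strict=False)
                if net.version != int(name[2]):
                    findings.append(f"{term}: address family does not match mechanism")
            except ValueError:
                findings.append(f"{term}: not a valid IP address or CIDR block")
        elif name in ("include", "exists") and not arg:
            findings.append(f"{term}: mechanism requires a domain argument")
    return findings


def check_spf(zone):
    """Check how a zone publishes its SPF policy and validate each v=spf1 TXT record."""
    findings = []
    spf_records = [r for r in zone["TXT"] if r.lower().startswith("v=spf1")]
    # RFC 7208 section 3.1: type 99 is deprecated; receivers evaluate only the TXT record.
    if zone["SPF"] and not spf_records:
        findings.append("policy exists only as a deprecated type 99 (SPF) record; republish it as TXT")
    if len(spf_records) > 1:  # RFC 7208 allows exactly one v=spf1 TXT record per name
        findings.append("multiple v=spf1 TXT records published; exactly one is allowed")
    for record in spf_records:
        findings.extend(check_record(record))
    return findings
```

Running check_spf over each entry of SAMPLE_ZONES reports the type 99 problem for legacy.example, the malformed address and missing all mechanism for broken.example, and nothing for good.example.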