SPF macros are an effective and important Sender Policy Framework feature that is used when domain owners demand a more dynamic and scalable SPF record for authenticating their email domains. The SPF macros feature is a part of the SPF record syntax, defining character sequences that get replaced by metadata from individual emails requiring SPF validation. This in turn helps create simplified SPF records, avoiding the generation of long and complicated SPF records.
We at PowerDMARC designed our critically acclaimed SPF management solution – PowerSPF in a way that makes use of SPF Flattening and SPF Macros technologies to offer extensive flexibility with regard to SPF authentication and record optimization. Over the years PowerSPF has become a customer favourite due to its sheer ease of use and effectiveness.
To learn more, you can visit the official IETF document.
SPF Macros Explained
SPF macros are character sequences that can be used to simplify your SPF record configuration by replacing mechanisms defined within the said SPF DNS TXT record, as explained under RFC 7208, section 7.
SPF records are mostly simple, and instructions for the recipients’ servers regarding the treatment of illegitimate emails coming from your domain can be laid down using SPF mechanisms, qualifiers, and modifiers. However, there are certain situations where SPF mechanisms don’t suffice and SPF macros have to be brought into the picture.
SPF macros are represented by a percent sign (%) and include a combination of two or more letters, modifiers, and delimiters. During the SPF authentication process, the SPF macros are evaluated and replaced with their corresponding values as explained in
For example, the %s and %d denote the sender’s address and domain name linked with the checked identity, respectively.
Modifiers like r,l, or o are applied to extract particular elements of the address or domain, and delimiters like – or . help separate different elements within the macro.
Types of SPF Macros
SPF macros are denoted by different single alphabets or characters that are enclosed by curly braces { } and prepended by a percent (%) sign, that refers to specific mechanisms within your SPF record. Here are the core macros.
- %{s}: The “s” Macro represents the sender’s email address. Example- [email protected].
- %{l}: It’s used to denote the local part of the sender. Example- Mark.
- %{o}: This highlights the sender’s domain. Example: domain.com.
- %{d}: Similar to “o”, this Macro represents the authoritative sending domain. In most cases it is the same as the sender’s domain however, it may differ in some cases.
- %{i}: It’s used to extract the IP address of the sender of the message, e.g. 192.168.1.100
- %{h}: The hostname specified by the HELO or EHLO command used during the SMTP connection when the message is being sent is referred to by the %{h} macro.
There are many more Macros that can be specified in your record, however, we listed some common ones.
How do SPF Macros Work?
With SPF macros, domain owners can specify references to certain mechanisms within their SPF record, thereby replacing these mechanisms. During a DNS query by the receiving MTA, the references are then used to extract the mechanisms and expand your record helping create more manageable and adaptable SPF records.
Given below is an example of Macros used in an SPF record-
“v=spf1 include:%{i}_.%{d}._spf.powerdmarc.com ~all”
- Here, the include: mechanism contains the SPF macros.
- There are two SPF macros, each represented by a character sequence of percent sign, left curly brace, macro letter, and the right curly brace. In the above example, %{i} denotes the sender’s IP address, and %{d} represents the sender domain from the ‘MAIL FROM’ command.
- Considering 192.168.1.100 IP to be the IP address of the sending domain, when an email is sent from this IP the receiving server initiates a DNS query to look up the domain’s SPF DNS record
- Once the receiver looks up the sending domain’s SPF record, it comes across SPF macros which are then subsequently substituted with their corresponding values.
- This expanded SPF record is then examined to determine whether or not the email manages to pass SPF validation, or fails the check.
When are Macros Used in Your SPF Record?
SPF macros can be used in a range of different scenarios depending on the needs of domain owners. They can come in handy if you want to simplify a complex email authentication infrastructure, use several third-party email handling services, or simply want to reduce the size of your SPF record.
Given below are some common cases where SPF macros can prove to be advantageous:
Organizations with a Multi-Domain Infrastructure
Enterprise-level organizations operating multiple domains are best-suited users for SPF macros, although they can be used by organizations of all sizes. Macros provide substantially more flexibility and effective optimization of SPF records in comparison to traditional flattening methods, to ensure that SPF functions seamlessly in even multi-domain environments. This also eliminates the need for you to create multiple SPF records.
Large Email Infrastructures
Companies with complicated email infrastructures may need to incorporate a number of SPF mechanisms, best optimized using SPF macros. These macros will provide a way to define references to mechanisms, ensuring that the record doesn’t get too long and stays under the RFC-specified length of 512 octets.
Third-Party Services
Organizations using several third-party email vendors can now rest easy knowing that SPF won’t break, thanks to the inclusion of SPF macros that facilitate easy optimization of third-party includes while also ensuring your record doesn’t exceed the permitted limits for DNS and void lookups.
Organizations Resolve SPF Challenges with SPF Macros
You can include multiple SPF macros in a record and get rid of common issues highlighted during SPF inspections done manually or using an SPF checker. Here’s what you can potentially do:
1. Prevent Long SPF Records That Cause Temperror
When your SPF record has multiple include: statements, it can prevent your record from getting too long. However, this is not a permanent solution. By using SPF macros in your domain’s SPF setup, you eliminate the chances of your record exceeding the length limit specified by RFC for DNS TXT records (512 characters).
2. Limit DNS and Void Lookups and Mitigate Permerror
Organizations using multiple third-party sending sources and email vendors are prone to exceeding RFC-specified lookup limitations for DNS queries. This is because every vendor adds at least 1 or multiple lookups. This can pile on and cause your SPF record to break, resulting in SPF permerror.
By using SPF Macros to add references to IP addresses or domains of these external vendors you can limit unauthorized sources while ensuring that you stay under the lookup limits.
Take Advantage of Macros in Your SPF Setup with PowerSPF
SPF Macros have been extensively supported by MTAs to enable dynamism and scalability in terms of SPF authentication, record creation, and management. PowerSPF integrates SPF Macros seamlessly so that our clients can generate SPF records with enhanced flexibility.
Why is Flattening Your SPF Record Not Enough?
The traditional SPF flattening method proves to be effective in most cases involving small to medium-sized organizations with simpler setups and less number of SPF mechanisms. However, things may get progressively tougher when mechanisms increase, leading to the following unfavorable situations:
- The number of DNS lookups can be up to 10
- The length of the last DNS record might exceed 512 characters (Maximum allowed size for TXT DNS record)
- Authorized IPs and sending sources are publicly visible, raising privacy concerns
SPF Macros – A Better Approach
Built keeping enterprises with complex SPF setups in mind, yet equally effective for small and medium-sized organizations as well – Macros in SPF help you optimize and manage your records more efficiently in comparison to the typical flattening approach. Here’s how:
- Macros in SPF limit your DNS and void lookups to stay under the maximum limits of 10 and 2 respectively
- It maintains the character length of your record, ensuring it doesn’t spill over the limit of 512 characters
- Authorized IPs and sending sources are replaced by character references, hiding them from the public eye
SPF Flattening vs SPF Macros
Initial SPF record (5 lookups) | SPF Macros (1 lookup) | SPF Flattening (2 lookups) |
v=spf1 include:_spf.google.com include:zcsend.net -all | v=spf1 exists:%{i}.abcde12345.macrospf.powerspf.com -all | abcde12345.powerspf.com: v=spf1 ip6:2c0f:fb50:4000::/36 ip6:2a00:1450:4000::/36 ip6:2800:3f0:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2404:6800:4000::/36 ip6:2001:4860:4000::/36 ip4:74.125.0.0/16 ip4:35.191.0.0/16 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:72.14.192.0/18 ip4:64.233.160.0/19 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ip4:172.217.192.0/19 ip4:172.217.128.0/19 ip4:172.217.0.0/19 ip4:108.177.96.0/19 ip4:66.249.80.0/20 ip4:66.102.0.0/20 ip4:172.253.112.0/20 ip4:172.217.32.0/20 include:_s1.abcde12345.powerspf.com -all _s1.abcde12345.powerspf.com: v=spf1 ip4:172.217.160.0/20 ip4:172.253.56.0/21 ip4:108.177.8.0/21 ip4:130.211.0.0/22 ip4:136.143.160.0/23 ip4:135.84.82.0/23 ip4:35.190.247.0/24 ip4:165.173.128.0/24 ip4:135.84.81.0/24 -all |
Try our SPF solutions today – contact us for a one-on-one demo with an experienced domain and email security expert!
- Email Phishing and DMARC Statistics - November 22, 2024
- DMARC Compliance and Requirements - November 21, 2024
- What Is DMARC Policy? None, Quarantine And Reject - September 15, 2024