SPF and SOHO privacy

SPF (Sender Policy Framework) is cool stuff and when implemented properly helps vanity domain owners play on par with big email service providers, like gmail.

However, in its basic form it presents privacy concerns for small offices operating out of their homes, or any other small mail senders.

The problem is that anyone on the Internet can look up a list of IP addresses allowed to send mail for a given domain. Some users may feel uneasy having their home IP address known to everybody.

Here is how this issue can be resolved while still reaping full benefits of SPF.

I’ll take 123unix.com domain SPF setup for an example.

Normally, outbound email for 123unix.com is served by my main hosting provider, which happens to be DreamHost at the moment.

And, normally, DreamHost does not publish SPF records for its customers. Still, DreamHost has recommendations about adding such a record on a per-domain basis.

If I’d like to implement basic SPF for 123unix.com I would add this custom DNS record:

123unix.com. TXT "v=spf1 include:netblocks.dreamhost.com ~all"

Now, I’d like to add another “allowed” sender for 123unix.com domain – my home server. Suppose it has IP address of and the hostname of homeserver.123unix.com
The record would look like either:

123unix.com. TXT "v=spf1 include:netblocks.dreamhost.com a:homeserver.123unix.com ~all"


123unix.com. TXT "v=spf1 include:netblocks.dreamhost.com ip4: ~all"

In either case I have my home IP address advertised to the world which is the concern of this article.

Here the advanced magic of macro expansion in SPF comes to the rescue!

Instead of adding one DNS record, two will need to be added:

123unix.com. TXT "v=spf1 include:netblocks.dreamhost.com exists:%{i}.allowed-senders.123unix.com ~all" A

The first record rules that in addition to the list of dreamhost.com’s netblocks list, the sender’s IP address (%{i}) should also be checked against the domain’s own DNS database. Usually this technique is used to check the opposite – if the sender is in some sort of a blacklist, with the qualifier of “-“, like this: exists:%{ir}.sbl.spamhaus.example.org, but a positive test (with the implicit qualifier of “+”) can be useful sometimes too.

The second record specified the entry for the domain’s own DNS database to match home IP address. The result for the A-type DNS record lookup can be anything, it just needs to exist.

Bingo! This way, one cannot get the complete list of allowed senders for the domain, they can only test if a given address is in the list, thus preserving privacy of a small email sender.