Ever Wondered Which Domains Include Your SPF Record?
If you're a SaaS vendor, email service provider, or any organisation whose domain gets included in other companies' SPF records, you've likely asked yourself: "Who exactly is pointing their SPF records at my domain?"
SPF (Sender Policy Framework) allows domain owners to publish a list of IP addresses or subnets authorised to send email on their behalf. When another organisation adds your domain via an include: mechanism, they're essentially trusting your infrastructure to send mail as them. But there's no built-in way to discover the reverse — who's trusting you.
Until now.
The Problem: No Reverse Visibility
Imagine you're vendora.example.com, a company that sends transactional email on behalf of clients. Your clients — let's say example.org — add something like this to their SPF record:
v=spf1 include:vendora.example.com ~all
When someone receives an email from example.org, their mail server checks this record to verify whether the sending server is allowed to act on their behalf. The receiving server follows the include: chain, eventually looking up vendora.example.com's SPF record to check the sending IP.
But as vendora.example.com, you have no native way to see which domains have included you. You might know your customers from your own records, but what about:
- Former customers who never cleaned up their DNS?
- Unauthorised parties referencing your domain?
- Domains you didn't even know about?
The Solution: SPF Macros + spf.guru
SPF records support macros — dynamic placeholders that get expanded at query time by the receiving mail server. Two macros are key here:
| Macro | Meaning |
|---|---|
| %{ir} | The reverse IP address of the connecting (sending) mail server |
| %{o} | The original domain from the SMTP MAIL FROM (envelope sender) |
By cleverly embedding these macros into your SPF record and pointing them at a logging service like spf.guru, you can capture who's including your domain in real time.
How It Works: Step by Step
1 Add the macro to your domain's SPF record
If your domain is vendora.example.com, update your SPF record to include the spf.guru macro:
v=spf1 include:i.%{ir}._d.%{o}.my.spf.guru ~all
(You can add your other mechanisms alongside it, of course.)
2 A client includes your domain
Your client, example.org, has the following in their SPF record:
v=spf1 include:vendora.example.com ~all
3 An email is sent from example.org
When a mail server at IP 203.0.113.42 sends an email with a MAIL FROM of user@example.org, the receiving server performs an SPF check. It:
- Looks up the SPF record for example.org
- Sees include:vendora.example.com
- Looks up the SPF record for vendora.example.com
- Finds the macro include:i.%{ir}._d.%{o}.my.spf.guru
- Expands the macros at query time: %{ir} becomes 42.113.0.203 (the reversed IP) and %{o} becomes example.org (the original envelope sender domain)
- Performs a DNS lookup for i.42.113.0.203._d.example.org.my.spf.guru
4 spf.guru logs the query
The DNS query hits spf.guru's nameservers, which log the request. Now you have a record showing:
- The sending IP (from %{ir}): 203.0.113.42
- The original domain (from %{o}): example.org
- Pass/Fail result
5 View your results
Visit https://spf.guru to see all logged results, giving you a clear picture of which domains are including your SPF record and which IPs are sending on their behalf.
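As an added example (not code from this post or from spf.guru), the following Python expands the RFC 7208 macros used in the steps above and then recovers the sending IP and envelope domain from a logged name of the form i.<reversed-ip>._d.<domain>.my.spf.guru. It goes slightly beyond the walkthrough by also handling the digit and "r" transformers and IPv6 (32 dotted nibbles); the `domain` argument and the nibble decoding are assumptions for the demo, and spf.guru's own log format may differ.

```python
import ipaddress
import re

# Constructed for this post, not spf.guru's code: expand the macros used above
# and parse the resulting query name back into (sending IP, envelope domain).
MACRO_RE = re.compile(r"%\{([slodiv])(\d*)(r?)([.\-+,/_=]*)\}")

def _macro_value(letter, ip, sender, domain):
    """Raw value of one macro letter (RFC 7208 section 7.3) before transformers."""
    local, _, sender_domain = sender.rpartition("@")
    values = {
        "s": sender,
        "l": local or "postmaster",
        "o": sender_domain,            # envelope-sender domain, e.g. example.org
        "d": domain,                   # domain whose record is being evaluated
        "v": "in-addr" if ip.version == 4 else "ip6",
        # dotted IPv4, or the 32 IPv6 nibbles separated by dots
        "i": str(ip) if ip.version == 4 else ".".join(ip.exploded.replace(":", "")),
    }
    return values[letter]

def expand_macros(record, ip, sender, domain):
    """Expand macros in `record` for connecting IP `ip` and MAIL FROM `sender`."""
    addr = ipaddress.ip_address(ip)

    def sub(match):
        letter, digits, reverse, delims = match.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]",
                         _macro_value(letter, addr, sender, domain))
        if reverse:                    # the "r" transformer reverses the labels
            parts.reverse()
        if digits:                     # a count keeps only the rightmost N labels
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(sub, record)

QUERY_RE = re.compile(r"^i\.(?P<rev_ip>.+?)\._d\.(?P<domain>.+?)\.my\.spf\.guru\.?$")

def parse_logged_name(name):
    """Turn a logged query name back into (sending IP, envelope domain), or None."""
    match = QUERY_RE.match(name)
    if not match:
        return None
    labels = match["rev_ip"].split(".")[::-1]       # undo the %{ir} reversal
    if len(labels) == 4:
        ip = ".".join(labels)
    else:                                           # 32 nibbles -> 8 hextets
        hexstr = "".join(labels)
        ip = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
    return str(ipaddress.ip_address(ip)), match["domain"]
```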
Why This Matters
This approach gives you powerful visibility:
- 🔎 Discover unknown includers — Find domains referencing your SPF record that you didn't know about.
- 🧹 Identify stale references — Spot former clients who still have your domain in their SPF records.
- 🛡️ Security monitoring — Detect unauthorised use of your sending infrastructure.
- 📊 Audit your footprint — Understand the full scope of your email sending reputation impact.
Important Considerations
- ⚠️ DNS Lookup Limits: SPF records are limited to 10 DNS lookups per evaluation. The spf.guru macro adds to this count, so make sure your clients' SPF records (and your own) don't exceed this limit.
- ℹ️ Macro Support: While SPF macros are part of the RFC 7208 specification, not all receiving mail servers fully support macro expansion. In practice, most major providers do.
- Privacy: Be mindful that you're logging sending IPs and domain names. Make sure this aligns with your privacy policies.
- Response behaviour: The spf.guru service will respond to DNS queries in a way that doesn't break your SPF evaluation — check their documentation for details on pass/fail behaviour.
Quick Setup Checklist
- ✅ Visit https://spf.guru (no need to set up an account)
- ✅ Add include:i.%{ir}._d.%{o}.my.spf.guru to your domain's SPF record
- ✅ Keep your existing SPF mechanisms (IP addresses, other includes, etc.)
- ✅ Verify the record with an SPF checker tool
- ✅ Monitor the spf.guru dashboard for incoming data
Wrapping Up
SPF macros are an underutilised but powerful feature of the SPF specification. By combining them with a logging service like spf.guru, you gain reverse visibility into your SPF ecosystem — something that's traditionally been a blind spot for email infrastructure teams.
If you're a vendor or service provider whose domain appears in other organisations' SPF records, this simple addition to your DNS can unlock invaluable insights into who's relying on your sending infrastructure.