FreshBooks now supports SPF
Over the last year or so we’ve had conversations with our users in which we’ve heard a need to make FreshBooks work with the SPF mail authentication protocol. SPF, or Sender Policy Framework, is a way to publish the list of mail servers that are permitted to originate mail for a domain. The idea behind SPF is that if a spammer or malicious person forges your domain (a joe-job), the recipients can detect that the messages were forged and reject the mail, saving you from having to receive all the bounces, complaints, and retribution that you’d otherwise get.
Since FreshBooks sends mail on our users’ behalf, from their domains, until now any FreshBooks users who wanted to use SPF have had to list our mail servers’ IP addresses in their list of allowed mail servers, or permit all mail servers to send mail. Neither of those situations is ideal, especially after last weekend’s server move, in which the address from which we send mail changed! And there’s always the chance that it could change again in future.
To address this problem, SPF allows you to include the contents of someone else’s record in your own with the include: directive, essentially saying “we trust this other organization’s list of mail servers”, and FreshBooks is now publishing an SPF record which you can include in your own.
To use it, add
include:_spf.freshbooks.com
to your SPF record (and remove any of a:server1.freshbooks.com, ip4:72.32.48.26, and ip4:72.3.208.114 that you might already have there).
With that, you’ve told anyone checking your SPF record that you trust FreshBooks’ own list of our mail servers, which we’ll always keep up to date with all of the hosts from which your mail may originate, and your customers who check your SPF record will know that mail FreshBooks sends on your behalf is legitimate.
We hope this will make it easier to use SPF with FreshBooks!
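The record change described in this post, as an added example (not FreshBooks' own code): a small Python helper that removes the three legacy entries named above, inserts include:_spf.freshbooks.com ahead of the `all` mechanism, and flags mechanisms placed after `all`, which are never evaluated. The function names and the sample records are constructed for illustration.

```python
import re

FRESHBOOKS_INCLUDE = "include:_spf.freshbooks.com"
# Mechanisms the post says to remove once the include is in place.
LEGACY = {"a:server1.freshbooks.com", "ip4:72.32.48.26", "ip4:72.3.208.114"}
ALL_RE = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)


def _terms(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    return terms[1:]


def add_freshbooks(record):
    """Drop the legacy FreshBooks entries and add the include before 'all'."""
    body = [t for t in _terms(record) if t.lower().lstrip("+") not in LEGACY]
    if FRESHBOOKS_INCLUDE not in (t.lower().lstrip("+") for t in body):
        # Mechanisms are evaluated left to right, so the include has to sit
        # in front of the catch-all 'all' mechanism (or at the end if none).
        at = next((i for i, t in enumerate(body) if ALL_RE.match(t)), len(body))
        body.insert(at, FRESHBOOKS_INCLUDE)
    return " ".join(["v=spf1"] + body)


def lint(record):
    """Return a list of problems; an empty list means none were found."""
    body = _terms(record)
    problems = []
    all_at = [i for i, t in enumerate(body) if ALL_RE.match(t)]
    if not all_at:
        problems.append("no 'all' mechanism")
    else:
        # Simplification: a term containing '=' is treated as a modifier.
        dead = [t for t in body[all_at[0] + 1:] if "=" not in t]
        if dead:
            problems.append("never evaluated (after 'all'): " + " ".join(dead))
    stale = [t for t in body if t.lower().lstrip("+") in LEGACY]
    if stale:
        problems.append("legacy FreshBooks entries: " + " ".join(stale))
    return problems


if __name__ == "__main__":
    # Constructed sample record; 'mx' stands in for the domain's own servers.
    old = "v=spf1 mx a:server1.freshbooks.com ip4:72.32.48.26 ~all"
    print(add_freshbooks(old))
    print(lint("v=spf1 mx ~all include:_spf.freshbooks.com"))
```

The rewrite deliberately does not move terms that already sit after `all`; it only reports them, because moving them would change how the record evaluates.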










10:07 pm
Just wanted to make sure that the underscore in _spf was supposed to be there.
10:18 pm
Joe: Yep! That’s the standard for “this DNS record only exists as an SPF record for other domains to include”.
The underscore prevents the possibility of colliding with a hostname (since hostnames can’t contain underscores). That’s why they’re used in SRV records, too.
1:14 am
Good info to know! I appreciate the extra effort to explain it, rather than just “yes that’s correct”.
2:04 am
It’s “sender policy framework”.
1:03 pm
Fixed, thanks!
11:24 pm
I don’t understand the working of this. What is the DNS record supposed to look like? I have set up SPF records for two other external mail servers and in both instances I was instructed to create a DNS record of the type TXT and then add the following line: v=spf1 include72smtp.whatever.com ~all. How does this go together with the snippet of code you posted in your blog? Would it be possible to create the TXT record and then add the following for freshbooks.com?
v=spf1 include72spf.freshbooks.com ~all
11:56 am
Hi Henning,
You can add the snippet Rich provided to the end of your existing txt record. So, if your current record said:
v=spf1 include72smtp.whatever.com ~all
You should update it to say:
v=spf1 include72smtp.whatever.com ~all include:_spf.freshbooks.com
Below is a link to the documentation from the SPF project, which explains what each of these directives means.
http://www.openspf.org/SPF_Record_Syntax
11:23 pm
Um, I think Henning’s record should look like this:
v=spf1 include:72smtp.whatever.com include:_spf.freshbooks.com ~all
The ~all should go at the end of the record and multiple include: statements are valid.
See here:
http://old.openspf.org/mechanisms.html and here:
http://www.spamresource.com/2006/09/sender-policy-framework-spf-trick-of.html and here:
http://www.kitterman.com/spf/validate.html
11:38 pm
Here’s another helpful page that discusses using multiple include: mechanisms.
http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html#mech-include
10:26 am
Hello Kevin and Scott. Thank you very much for your help. I did as per Scott’s suggestion, ran a 3rd party validation tool, and it seems to be working very well.