
SPF Macros – Everything You Need to Know

SPF Macros are an effective and important Sender Policy Framework feature that is used when domain owners demand a more dynamic and scalable SPF record for authenticating their email domains. The SPF Macros feature is part of the SPF record syntax, defining character sequences that get replaced by metadata from individual emails requiring SPF validation. This in turn helps create simplified SPF records, avoiding the generation of long and complicated SPF records.

We at PowerDMARC designed our critically acclaimed SPF management solution – PowerSPF in a way that makes use of SPF Flattening and SPF Macros technologies to offer extensive flexibility with regard to SPF authentication and record optimization. Over the years PowerSPF has become a customer favourite due to its sheer ease of use and effectiveness. 

SPF Macros Explained

SPF macros are character sequences that can be used to simplify your SPF record configuration by replacing mechanisms defined within the said SPF DNS TXT record, as explained under RFC 7208, section 7.

SPF records are mostly simple, and instructions for the recipients’ servers regarding the treatment of illegitimate emails coming from your domain can be laid down using SPF mechanisms, qualifiers, and modifiers. However, there are certain situations where SPF mechanisms don’t suffice and SPF macros have to be brought into the picture. 

SPF macros are represented by a percent sign (%) and include a combination of two or more letters, modifiers, and delimiters. During the SPF authentication process, the SPF macros are evaluated and replaced with their corresponding values as explained in 

For example, %{s} and %{d} denote the sender’s address and the domain name linked with the checked identity, respectively.

Modifiers like r, l, or o are applied to extract particular elements of the address or domain, and delimiters like - or . help separate different elements within the macro.

Types of SPF Macros

SPF macros are denoted by different single characters that are enclosed by curly braces {  } and prepended by a percent (%) sign. For example: %{o}. Here are the core macros. 

  • %{s}: This represents the sender’s email address. Example- [email protected].
  • %{l}: It’s used to denote the local part of the sender. Example- Mark.
  • %{o}: This highlights the sender’s domain. Example: domain.com.
  • %{d}: It specifies the authoritative domain of the current SPF policy, which is mostly the sender domain, but may also denote other domains when evaluating include: statements.
  • %{i}: It’s added to an SPF record to specify the source IP address of the message, e.g. 503.0.123.7.
  • %{v}: You can use this SPF macro to add the validated domain name of the IP address included using the %{i} macro.
  • %{h}: It represents the HELO/EHLO domain.

How do SPF Macros Work? 

SPF macros allow domain owners to define variables and references within their SPF record, which are dynamically expanded at the time an email receiver checks the SPF record. This enables you to create more manageable and adaptable SPF records.

Let’s consider the following example-

"v=spf1 include:%{i}_.%{d}._spf.powerdmarc.com ~all"

  • Here, the include: mechanism contains the SPF macros. 
  • There are two SPF macros, each represented by a character sequence of percent sign, left curly brace, macro letter, and the right curly brace. In the above example, %{i} denotes the sender’s IP address, and %{d} represents the sender domain from the ‘MAIL FROM’ command.
  • So, when an email from your domain with the 503.0.123.7 IP address is sent, the server accepts the message and tries to look up the DNS record. 
  • Once the SPF record is extracted, the encountered SPF macros are substituted by the receiving mail server with the appropriate values.
  • The SPF record, with macros replaced by their actual values, is then used to decide whether the incoming email passes or fails SPF validation. 

When are SPF Macros Used?

SPF macros can be used in a range of different scenarios depending on the needs of domain owners. They can come in handy if you want to simplify a complex email authentication infrastructure, use several third-party email handling services, or if you simply want to reduce the size of your SPF record. 

Here are some usual scenarios when it’s advised to include SPF macros in your SPF record:

Multi-Domain Environments

Macro SPF allows a streamlined and adaptable approach by eliminating the need to create multiple SPF records for each domain or subdomain. You can use a combination of mechanisms and macros to merge several records into one.

Large Email Infrastructures

Companies with extensive email infrastructures, utilizing multiple mail servers, may find SPF macros invaluable. These macros provide a way to define rules and conditions that encompass a range of IP addresses or subnets dynamically.

Third-Party Services

Macro SPF facilitates easy inclusion of third parties who send emails on your behalf by ensuring minimal instances of false positives.

Solving Organizational Challenges Using SPF Macros

You can include multiple SPF macros in a record and get rid of common issues highlighted during SPF inspections done manually or using an SPF record lookup tool. Here’s what you can potentially do:

Example 1: Allow Individual IP Addresses by Adding a Single DNS Record for Each

Multiple include: statements are used to prevent an SPF record from getting too long. However, this doesn’t eliminate the problem but only delays it. You can resolve this using the %{i} SPF macro in the global policy and then add an individual DNS record containing all the IP addresses you allow sending messages from. 

Your global policy will appear somewhat like this:

example.com IN TXT "v=spf1 exists:%{i}._spf.example.com -all"

Then, you have to create a DNS record enlisting all the IP addresses. It would look something like this-

405.0.112.1._spf.example.com IN A 127.0.0.2

405.0.112.2._spf.example.com IN A 127.0.0.2

Here, 405.0.112.1 and 405.0.112.2 are allowed IP addresses. 

The exists: mechanism in the global policy allows the sender to be authorized if there is a DNS A record present at the specified address. You can add any value for the A record; it should just be a valid and existing address. However, refrain from using a publicly routable address.

Example 2: Restrict a Third-Party to Send Messages From a Specific Address

Adding third-party sending sources like [email protected] will require you to make certain SPF configurations that will eventually send emails from any email address on their domain. This is potentially dangerous.

Instead, restrict third-party services to send emails from specific addresses only by using the following record-

example.com IN TXT "v=spf1 include:%{l}._spf.domainexample.com -all"

In this, the %{l} macro will be replaced with the local part of the sender’s address. For example: in [email protected], the local part is ‘billing’. So, emails sent from any address other than [email protected] of the domainexample.com domain will not pass the SPF authentication.
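The expansion step described under "How do SPF Macros Work?" and used in Examples 1 and 2, as an added Python example that is not PowerDMARC's code. It goes slightly beyond the text by also applying the reverse and digit transformers from RFC 7208 section 7; the function names, the constructed zone and the 192.0.2.x documentation addresses are assumptions made for illustration.

```python
import re

# Handles macro letters s, l, o, d, i, h for IPv4 senders. RFC 7208 section 7
# defines further letters and URL-escaped uppercase forms, not covered here.
MACRO = re.compile(r"%\{([slodih])(\d*)(r?)([.\-+,/_=]*)\}|%([%_\-])")
LITERALS = {"%": "%", "_": " ", "-": "%20"}

def expand(text, ip, sender, helo, domain):
    """Expand the SPF macros in `text` for one SMTP transaction."""
    local, _, sender_domain = sender.rpartition("@")
    local = local or "postmaster"          # empty local part defaults to postmaster
    values = {"s": f"{local}@{sender_domain}", "l": local, "o": sender_domain,
              "d": domain, "i": ip, "h": helo}

    def substitute(match):
        letter, digits, reverse, delims, literal = match.groups()
        if literal:                        # %%, %_ and %- are literal escapes
            return LITERALS[literal]
        # Split on the listed delimiters (default "."), optionally reverse,
        # optionally keep only the right-most N parts, then rejoin with ".".
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits and int(digits) > 0:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO.sub(substitute, text)

# Constructed stand-in for DNS: names that have an A record (documentation IPs).
ZONE = {"192.0.2.10._spf.example.com", "192.0.2.11._spf.example.com"}

def exists_pass(target, zone=ZONE, **ctx):
    """True when the expanded exists: target resolves in the constructed zone."""
    return expand(target, **ctx).lower() in zone

if __name__ == "__main__":
    ctx = dict(ip="192.0.2.10", sender="billing@domainexample.com",
               helo="mail.domainexample.com", domain="example.com")
    print(expand("%{i}._spf.example.com", **ctx))          # Example 1 lookup name
    print(expand("%{l}._spf.domainexample.com", **ctx))    # Example 2 include target
    print(expand("%{ir}.%{d2}", **ctx))                    # reversed IP, last 2 labels
    print(exists_pass("%{i}._spf.example.com", **ctx))
    print(exists_pass("%{i}._spf.example.com", **{**ctx, "ip": "192.0.2.99"}))
```

The values substituted for %{s}, %{l}, %{o} and %{h} are supplied by the sending side, so any DNS name built from them should be treated as sender-controlled input when reviewing or logging these lookups.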

Take Advantage of Macros in Your SPF Setup

SPF Macros have existed ever since SPF was introduced into the email security ecosystem and have been widely supported by MTAs to enable dynamism and scalability in terms of SPF authentication, record creation, and management. PowerSPF integrates SPF Macros seamlessly so that our clients can generate SPF records with enhanced flexibility.  

Try our SPF solutions today – contact us for a one-on-one demo with an experienced email security expert! 



This post first appeared on Powerdmarc - Protect Your Email And Domain With DMARC, please read the original post: here
