Note: If you are implementing SPF / Sender ID for the first time, you should also implement Yahoo! DomainKeys at the same time.
Sender ID and Sender Policy Framework (SPF) are two related methods of email authentication that enable organizations to specify which mail servers are authorized to send email in their name. Originally developed to fight email address forgery and phishing, these standards have also been integrated into many anti-spam systems. Since 2003, SPF has become the most widely adopted email authentication standard, in use at AOL and many other domains. Sender ID is a variation of SPF developed by Microsoft, in use at Hotmail, msn.com, and other domains.
Both Sender ID and SPF utilize the DNS system to provide information about which servers are authorized to send email in a domain’s name. Email publishers add a TXT record to the DNS zone that identifies authorized mail servers. When an ISP receives email, it looks up the information associated with the domain sending the message. If the actual sending mail server is on a domain’s list of authorized mailers, the recipient system treats the email as legitimate. If the sending mail server is not on the authorized list, the recipient system treats the email as suspicious and subjects it to anti-spam filters, because it does not know if the mail can be trusted.
The "From" address in email marketing sent from Convio will typically use an Internet domain owned by the Convio client in question. To pass a Sender ID check, SPF records which identify Convio as a legitimate source of email need to be published by each client in the DNS for each domain they use in "From" lines in email marketing.
Determining what the complete SPF policy should be for a domain is a matter for each organization's IT team; however, Convio offers the following guidance:
IF your organization operates its own office email server AND Convio is the only service that sends email on your organization's behalf, then the following SPF record will meet your needs:
v=spf1 +mx +include:outboundmail.convio.net ?all
An SPF-based spam filter will translate this as: "Servers specifically allowed to send mail are (i) our inbound mail server(s), and (ii) Convio's servers. For mail from any other source, treat it as if this SPF record was never published."
IF your organization uses multiple email service providers, then your SPF record will need to be expanded to identify additional authorized email servers. We recommend you adopt the following SPF policy: For every domain used in the "From" address of Convio emails, publish an SPF record which explicitly authorizes Convio's servers as legitimate email sources for that domain. To do this, include the following rule in your SPF records:
You should do this for every domain used in "From" addresses of email sent from Convio, including subdomains.
The website http://www.openspf.org/ has a wizard for creating SPF records, and lots of information about SPF.
It's strongly recommended that you syntax check your SPF record prior to publishing it, and verify that it covers both Convio and any other systems that send mail for your domain. Below are some links to SPF tools:
You can also open a ticket with Convio Support and ask us to review your draft SPF record.
An SPF record is published as the value of a DNS TXT record whose name is the domain itself. SPF-checking email servers distinguish it from other TXT records at that name by the SPF version signature it starts with.
An example of the DNS syntax used in a zone file for the BIND (aka named) DNS server software would be:
@ 86400 IN TXT "v=spf1 +mx +include:outboundmail.convio.net ?all"
Other DNS software uses different input formats - consult your vendor's documentation.
If you are using an offsite vendor, perhaps the company who provides your office internet access, to host your DNS for you, they will typically have provided a web interface where you will need to input these DNS records.
A note about Sender ID DNS record formats
The Sender ID standard specifies its own slightly different DNS record format, which confusingly begins with spf2.0/pra instead of v=spf1. However, a "v=spf1" record will be used as a fallback to perform Sender ID checks if it is available. Thus, for most purposes there is no need to publish both; it is sufficient to use the original SPF format.
If you are already using both SPF v1 and Sender ID "spf2.0/pra" records, the Sender ID record will take precedence, but the rule authorizing Convio as a sender should be added to both.
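The pre-publication check recommended above, together with the Sender ID precedence rule, can be scripted. The following is an added example, not Convio's code or one of the tools the page links to; the function names are hypothetical, the mechanism list comes from the SPF specification, and the TXT strings are supplied by the caller rather than fetched from DNS.

```python
import re

CONVIO = "outboundmail.convio.net"  # include target from the page's sample record
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9._-]*)([:=/].*)?$")

def kind(txt):
    """Classify one TXT string by its version signature."""
    head = txt.split(" ", 1)[0].lower()
    if head.startswith("spf2.0/") and "pra" in head[7:].split(","):
        return "pra"
    return "spf1" if head == "v=spf1" else None

def lint(record):
    """Return (problems, authorizes_convio) for one SPF or Sender ID record."""
    problems, convio, seen_all = [], False, False
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        qual, name, rest = m.group(1), m.group(2).lower(), m.group(3) or ""
        if rest.startswith("="):   # modifier (redirect=, exp=): not a mechanism
            continue
        if seen_all:
            problems.append(f"{term!r} follows 'all' and is never evaluated")
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism {term!r}")
        elif name == "include":
            target = rest[1:].rstrip(".").lower() if rest.startswith(":") else ""
            if not target:
                problems.append(f"include without a domain: {term!r}")
            convio |= target == CONVIO and qual in ("", "+")
        seen_all |= name == "all"
    return problems, convio

def check_domain(txt_records):
    """Check all TXT strings published at one "From" domain."""
    by_kind = {k: [t for t in txt_records if kind(t) == k] for k in ("spf1", "pra")}
    problems = [] if any(by_kind.values()) else ["no SPF or Sender ID record published"]
    for k, records in by_kind.items():
        if len(records) > 1:
            problems.append(f"{len(records)} {k} records published; only one is allowed")
        for rec in records:
            found, convio = lint(rec)
            problems += found + ([] if convio else [f"{k} record does not authorize {CONVIO}"])
    used = "pra" if by_kind["pra"] else "spf1" if by_kind["spf1"] else None
    return {"sender_id_uses": used, "problems": problems}
```

Pass `check_domain` the full list of TXT values at each "From" domain, subdomains included; an empty `problems` list means the record parsed cleanly and authorizes Convio in every format that is published.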
Email sent from Convio will always pass SPF tests, because Convio has properly published SPF records for domains we manage that cover all client email.
However, if your organization does not also add SPF records to your own DNS, your email will fail Sender ID tests and will often be treated as suspicious or untrustworthy. Recipient systems subject email that fails Sender ID to a variety of delivery barriers, ranging from complete rejection, to diversion to spam folders, to suppression of images or working hyperlinks. Some Microsoft mail clients flag mail that fails Sender ID as untrustworthy in their user interface.
Because of the critical importance of sender verification for good email delivery, the Convio product (both Email Campaigns and Quick Email) now has a built-in ability to monitor whether the domain names your organization uses comply with these standards. Our tool will remind you that you need to implement these standards every time you send an email job until your organization comes into compliance.
DomainKeys is a separate email verification standard utilized by Yahoo!, and is necessary to ensure good email delivery to recipients using Yahoo as an ISP. Instructions to configure DomainKeys can be found here.
The Convio application will continuously test the domains you use to send email from our system for compliance with both DomainKeys and Sender ID. Since different ISPs use different standards, it is important that your organization implement both. Note that, unlike DomainKeys, failure to comply with Sender ID does not require the Convio software to make any changes to your email.
Clients on GetActive, who will be migrating to Convio, are advised to configure their DNS to designate both Convio and GetActive as authorized email service providers at this time, thus avoiding the need to do anything at the time of migration. To do so, include both the GetActive and the Convio designators in your SPF / Sender ID record, like this:
GetActive clients are also advised to configure their DNS for Convio's Yahoo! DomainKeys signature which will be applied automatically to their email once they migrate.
Please see the Email Sender Verification Overview to learn why this is important to your organization.
SPF is based on verifying the "Return-Path" header from an email, often called the "envelope sender". Users of email do not normally see this address. Sender ID performs similar checks, but (generally) uses the "From" address of an email that is displayed to users. To understand the difference, consider how these two methods treat email sent from Convio. Recipient systems using SPF will check the envelope from address, which is always a Convio.net address, and therefore look up the DNS record for Convio.net to see if the mail is authorized. Recipients using Sender ID will check the message from address, which is usually a client-provided email address. So Sender ID will look up the DNS record of the sending organization to see if Convio mail servers are authorized to send in its name. Thus, Sender ID is a more useful standard to ensure that email sent from Convio is trusted.
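The difference described above, shown on a constructed message. This is an added example, not Convio's code: example.org stands in for a client domain, the Return-Path local part is invented, and the header order used for Sender ID is a simplified form of the Purported Responsible Address selection in RFC 4407, which is why the "From" address is only generally the one checked.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message: example.org stands in for a client domain and the
# Return-Path local part is invented; only the header layout matters.
SAMPLE = """\
Return-Path: <bounce-1234@convio.net>
From: "Example Charity" <news@example.org>
To: supporter@example.com
Subject: Spring appeal

Hello.
"""

# Headers Sender ID consults for the Purported Responsible Address (RFC 4407),
# in priority order. Simplified: the RFC's malformed-header rules are skipped.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

def domain_of(header_value):
    """Domain part of the address in a header value, or None."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def checked_domains(raw):
    """Domain each check looks up in DNS for this message."""
    msg = message_from_string(raw)
    pra = next((msg[h] for h in PRA_HEADERS if msg[h]), None)
    return {"spf": domain_of(msg["Return-Path"]), "sender_id": domain_of(pra)}

def lookup_plan(raw, published):
    """Pair each checked domain with whether a record exists there.

    published: set of domains that publish an SPF record (stand-in for DNS).
    """
    return {check: (dom, dom in published)
            for check, dom in checked_domains(raw).items()}
```

With only convio.net in `published`, the SPF lookup finds a record while the Sender ID lookup at example.org finds none, which is the situation a client is in before adding its own record.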