Today, an SPF record is a MUST-have DNS record for reliable email delivery. It is a type of email authentication to protect your emails from being forged. This secures your reputation from phishers and spoofers. Find out more about the Sender Policy Framework to increase the credibility of your product.
What is an SPF record?
One of the DNS resource records is TXT. It is mostly used to denote facts about the domain and provide information to outside sources. It’s a must have for email authentication. For example, an email comes from some server to your internet service provider (ISP). ISP can use a dedicated TXT type record, SPF record, to authenticate the email. This record contains data about the trusted servers authorized by your domain. So, your ISP can identify a source an email is coming from and detect a forged email. SPF or Sender Policy Framework is a primary but not the only standard to authenticate your email.
Email authentication standards – what are they for?
SMTP can’t protect your app from such frauds as email spoofing, phishing, and spam. It lacks a feature that would identify the origin of an email message and validate its domain. Email authentication can do the job.
There are three widely adopted standards to authenticate emails: SPF, DKIM, and DMARC. In brief, each of them does the following:
- SPF checks that the IP address the email comes from is authorized
- DKIM checks the message using keys for signature-verification
- DMARC encloses both approaches in one go
SPF, DKIM, and DMARC differ in technical implementation, but all they draw on DNS records. You can also encounter other authentication methods like ADSP, Sender ID, iprev, and so on. Some of them are either unclaimed or have been deprecated.
Sender Policy Framework or SPF
Sender Policy Framework appeared officially as an experimental standard in 2006. Eight years later, SPF was approved as a proposed email authentication standard.
In plain English, SPF is a protocol according to which the mail servers decide whether to receive or reject an incoming email. The decision is made using the SPF information in TXT records as for the list of authorized IP addresses within a particular domain. If the email has been sent from one of these addresses, it’s not forged and can be let in.
When you need SPF
If your digital product sends transactional or even commercial messages, make sure to implement Sender Policy Framework. This is a thing required by internet service providers so far. If you don’t have a valid SPF record, or it is incorrect, your ISP might run secondary email filtering. Failed SPF authentication means that your email will be recognized as spam or even blocked.
SPF scares off spammers and phishers by filtering out forged emails. It keeps your product reputation spotless. But, to complete the picture, it is better to implement a full-scale email authentication (SPF + DKIM + DMARC).
Cons of SPF email authentication
- It is troublesome to keep SPF records up-to-date if you change ISP or add mail streams
- SPF alone does not guarantee that your message will pass authentication
- SPF records break plain message forwarding
Common SPF misconceptions
SPF is a necessary measure , but it is not a silver bullet against spoofing. Make sure you are aware of the following misconceptions to use the framework correctly.
- Full domain protection from spoofing
SPF works with the envelope-from address (return pass) of email. It is invisible to the user unlike the header-from address, which refers to the message content. Hence, an SPF record can’t protect the visible address of the sender.
- With SPF, you get direct protection against spam
The framework leverages spam filtering systems to check emails. Also, it protects against forged messages from a specific domain. However, it does not offer significant improvements in terms of fighting spam. More on this, you can learn in the blog post about how to avoid emails going to spam.
- SPF authorizes the email sender
Actually, the mail server sending a message is being authorized according to the SPF record. So, the framework works at the domain level.
- One SPF record per each authorized domain
Keep in mind that you can have only one SPF record. Otherwise, you’ll get ‘
permerror’ – an error indicating that the retrieved SPF policy record could not be interpreted.
- Email authentication with DKIM only is enough
Even if you have all the messages authorized according to DKIM, you still need an SPF record to identify the domain. Moreover, the Sender Policy Framework is required within cloud services and IPv6 networks. So, the best way to combat spoofing and secure your email is to implement SPF, DKIM, and DMARC.
How does SPF work?
In general, the SPF in action consists of the following steps:
- Creating an SPF record. This establishes an authentication policy and defines mail servers authorized to send emails from a particular domain.
- DNS lookup. An incoming message is being verified in the DNS. The domain name should be listed as the “envelope from” address. Then, the inbound server checks whether the IP address the email is sent from is authorized in the SPF record. If it doesn’t match any address present in the record, the SPF authentication is marked as failed.
- Authentication outcome. The mail server either delivers, flags, or rejects the message based on the rules specified in the SPF record (and a multitude of other factors).
For example, a server with IP address ‘22.214.171.124’ has sent an email from ‘email@example.com’. During the SPF check, the inbound server will query the ‘apple.com’ domain to see if this particular IP address is authorized to send the email.
A successful result will increase the odds of an email making its way to an inbox. A failed SPF will likely lead to a message landing in spam or a virtual trash bin.
SPF record syntax
First, let’s anatomize a simple SPF record example.
“v=spf1 +a +mx redirect=example.com -all”
v = spf1 is a version number of the current record, and the rest are Mechanisms, Qualifiers, and Modifiers to specify different rules of SPF check. Here is what you can set up in your SPF record.
|+||Accept. The host is allowed to send a message||+|
|–||Reject. The host is not allowed to send a message||–|
|~||Accept but mark. The host is not allowed to send a message but is in transition (the mechanism is for testing purposes)||~|
|?||Accept. The host validity is unstated||?|
|a||Defines the DNS A record of the domain as authorized. If unspecified, the current domain is used||a|
|all||Defines policy for all other sources||all|
|exists||Checks validity of an A record for a provided domain||exists:<domain>|
|include||Includes the specified domain as authorized. If the domain does not have a valid record, you’ll get ‘permerror’||include:<domain>|
|ip4||Defines the IPv6 network range. Can be used with prefix, which denotes the range length. If no prefix is specified, /32 is the default||ip4:<ip4-address>|
|ip6||Defines the IPv6 network range. Can be used with prefix, which denotes the range length. If no prefix is specified, /128 is the default||ip6:<ip6-address>|
|mx||Defines the DNS MX record of the domain as authorized. I.e., the message must be sent by one of the domain’s incoming mail servers.||mx|
|ptr [deprecated]||Defines the reverse hostname and subdomain of the sending IP address.||ptr|
|exp||Specifies the explanation that a sender will see if the message has been rejected||exp=<domain>|
|redirect||Replaces domain with the current record||redirect=<domain>|
What you should keep in mind:
- One SPF record string cannot exceed 255 characters. Use multiple records if necessary
- Some DNS providers may not require quotations to enclose the record data. Check it in advance
- Records for subdomains should be named respectively (best for best.example.com)
- To avoid unreasonable load on the DNS, the total number of mechanisms including modifiers should be limited to 10.
Now, let’s put this knowledge into practice.
Create an SPF record for your domain
Step 1 – Preparation
- Collect all mail servers and IP addresses that will be specified as authorized in the SPF record
Step 2 – DNS control panel
- Access the DNS control panel of your ISP and find the section of the TXT type record.
Step 3 – SPF record
- Start with the version tag:
v=spf1. Next versions will be
- Insert all the IP addresses you’ve collected to specify as authorized:
- Add the include tag for each third-party email service to designate it as a trustworthy sender:
- Leverage other mechanisms, qualifiers, or modifiers to set up the SPF record.
- The all tag is usually used to finalize the record.
-all– all unspecified servers are not authorized (emails will be rejected).
~all– all unspecified servers are not authorized, but emails will be marked and accepted.
+all– any server is authorized (quite undesirable option).
That’s how the most common SPF record looks like:
"v=spf1 a mx -all"
Here, all A and MX records in this domain are authorized to send emails. Emails from anything beyond will be rejected.
SPF record for multiple domains
Let’s say you have a primary domain – alpha.net with a record like this one
v=spf1 a mx -all. And you need to make an SPF record for multiple domains like beta.net and gamma.net?
The “include” mechanism allows you to designate other domains that are independent from your primary one. For example, alpha.net might send mail using beta.net and gamma.net.
v=spf1 include:beta.net include:gamma.net -all
Also, you can point to your primary domain by adding include:alpha.net in SPF records of your secondary domains:
v=spf1 include:primary-domain.com -all
This will apply the rules from the primary domain for the secondary ones.
Keep in mind that you cannot have more than one TXT record for SPF for a domain.
Can I split a large SPF record?
What if your SPF record looks like this?
v=spf1 a mx a:mail.alpha.com a:first.alpha.net a:second.alpha.org mx:third.domain.net ip4:126.96.36.199 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e include:sendgrid.net include:mandrill.com -all
It matches the requirement of 255 characters per string, but still it is very long. Hence, you can split it into several records that will be included in the main SPF record. Here is how it may go:
- First, create separate records. Their names should relate to the current domain like this:
v=spf1 a mx a:mail.alpha.com a:first.alpha.net a:second.alpha.org mx:third.domain.net -all
v=spf1 ip4:188.8.131.52 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e -all
v=spf1 include:sendgrid.net include:mandrill.com -all
- Now, you can tweak your initial SPF record in this way:
v=spf1 include:spf1.alpha.com include:spf2.alpha.com include:spf3.alpha.com -all
That’s it. All these records will be checked as one after the DNS update.
Validate your SPF record
The last thing we advise you to do it to validate your SPF record. Luckily, there are a bunch of actionable tools like SPF Tools by EasyDMARC, SPF Record Check, SPF Syntax Validator, or similar. This will troubleshoot your record and prevent the annoyance in the future.
How to create an SPF record using my DNS provider?
You can create and manage your SPF records using a respective console or control panel of you DNS provider. Some services give detailed instructions or guides on how to create TXT records. Below, you’ll find links to the guides of some top-rated providers.
Also, we’ve collected a list of SPF specs for popular email providers so you can copy and paste them in your TXT record.
|Email service provider||SPF record|