Site icon Mailtrap

SPF Record Explained

Today, an SPF record is a must-have DNS record for reliable email delivery. It is a type of email authentication to protect your emails from being forged. This secures your reputation from phishers and spoofers. Find out more about the Sender Policy Framework to increase the credibility of your product.

What is an SPF record?

One of the DNS resource records is TXT. It is mostly used to denote facts about the domain and provide information to outside sources. It’s a must-have for email authentication. For example, an email comes from a server to your internet service provider (ISP). ISP can authenticate the email using a dedicated TXT type record, SPF record. This record contains data about the trusted servers authorized by your domain so, your ISP can identify a source an email is coming from and detect a forged email. SPF or Sender Policy Framework is a primary (but not the only) way to authenticate your email.  

Email authentication standards – what are they for?

SMTP can’t protect your app from frauds such as email spoofing, phishing, and spam. It lacks a feature to identify the origin of an email message and validate its domain. Instead, email authentication can do the job. 

There are three widely adopted standards to authenticate emails: SPF, DKIM, and DMARC. In brief, each of them does the following:

SPF, DKIM, and DMARC differ in technical implementation, butthey all draw on DNS records. You can also encounter other authentication methods like ADSP, Sender ID, iprev, and so on. Some of them are either unclaimed or have been deprecated. 

Sender Policy Framework or SPF

Sender Policy Framework appeared officially as an experimental standard in 2006. Eight years later, SPF was approved as a proposed email authentication standard

In plain English, SPF is a protocol according to which the mail servers decide whether to receive or reject an incoming email. The decision is made using the SPF information in TXT records as for the list of authorized IP addresses within a particular domain. If the email has been sent from one of these addresses, it’s not forged and can be let in.

When you need SPF 

If your digital product sends transactional or even commercial messages, make sure to implement Sender Policy Framework. This is currently required by internet service providers (Google and Yahoo). If you don’t have a valid SPF record, or it is incorrect, your ISP might run secondary email filtering. Failed SPF authentication means that your email will be recognized as spam or even blocked. 

SPF scares off spammers and phishers by filtering out forged emails. It keeps your product reputation spotless. But, to complete the picture, it is better to implement a full-scale email authentication (SPF + DKIM + DMARC).

Cons of SPF email authentication

Common SPF misconceptions

SPF is a necessary measure but it is not a silver bullet against spoofing and phishing. Make sure you are aware of the following misconceptions so you can use the framework correctly. 

SPF works with the envelope-from address (return pass) of email. It is invisible to the user unlike the header-from address, which refers to the message content. Hence, an SPF record can’t protect the visible address of the sender.

The framework leverages spam filtering systems to check emails. Also, it protects against forged messages from a specific domain. However, it does not offer significant improvements in terms of fighting spam.

Actually, the mail server sending a message is being authorized according to the SPF record. So, the framework works at the domain level. 

Keep in mind that you can only have one SPF record. Otherwise, you’ll get ‘permerror’- an error indicating that the retrieved SPF policy record could not be interpreted. 

Even if you have all the messages authorized according to DKIM, you still need an SPF record to identify the domain. Moreover, the Sender Policy Framework is required within cloud services and IPv6 networks. So, the best way to combat spoofing and secure your email is to implement SPF, DKIM, and DMARC.

How does SPF work?

In general, the SPF in action consists of the following steps:

For example, a server with IP address ‘234.213.42.2’ has sent an email from ‘home@apple.com’. During the SPF check, the inbound server will request the ‘apple.com’ domain if this IP address is authorized to send the email. If yes – welcome, if not – the message will be sorted according to the mechanism specified in the SPF record. 

SPF record syntax

First, let’s anatomize a simple SPF record example.

“v=spf1 +a +mx redirect=example.com -all”

v = spf1 is a version number of the current record, and the rest are Mechanisms, Qualifiers, and Modifiers to specify different rules of SPF check. Here is what you can set up in your SPF record.

QualifierPurposeImplementation
+Accept. The host is allowed to send a message+
Reject. The host is not allowed to send a message
~Accept but mark. The host is not allowed to send a message but is in transition (the mechanism is for testing purposes)~
?Accept. The host validity is unstated?
MechanismPurposeImplementation
aDefines the DNS A record of the domain as authorized. If unspecified, the current domain is useda
a/<prefix-length>
a:<domain>
a:<domain>/<prefix-length>
allDefines policy for all other sourcesall
existsChecks validity of an A record for a provided domainexists:<domain>
includeIncludes the specified domain as authorized. If the domain does not have a valid record, you’ll get ‘permerror’include:<domain>
ip4Defines the IPv6 network range. Can be used with prefix, which denotes the range length. If no prefix is specified, /32 is the defaultip4:<ip4-address>
ip4:<ip4-network>/<prefix-length>
ip6Defines the IPv6 network range. Can be used with prefix, which denotes the range length. If no prefix is specified, /128 is the defaultip6:<ip6-address>
ip6:<ip6-network>/<prefix-length>
mxDefines the DNS MX record of the domain as authorized. I.e., the message must be sent by one of the domain’s incoming mail servers.mx
mx/<prefix-length>
mx:<domain>
mx:<domain>/<prefix-length>
ptr [deprecated]Defines the reverse hostname and subdomain of the sending IP address.ptr
ptr:<domain>
ModifierPurposeImplementation
expSpecifies the explanation that a sender will see if the message has been rejectedexp=<domain>
redirectReplaces domain with the current recordredirect=<domain>

What you should keep in mind:

Now, let’s put this knowledge into practice. 

Create an SPF record for your domain

Step 1 – Preparation

Step 2 – DNS control panel

Step 3 – SPF record

ip4:35.167.41.421 ip6:2a13:c025:e4:7a01:bc72:dcb5:7a13

include:sendgrid.net or include:mandrillapp.com

This is how the most common SPF record looks like:

"v=spf1 a mx -all"

Here, all A and MX records in this domain are authorized to send emails. Emails from anything beyond will be rejected. 

SPF record for multiple domains

Let’s say you have a primary domain – alpha.net with a record like this one v=spf1 a mx -all. and you need to make an SPF record for multiple domains like beta.net and gamma.net? 

The “include” mechanism allows you to designate other domains that are independent from your primary one. For example, alpha.net might send mail using beta.net and gamma.net.

v=spf1 include:beta.net include:gamma.net -all

Also, you can point to your primary domain by adding include:alpha.net in SPF records of your secondary domains: 

v=spf1 include:primary-domain.com -all

This will apply the rules from the primary domain for the secondary ones. 

Keep in mind that you cannot have more than one TXT record for SPF for a domain.

Can I split a large SPF record?

What if your SPF record looks like this?

v=spf1 a mx a:mail.alpha.com a:first.alpha.net a:second.alpha.org mx:third.domain.net ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e include:sendgrid.net include:mandrill.com -all

It matches the requirement of 255 characters per string, but still it is very long. Hence, you can split it into several records that will be included in the main SPF record. Here is how it may go:

spf1.alpha.com TXT

v=spf1 a mx a:mail.alpha.com a:first.alpha.net a:second.alpha.org mx:third.domain.net -all

spf2.alpha.com TXT

v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e -all

spf3.alpha.com TXT

v=spf1 include:sendgrid.net include:mandrill.com -all

alpha.com TXT

v=spf1 include:spf1.alpha.com include:spf2.alpha.com include:spf3.alpha.com -all

That’s it. All these records will be checked as one after the DNS update.

Validate your SPF record

The last thing we advise you to do is to validate your SPF record. Luckily, there are a bunch of actionable tools like SPF Record Check or SPF Syntax Validator. This will troubleshoot your record and prevent the annoyance in the future. 

How to create an SPF record using my DNS provider?

You can create and manage your SPF records using a respective console or control panel of your DNS provider. Some services give detailed instructions or guides on how to create TXT records. Below, you’ll find links to the guides of some top-rated providers. 

Also, we’ve collected a list of SPF specs for popular email providers so you can copy and paste them into your TXT record.

Email service providerSPF record
Gmailv=spf1 include:_spf.google.com ~all
Sendgridv=spf1 include:sendgrid.net ~all
MailChimpv=spf1 include:servers.mcsv.net ?all
Mandrillv=spf1 include:spf.mandrillapp.com ?all
Mailgunv=spf1 include:mailgun.org ~all

Check out Mailtrap Email API if you’re looking for a solution that has a straightforward setup process while also helping you monitor your deliverability via a dashboard with valuable insights, provides a dedicated IP address, and its automatic warmup. 

SPF record: v=spf1 include:_spf.smtp.mailtrap.live -all

SPF Troubleshooting: SPF record won’t validate

Here is a short list of common problems (and their basic solutions) one may encounter while trying to validate SPF records.

Once you’ve set up your SPF record, you can proceed to DKIM and DMARC protocols to make your email security and marketing campaigns a cut above the rest.

Exit mobile version