What is a DNS Sender Policy Framework (SPF) record?
Email security is something we can’t afford to overlook, especially considering that, by many estimates, over 90% of cyberattacks start with an email. Attackers abuse weaknesses in email, above all phishing and sender spoofing, and use it as the entry point for most intrusions.
Without proper protection, your emails could get caught in spam filters or, worse, your domain could be used for spoofing or phishing attacks. That leads to lost messages and, at worst, to customers and partners no longer trusting mail that carries your name.
The good news is that there’s a straightforward way to protect your domain and improve its email deliverability. By publishing a Sender Policy Framework (SPF) record, you tell receiving mail servers which servers are allowed to send mail for your domain, so legitimate mail can be verified and forged mail can be recognized and rejected.
Let’s walk through everything you need to know about SPF records: what they are, why you need one, and how to set one up in a few simple steps.
What is an SPF record?
Sender Policy Framework (SPF) is an email authentication standard, defined in RFC 7208, and an SPF record is the DNS TXT record in which a domain publishes the list of servers that are authorized to send mail on its behalf. A receiving mail server looks up that record and compares it against the IP address of the server that is delivering the message, which helps prevent email spoofing and spam.
Think of it as a guest list for other mail servers: it tells them which sending servers are trusted to represent your domain. If an email arrives from a server that isn’t on the list, it can be flagged as suspicious, sent to spam, or not delivered at all.
In doing so it:
- Prevents spoofing. Ensures only authorized servers can send emails from your domain.
- Enhances deliverability. Reduces the chances of legitimate emails being marked as spam.
- Protects your reputation. Safeguards your domain’s reputation by minimizing the risk of being associated with malicious activities.
An SPF record stops unauthorized servers from sending mail in your domain’s name, with one important caveat: SPF checks the envelope sender domain (the SMTP MAIL FROM address, also called the Return-Path), not the From: header that recipients see. An attacker can therefore pass SPF with their own domain in the envelope while forging your domain in the From: header. Pair SPF with the other email authentication protocols, DKIM and DMARC, and that gap closes, giving you far more robust email protection.
What do DKIM and DMARC have to do with your SPF record?
These are two other email protocols that you can use alongside the SPF record to protect your brand/domain.
DomainKeys Identified Mail (DKIM) works much like a tamper-evident seal. Your sending server signs selected headers and the message body with a private key, and receivers verify that signature against a public key published in your DNS. A valid signature shows that the message was not altered in transit and that it was signed by your domain.
Domain-based Message Authentication, Reporting & Conformance (DMARC), on the other hand, serves as the policy manager. Think of it as the guard for your domain’s name in the From: header. It tells receivers what to do with a message that fails authentication, meaning that neither SPF nor DKIM produced a pass for a domain that aligns with the From: domain. Your policy can be none (deliver and only report), quarantine (deliver to spam), or reject. DMARC also asks receivers to send you aggregate reports, so you can see which sources are sending mail as your domain and whether they pass.
If configured correctly, these three go a long way toward securing your domain’s reputation. With that context, let’s take a closer look at your SPF record.
How does an SPF record work?
An SPF record tells the receiving mail server which servers can send emails for your domain. When a message arrives, the receiving server looks up the SPF record of the domain in the envelope sender address and checks whether the IP address of the connecting server is on the “approved” list.
The record is read from left to right, one term at a time, like reading a sentence from beginning to end. Each term (called a mechanism) checks something specific, such as whether the sender’s IP address falls within a listed range or whether it belongs to one of your domain’s mail servers.
As soon as a mechanism matches, the check stops, and the result is that mechanism’s qualifier: pass by default, or fail, softfail or neutral if the mechanism is prefixed with -, ~ or ?. If a mechanism doesn’t match, evaluation moves on to the next one, and so on. If none of them match, the final mechanism (all) determines what happens to the email.
Example:
v=spf1 rule1 rule2 rule3 -all
Here’s how it works:
- Rule 1: The receiving server checks whether the sender’s IP matches the first mechanism. If it does, the check stops and the message gets that mechanism’s result (a pass, unless the mechanism carries a -, ~ or ? qualifier).
- Rule 2: If Rule 1 doesn’t match, it checks the second mechanism.
- Rule 3: If neither of the first two match, it checks the third.
- -all: If nothing else matched, -all matches everything and the message fails SPF. What the receiver does with a fail (reject it outright or deliver it to spam) is up to the receiver’s own policy and your DMARC record.
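To make the left-to-right, first-match evaluation concrete, here is a small SPF evaluator written for this article; it is not code from the page or from any SPF library. It resolves names against a constructed in-memory zone (documentation addresses and domains only, standing in for real DNS), supports the ip4, ip6, a, mx, include and all mechanisms plus the redirect modifier, and returns both the result and the term that produced it, so you can see exactly where the scan stopped. ptr and exists are left out on purpose.

```python
import ipaddress

# Constructed sample zone that stands in for live DNS. It uses documentation
# addresses and domains only; none of these are real records.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.mailer.example -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.5"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:192.0.2.10 a:relay.mailer.example ~all"]},
    "relay.mailer.example": {"A": ["192.0.2.20"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Stand-in for a DNS query; returns the records of that type or []."""
    return ZONE.get(name.lower(), {}).get(rrtype, [])


def split_term(term):
    """'~ip4:192.0.2.0/24' -> ('softfail', 'ip4', '192.0.2.0/24').
    A term with no qualifier defaults to pass, exactly like '+'."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, value = term.partition(":")
    return QUALIFIERS[qualifier], name.lower(), value


def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record for a connection from sender_ip.

    Returns (result, term): the result is the qualifier of the first
    mechanism that matched and term is that mechanism, so the output shows
    where the left-to-right scan stopped. ptr and exists are not modelled.
    """
    if depth > 10:                      # guard against include/redirect loops
        return "permerror", "too many levels"
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none", "no SPF record"
    if len(records) > 1:                # RFC 7208: two SPF records is a permanent error
        return "permerror", "multiple SPF records"

    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term:                 # modifier (redirect= or exp=), not a mechanism
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        result, mech, value = split_term(term)
        if mech == "all":
            return result, term         # matches everything that got this far
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif mech in ("a", "mx"):
            target = value or domain
            hosts = [target] if mech == "a" else lookup(target, "MX")
            addrs = [a for h in hosts for a in lookup(h, "A") + lookup(h, "AAAA")]
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        elif mech == "include":
            # include matches only when the included record returns pass; a
            # fail or softfail inside it is just "no match" for this term
            matched = check_spf(value, sender_ip, depth + 1)[0] == "pass"
        else:
            return "permerror", f"unsupported mechanism {mech}"
        if matched:
            return result, term         # first match wins; nothing after it is read
    if redirect:                        # only consulted when no mechanism matched
        return check_spf(redirect, sender_ip, depth + 1)
    return "neutral", "no mechanism matched"


if __name__ == "__main__":
    for src in ("203.0.113.77", "198.51.100.5", "2001:db8:1::5", "192.0.2.20", "192.0.2.99"):
        print(f"{src:>15} -> {check_spf('example.com', src)}")
```

Run it and watch the last two cases: 192.0.2.20 passes because the included provider record returns pass for it, while 192.0.2.99 only gets a softfail inside the include, which counts as no match, so evaluation continues to -all and the message fails. That is the behaviour the rules above describe and the part of include semantics most people get wrong.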
Now that you understand how an SPF record works, let’s take a closer look at the components that make up a simple SPF record. These are the building blocks that define the rules for authorizing email senders on behalf of your domain.
What an SPF record looks like
An SPF record is a single string of text published in the DNS as a TXT record on your domain name. It tells receiving mail servers which IP addresses and mail servers are authorized to send email for that domain, and a domain must publish at most one such record. The SPF record consists of the following key components:
- Version identifier. This tells the receiving server that the TXT record is an SPF record and which version of the syntax it uses. v=spf1 is the only version currently defined, and it must be the very first term, as shown in the example above.
- Mechanisms. These define the specific servers or IP addresses that are authorized to send email for the domain. Mechanisms are crucial for the SPF check. Mechanisms can include:
- ip4 or ip6. Authorizes an IPv4 (ip4) or IPv6 (ip6) address, optionally with a /prefix length so that one term covers a whole range of addresses.
- a or mx. Authorizes the IP addresses found in the domain’s A/AAAA records (a) or the addresses of the hosts listed in its MX records (mx). Both can take another domain name as an argument to refer to a different domain’s records.
- include. Evaluates another domain’s SPF record and matches if that record returns a pass. This is how you authorize a third-party sender such as a hosted mail provider. A fail or softfail inside the included record does not fail your message; it simply means no match, and evaluation continues with your next mechanism.
- ptr. Does a reverse DNS lookup on the sender’s IP address and matches if the resulting host name belongs to the domain. It is slow, unreliable and deprecated by RFC 7208 (some receivers ignore it altogether), so use ip4/ip6 instead.
- exists. Performs an A record lookup on the given domain name and matches if any address comes back, whatever its value. It is mostly used together with SPF macros to build per-sender lookups and is rare in simple records.
- all. The catch-all mechanism that matches any IP address. It belongs at the end of the record to define the default result for everything not matched above, and its qualifier (described below) decides what that result is.
An SPF record can have zero or many mechanisms depending on the domain’s needs. At a minimum it should contain the version identifier (v=spf1) and an all mechanism at the end; a domain that sends no mail at all should publish exactly that, v=spf1 -all, so that nobody can send in its name.
- Qualifiers. A qualifier is a one-character prefix on a mechanism that sets the result when that mechanism matches: + means pass (the default when no qualifier is written), - means fail, ~ means softfail, and ? means neutral. They are most visible on the all mechanism at the end of the record, where -all means “everything else fails” and ~all means “everything else softfails”, but any mechanism can carry one.
- Modifiers (Optional). Modifiers add behaviour beyond the mechanism list. The two defined ones are:
- redirect=, which hands the whole check over to another domain’s SPF record when none of your own mechanisms match (it is the reason some records end without an all term).
- exp=, which names a DNS record holding an explanation string that receivers can include in their rejection message when a check fails.
Modifiers are not required, but they can be useful in more complex SPF configurations.
How to set up an SPF record: Step-by-step
An SPF record ensures that your emails are authenticated and reduces the chances of being marked as spam. Follow these steps to configure your SPF record:
- Determine the correct DNS zone
- Log in to your DNS management platform
- Check for existing SPF records and update, if necessary
- Create the SPF record
- Optimize for email deliverability
STEP 1: Determine the correct DNS zone
A DNS zone holds all your domain’s DNS records (like A, MX, and SPF records). You’ll need to find where your domain’s DNS is hosted (e.g., Cloudflare, Google Admin). Your SPF record must be added to the correct zone to be recognized.
You can find out where your DNS zone is hosted with a WHOIS lookup: search for your domain name and look at the Name Server entries; the name server’s own domain usually identifies the provider. If the name server names don’t make it obvious who the provider is, follow these steps instead:
- Copy one of the name server host names.
- Open a DNS checker tool (or a command-line tool such as dig or nslookup) and look up the A record for that host name.
- Note the IPv4 address that comes back.
- Run that address through an IP address lookup (a WHOIS lookup for the IP).
- The owner details will tell you which company hosts your DNS.
STEP 2: Log in to your DNS management platform
To begin editing your SPF record, you first need to log in to your DNS management platform. This is typically where all your domain settings are controlled, including your DNS records. Below are the general steps to log in to your DNS management platform, followed by specific instructions for Domain.com users.
- Log in to the DNS management platform provided by your domain registrar.
- Navigate to the section where DNS records are managed (often called “DNS Settings” or “DNS Management”).
- Look for the option to manage or add DNS records. This is where you can edit your SPF record.
For Domain.com users, follow these steps:
- Select “Domains” on the left navigation tab.
- Find the domain you want to configure and click Settings. The main panel changes to that domain’s settings.
- Scroll down to Advanced Tools and click it to expand the section. On the right-hand side you’ll see Advanced DNS Records with a “Manage” link. Click “Manage”.
- A pop-up warns that this setting is for advanced users; click Continue. This takes you to your DNS management platform.
STEP 3: Check for existing SPF records and update, if necessary
Inside your DNS management platform, look at the existing TXT records for your domain and find one whose value starts with v=spf1; that’s the SPF record. If one already exists, edit that record rather than adding a second one: a domain is allowed only one SPF record, and receivers treat two as a permanent error, which means neither is honoured.
If there is no SPF record yet, click the ellipsis (three vertical dots) on the far right and select the option to add a new record.
STEP 4: Create the SPF record
In the add-record dialog, select “TXT” as the type, set the host or name to your domain (usually @ for the bare domain), and paste the complete SPF string, beginning with v=spf1, into the value field. When you’re done, click “Add”.
STEP 5: Optimize for email deliverability
When setting up your SPF record, a few common errors can cause issues with email delivery. Let’s look at some of the most frequent mistakes to avoid.
Limit DNS lookups
Each term in your SPF record that needs a DNS query to resolve (include, a, mx, ptr, exists and the redirect modifier) counts toward the limit of 10 lookups per check set by RFC 7208; ip4, ip6 and all cost nothing. The count is cumulative: every include counts as one lookup, and every lookup inside the included record counts on top of that, so chains of includes from several providers add up quickly.
Use an SPF validation tool to see how many lookups your record triggers. A record that exceeds the limit returns a permanent error (permerror) rather than a pass, and many receivers then treat your mail as unauthenticated, so it gets flagged or rejected.
Double check your SPF syntax
Syntax errors (a missing space between terms, a typo in a mechanism name, an unknown qualifier, or two records where there should be one) invalidate the whole record and make every SPF check for your domain end in a permanent error. Also keep in mind that a single TXT string is limited to 255 characters; a longer record must be published as several quoted strings, which most DNS providers handle automatically.
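The two checks above, the lookup budget and the syntax, are exactly what a validation tool does, so here is a compact lint written for this article (not code from the page or from any published tool). It works on a constructed set of SPF records for documentation domains rather than live DNS, follows include and redirect into the referenced records the way a receiver would, counts every term that costs a DNS query, and reports unknown terms, terms placed after all, ptr use and over-length records. The example.com record deliberately chains two providers so that it lands at 11 lookups.

```python
# Constructed SPF records for a set of documentation domains (not real zones).
# example.com chains in two providers; its total ends up over the limit.
SPF_RECORDS = {
    "example.com": "v=spf1 mx a include:_spf.mailer.example include:_spf.crm.example ip4:203.0.113.0/24 -all",
    "_spf.mailer.example": "v=spf1 include:_spf1.mailer.example include:_spf2.mailer.example ~all",
    "_spf1.mailer.example": "v=spf1 ip4:192.0.2.0/24 a:relay1.mailer.example -all",
    "_spf2.mailer.example": "v=spf1 ip4:198.51.100.0/24 mx exists:%{i}._spf.mailer.example -all",
    "_spf.crm.example": "v=spf1 ptr redirect=_spf3.crm.example",
    "_spf3.crm.example": "v=spf1 ip4:203.0.113.200 -all",
    "broken.example": "v=spf1 ip4:203.0.113.5 -all include:_spf.mailer.example ipv4:203.0.113.6",
}

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
COSTS_A_LOOKUP = {"include", "a", "mx", "ptr", "exists", "redirect"}   # RFC 7208 section 4.6.4
MAX_LOOKUPS = 10


def lint_spf(domain, records=SPF_RECORDS, path=()):
    """Return (lookups, problems) for domain's record, following include and
    redirect into other records the way a receiving server would."""
    problems, lookups = [], 0
    if domain in path:
        return 0, [f"{domain}: include/redirect loop via {' -> '.join(path)}"]
    record = records.get(domain.lower())
    if record is None:
        return 0, [f"{domain}: no SPF record (every include/redirect target must have one)"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, [f"{domain}: record must start with v=spf1"]
    if len(record) > 255:
        problems.append(f"{domain}: {len(record)} characters; must be split into several quoted TXT strings")

    def descend(target):
        nonlocal lookups
        sub_lookups, sub_problems = lint_spf(target, records, path + (domain,))
        lookups += sub_lookups
        problems.extend(sub_problems)

    for index, term in enumerate(terms[1:], start=1):
        if "=" in term:                                   # modifier, not a mechanism
            name, _, value = term.partition("=")
            name = name.lower()
            if name not in MODIFIERS:
                problems.append(f"{domain}: unknown modifier {term!r}")
            elif name == "redirect":
                lookups += 1
                descend(value)
            continue
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower().split("/")[0]                 # a/24 and mx/24 forms
        if name not in MECHANISMS:
            problems.append(f"{domain}: unknown mechanism {term!r} (typo?)")
            continue
        if name == "all" and index != len(terms) - 1:
            problems.append(f"{domain}: terms after 'all' are never evaluated")
        if name == "ptr":
            problems.append(f"{domain}: ptr is deprecated by RFC 7208 and slow; list ip4/ip6 instead")
        if name in COSTS_A_LOOKUP:
            lookups += 1
        if name == "include":
            descend(value)
    return lookups, problems


def check_record(domain):
    """Lint a domain and add the over-limit verdict to its problem list."""
    lookups, problems = lint_spf(domain)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{domain}: {lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}; receivers return permerror")
    return lookups, problems


if __name__ == "__main__":
    for name in ("example.com", "broken.example", "_spf3.crm.example"):
        lookups, problems = check_record(name)
        print(f"{name}: {lookups} lookups")
        for problem in problems:
            print("  -", problem)
```

The tally for example.com is 4 lookups of its own (mx, a and two includes), 5 more inside the first provider’s nested includes, and 2 inside the second (its ptr and its redirect), for 11 in total. Trimming a single unnecessary include or replacing the provider’s ptr with ip4 ranges would bring it back under the limit, which is the usual fix.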
Verify deliverability
After updating your SPF record, send a test message from each of your sending systems to a mailbox you control and look at the Authentication-Results (or Received-SPF) header that the receiving server added; it should show spf=pass for the domain you expect. Skipping this step leaves misconfigurations unnoticed, which hurts deliverability and your sender reputation.
Align your SPF record with other DNS records
When using SPF, DKIM, and DMARC together, the records have to agree with each other; otherwise mail that passes SPF can still fail DMARC. Here are the common issues to watch for:
- Misaligned domains. DMARC only counts an SPF pass if the domain in the envelope sender (Return-Path) matches the domain in the From: header. Third-party services often put their own bounce domain in the envelope, so their mail passes SPF but is not aligned; for those senders you need an aligned DKIM signature (the provider’s DKIM key published under your domain) or a custom return-path domain.
- Forwarded mail. A forwarder delivers your message from its own IP address, which is not in your SPF record, so SPF fails; DKIM survives forwarding, which is one more reason to deploy both.
- A policy that is too strict too early. Start DMARC with p=none and study the reports before moving to quarantine or reject, so you find senders you forgot to authorize before their mail is dropped.
Make sure all three records line up so that legitimate mail is authenticated and only forged mail is rejected.
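This is how the verification step and the alignment issue above look in practice. The following example, written for this article and not taken from the page or any mail library, parses the Authentication-Results header of two constructed test messages (documentation domains only): one sent directly from example.com’s own server, one sent by a third-party mailer that uses its own bounce domain in the envelope. It then reports whether SPF and DKIM passed and whether each one aligns with the From: domain. For simplicity it uses strict alignment (the domains must be identical); real DMARC defaults to relaxed alignment, which also accepts subdomains of the same organizational domain.

```python
import email
import re
from email import policy

# Two constructed test messages (documentation domains, not real mail). The
# first is sent directly from example.com's own server; the second comes from a
# third-party mailer that uses its own bounce domain in the envelope.
DIRECT = """\
Return-Path: <bounce@example.com>
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=example.com;
 dkim=pass header.d=example.com header.s=sel1;
 dmarc=pass (p=reject) header.from=example.com
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Subject: SPF test

Test message.
"""

THIRD_PARTY = """\
Return-Path: <b-1234@bounce.mailer.example>
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.mailer.example;
 dkim=pass header.d=mailer.example header.s=k1
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Subject: Newsletter

Test message.
"""


def auth_results(msg):
    """Parse Authentication-Results (RFC 8601) into {method: {"result": ..., prop: value}}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        value = " ".join(str(header).split())          # unfold and squeeze whitespace
        _, _, body = value.partition(";")               # drop the authserv-id
        for clause in body.split(";"):
            m = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
            if not m:
                continue
            method, result, rest = m.groups()
            rest = re.sub(r"\([^)]*\)", "", rest)       # strip (comments)
            props = dict(re.findall(r"(\S+?)=(\S+)", rest))
            results[method.lower()] = {"result": result.lower(), **props}
    return results


def dmarc_view(raw):
    """Report whether SPF and DKIM passed *and* align with the From: domain,
    using strict alignment (domains must be identical) for simplicity."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    res = auth_results(msg)
    spf, dkim = res.get("spf", {}), res.get("dkim", {})
    spf_aligned = spf.get("result") == "pass" and spf.get("smtp.mailfrom", "").lower() == from_domain
    dkim_aligned = dkim.get("result") == "pass" and dkim.get("header.d", "").lower() == from_domain
    return {
        "from_domain": from_domain,
        "spf": spf.get("result"), "spf_aligned": spf_aligned,
        "dkim": dkim.get("result"), "dkim_aligned": dkim_aligned,
        "dmarc_would_pass": spf_aligned or dkim_aligned,   # DMARC needs one aligned pass
    }


if __name__ == "__main__":
    print(dmarc_view(DIRECT))
    print(dmarc_view(THIRD_PARTY))
```

The second message is the case to watch: both spf and dkim show pass, yet neither is aligned with example.com, so a DMARC policy of quarantine or reject would act on it. The fix is on the DKIM side (have the provider sign with a key published under your domain) or a custom envelope domain, not another entry in your SPF record.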
Updating your SPF record regularly
It’s important to update your SPF record whenever you add a new mail server or third-party service, and to remove entries for services you stop using, so that a retired provider’s other customers can’t send as you. Regular reviews keep the record accurate and reduce the risk of email failures.
Adding email service providers to your SPF record
When you use a well-known email provider like Google Workspace or Office 365, you can simplify your SPF setup. Instead of tracking the provider’s IP addresses yourself, add the include mechanism the provider publishes; their record is then evaluated as part of yours, and it keeps working as the provider changes addresses.
Here’s how your SPF record might look:
v=spf1 include:(insert here) ~all
Replace (insert here) with one of the following:
- Google Workspace (G Suite): include:_spf.google.com
- Office 365: include:spf.protection.outlook.com
- Other Providers: Check your provider’s documentation for the right SPF mechanism.
SPF record with both IPv4 and IPv6 entries
If your own mail servers use both IPv4 and IPv6 addresses, list both in your SPF record. The ip4 mechanism covers IPv4 addresses and ip6 covers IPv6; either can be a single address or a whole range written with a /prefix length. Use public addresses only: a private address such as 192.168.0.1 never appears as the source of mail on the internet, so listing it authorizes nothing.
Example:
v=spf1 ip4:203.0.113.1 ip6:2001:db8::1 ~all
SPF record with a custom mail server and an MX record
If you run your own mail server, you can authorize it with the mx mechanism, which matches the IP addresses of the hosts listed in your domain’s MX records. Use it only if those hosts actually send outbound mail; if your outbound relay is a different machine, list its address explicitly with ip4 or ip6 instead, as the example below does.
Example:
v=spf1 mx ip4:203.0.113.1 ~all
Boost your email security today!
Setting up your SPF record is one of the most important steps to protect your domain and improve email deliverability. By getting SPF right, you can help ensure your emails reach their destination and aren’t marked as spam.
Don’t wait—take control of your email security today. Need help? Our specialists are here to guide you through the SPF setup and make sure everything runs smoothly. Get started with our email services now and let us handle the technicalities while you focus on what matters most—growing your business.