SPF Record Explained – Dizone Protection

Today, an SPF record is an essential DNS record for reliable email delivery. It is a form of email authentication that protects your email from being forged and protects your reputation from phishers and spoofers. Find out more about the Sender Policy Framework to increase the credibility of your product.

What is an SPF record?

TXT is one of the DNS resource record types. It is mostly used to state facts about the domain and provide information to external parties, and it is required for email authentication. For example, an email arrives from a server at your Internet Service Provider (ISP). The ISP can authenticate the email using a dedicated TXT record, the SPF record. This record lists the trusted servers authorized by your domain, so your ISP can identify the source an email is coming from and detect a fake one. SPF, or Sender Policy Framework, is a primary (but not the only) way to authenticate your email.

Email Authentication Standards – What Are They For?

SMTP cannot protect your app from fraud such as email spoofing, phishing and spam. It has no facility to identify the origin of an email message and validate its domain. That is what email authentication is for.

There are three widely adopted standards for authenticating email: SPF, DKIM, and DMARC. In short, each of them performs the following functions:

  • SPF checks that the IP address the email comes from is authorized.
  • DKIM checks that the message was not changed in transit, using keys for signature verification.
  • DMARC combines both approaches at once.

SPF, DKIM and DMARC differ in technical implementation, but they are all based on DNS records. You may also encounter other authentication methods like ADSP, Sender ID, iprev, etc. Some of them never gained adoption or have been deprecated.

Sender Policy Framework or SPF

The Sender Policy Framework officially came out as an experimental standard in 2006. Eight years later, SPF was approved as a proposed email authentication standard.

In plain English, SPF is a protocol according to which mail servers decide whether to accept or reject incoming email. The decision is made using the SPF information in the domain's TXT record, which lists the IP addresses authorized to send mail for that domain. If the email is sent from one of these addresses, it is not counterfeit and can be allowed in.

When You Need SPF

If your digital product sends transactional or even commercial messages, be sure to implement the Sender Policy Framework. It is currently required by Internet Service Providers. If you don’t have a valid SPF record, or it is incorrect, your ISP may subject your mail to secondary filtering. Failed SPF authentication means that your email will be detected as spam or even blocked.

SPF deters spammers and phishers by filtering out fake emails. It keeps the reputation of your product spotless. But, to complete the picture, it is better to implement full-scale email authentication (SPF + DKIM + DMARC).

Cons of SPF Email Authentication

  • Difficult to keep SPF records up-to-date if you change ISPs or add mail streams
  • SPF alone does not guarantee that your message will pass authentication
  • SPF records break plain message forwarding

Common SPF Misconceptions

SPF is an essential remedy but it is not a silver bullet against spoofing. Make sure you are aware of the following misconceptions so that you can use the framework properly.

  • Full domain protection from spoofing

SPF works with the envelope address of the email (the Return-Path). It is invisible to the user, unlike the Header From address, which belongs to the message content. Therefore, an SPF record cannot protect the visible address of the sender.

  • With SPF, you get direct protection from spam

Spam filtering systems use the framework as one of their checks, and it protects against fake messages from a specific domain. However, it doesn’t provide significant improvements in terms of fighting spam.

  • SPF authorizes the sender of the email

Actually, it is the mail server sending the message that is authorized according to the SPF record. So the framework works at the domain level.

  • One SPF record for each authorized domain

Keep in mind that you can only have one SPF record. Otherwise, you will get ‘permerror’ – an error indicating that the retrieved SPF policy record cannot be interpreted.

  • Email authentication only with DKIM is sufficient

Even if you have all messages authorized according to DKIM, you will still need an SPF record to identify the domain. In addition, cloud services and IPv6 networks require a sender policy framework. Therefore, the best way to combat spoofing and secure your email is to implement SPF, DKIM and DMARC.

How does SPF work?

In general, SPF in action consists of the following steps:

  • Creating an SPF record. It establishes an authentication policy and defines the mail servers authorized to send emails from a particular domain.
  • DNS lookup. The inbound server verifies the incoming message in DNS. The domain name is taken from the envelope-from address. Then the inbound server checks whether the IP address that sent the email is authorized in the SPF record. If any of these checks fail, SPF authentication fails.
  • Authentication result. The mail server either delivers, flags or rejects the message based on the rules specified in the SPF record.

For example, a server with the IP address ‘234.213.42.2’ sent an email from ”. During the SPF check, the inbound server queries the ‘apple.com’ domain to find out whether this IP address is authorized to send email. If yes, the message is welcome; if no, it is handled according to the qualifier specified in the SPF record.
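The check described above, written out as an added example that is not code from the original article: a minimal SPF evaluator that walks a record term by term against a constructed in-memory zone. The domains (example.com, example.net, example.org), the addresses and the function name check_spf are all assumptions of this example; it also returns permerror for a domain with two SPF records, for a malformed ip4 value and when more than 10 lookup-causing terms are evaluated.

```python
import ipaddress

# Constructed in-memory DNS zone for this example (not real records): (name, type) -> values.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:192.0.2.0/24 include:mail.example.net -all"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["198.51.100.7"],
    ("mail.example.net", "TXT"): ["v=spf1 ip4:203.0.113.10 ~all"],
    ("twice.example.org", "TXT"): ["v=spf1 a -all", "v=spf1 mx -all"],  # two SPF records
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHS = {"a", "mx", "include", "ptr", "exists"}  # each of these costs a DNS query
MAX_LOOKUPS = 10

def check_spf(domain, sender_ip, budget=None):
    """Evaluate the SPF policy of `domain` for the connecting IP; returns pass/fail/softfail/neutral/none/permerror."""
    budget = [MAX_LOOKUPS] if budget is None else budget  # lookup counter shared with includes
    recs = [t for t in ZONE.get((domain, "TXT"), []) if t.split()[0] == "v=spf1"]
    if not recs:
        return "none"
    if len(recs) > 1:
        return "permerror"  # more than one SPF record cannot be interpreted
    ip = ipaddress.ip_address(sender_ip)
    for term in recs[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.lower().partition(":")
        if name in LOOKUP_MECHS:
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # the 10 DNS-lookup limit was exceeded
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address, e.g. an octet above 255
            if matched:
                return QUALIFIERS[qual]
        elif name in ("a", "mx"):
            targets = [arg or domain] if name == "a" else ZONE.get((arg or domain, "MX"), [])
            if any(ip == ipaddress.ip_address(h) for t in targets for h in ZONE.get((t, "A"), [])):
                return QUALIFIERS[qual]
        elif name == "include":
            sub = check_spf(arg, sender_ip, budget)
            if sub in ("none", "permerror"):
                return "permerror"
            if sub == "pass":
                return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and the record has no "all" term
```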

SPF Record Syntax

First, let’s anatomize a simple SPF record example.

“v=spf1 +a +mx redirect=example.com -all”

v=spf1 is the version tag of the record; the rest are mechanisms, qualifiers, and modifiers that specify the rules for SPF checks. Here’s what you can set in your SPF record.

Follow the link to find out the Qualifiers comparison table.

What you should keep in mind

  • An SPF record string cannot exceed 255 characters. Use multiple records if necessary.
  • Some DNS providers may not require quotation marks around the record data. Check this beforehand.
  • Subdomain records must be named after the subdomain (e.g. best for best.example.com)
  • To avoid undue load on DNS, the total number of mechanisms, including modifiers, should be limited to 10.

Let us now put this knowledge into practice.

Create an SPF record for your domain

Step 1 – Preparation

  • Collect all mail servers and IP addresses that will be specified as authorized in the SPF record

Step 2 – DNS Control Panel

  • Access your ISP’s DNS Control Panel and find the TXT type of record section.

Step 3 – SPF Record

  • Start with the version tag: v=spf1; the next versions would be v=spf2, v=spf3, etc.

  • Enter all the IP addresses you’ve collected to specify as authorized:
    ip4:35.167.41.421 ip6:2a13:c025:e4:7a01:bc72:dcb5:7a13

  • Add the include tag to designate each third-party email service as a trusted sender:
    include:sendgrid.net or include:mandrillapp.com

  • Take advantage of other mechanisms, qualifiers or modifiers to establish an SPF record.

  • The all mechanism is generally used to finalize the record.
    -all – unlisted servers are not authorized (their emails will be rejected).
    ~all – unlisted servers are not authorized, but their emails will be marked and accepted.
    +all – any server is authorized (quite an undesirable option).

The most common SPF record looks like this:

"v=spf1 a mx -all"

Here, the hosts in all A and MX records of this domain are authorized to send email. Emails from any other source will be rejected.

SPF record for multiple domains

Let’s say you have a primary domain, alpha.net, with a record like v=spf1 a mx -all, and you need to create SPF records for multiple domains like beta.net and gamma.net.

The “include” mechanism allows you to designate other domains that are independent of your primary domain. For example, alpha.net can send mail using beta.net and gamma.net:

v=spf1 include:beta.net include:gamma.net -all

Additionally, you can point to your primary domain by adding include:alpha.net to your secondary domain’s SPF record:

v=spf1 include:primary-domain.com -all

This will apply the rules from the primary domain to the secondary domain.

Keep in mind that you cannot have more than one TXT record for SPF for a single domain.

Can I split a large SPF record?

What if your SPF record looks like this?

v=spf1 a mx a:mail.alpha.com a:first.alpha.net a:second.alpha.org mx:third.domain.net ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e include:sendgrid.net include:mandrill.com -all

This stays within the requirement of 255 characters per string, but is still too long. Therefore, you can split it into multiple records that are included from the main SPF record. Here’s how it could go:

  • First, create separate records. Their names should be related to the current domain as follows:

spf1.alpha.com TXT

v=spf1 a mx a:mail.alpha.com a:first.alpha.net a:second.alpha.org mx:third.domain.net -all

spf2.alpha.com TXT

v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e -all

spf3.alpha.com TXT

v=spf1 include:sendgrid.net include:mandrill.com -all

  • Now, you can change your starting SPF record like this:

alpha.com TXT

v=spf1 include:spf1.alpha.com include:spf2.alpha.com include:spf3.alpha.com -all

That’s it. After the DNS update, all these records will be checked as one.
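The splitting procedure above, as an added example that is not code from the original article: it packs the terms of the long alpha.com record into spf1.alpha.com, spf2.alpha.com, ... records that each fit a per-string limit, writes the new top-level record, and then audits the result against the two limits from the syntax section (255 characters per string, 10 DNS-querying terms). The per-string limit is a parameter so the split can be demonstrated with a smaller budget than 255; the function names are my own. Note what the audit shows: every include added by the split is one more DNS lookup, so splitting can push a record past the 10-lookup limit.

```python
MAX_STRING = 255   # characters per TXT string
MAX_LOOKUPS = 10   # DNS-querying terms allowed per check
LOOKUP_MECHS = ("a", "mx", "include", "ptr", "exists", "redirect")

# The long record from the text, used here as constructed input for the demonstration.
LONG_RECORD = ("v=spf1 a mx a:mail.alpha.com a:first.alpha.net a:second.alpha.org mx:third.domain.net "
               "ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e "
               "include:sendgrid.net include:mandrill.com -all")

def lookup_count(record):
    """Count the terms in one record that each cost a DNS query."""
    names = (t.lstrip("+-~?").lower().split(":")[0].split("=")[0] for t in record.split()[1:])
    return sum(n in LOOKUP_MECHS for n in names)

def split_spf(domain, record, limit=MAX_STRING):
    """Pack the record's terms into spf1.<domain>, spf2.<domain>, ... records that each fit
    within `limit` characters, and return {name: record} plus the new top-level record."""
    terms = record.split()
    if terms[0] != "v=spf1" or not terms[-1].endswith("all"):
        raise ValueError("expected a v=spf1 record ending in an 'all' term")
    tail, chunks, cur = terms[-1], [], []
    for term in terms[1:-1]:
        if cur and len(" ".join(["v=spf1", *cur, term, tail])) > limit:
            chunks.append(cur)       # close the current chunk before it overflows
            cur = []
        cur.append(term)
    chunks.append(cur)
    zone = {f"spf{i}.{domain}": " ".join(["v=spf1", *c, tail]) for i, c in enumerate(chunks, 1)}
    # An include only cares whether the sub-record yields "pass", so the "-all" tail is kept as is.
    zone[domain] = " ".join(["v=spf1", *[f"include:{n}" for n in zone], tail])
    return zone

def audit(zone, limit=MAX_STRING):
    """Check every resulting string against the length limit and add up the lookups the split
    now consumes: every include: in the top record is one more DNS query."""
    too_long = [name for name, rec in zone.items() if len(rec) > limit]
    lookups = sum(lookup_count(rec) for rec in zone.values())
    return {"too_long": too_long, "lookups": lookups, "within_limit": lookups <= MAX_LOOKUPS}
```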

Verify Your SPF Record

The last thing we recommend you do is verify your SPF record. Fortunately, there are a bunch of actionable tools like SPF Record Check or SPF Syntax Validator. These will flag problems in your records and prevent annoyances in the future.

How to create SPF record using My DNS Provider?

You can create and manage your SPF records using your DNS provider’s respective console or control panel. Some services provide detailed instructions or guides on how to create a TXT record. Below, you’ll find links to guides from some of the top-rated providers.

  • Amazon Route 53
  • Azure DNS
  • Cloudflare DNS
  • GoDaddy Premium DNS
  • Google Cloud DNS

Plus, we’ve gathered a list of SPF specifications for popular email providers so that you can copy and paste them into your TXT record.

SPF troubleshooting: the SPF record is not valid

Here is a short list of common problems (and their basic solutions) that one may encounter when trying to validate an SPF record.

  • DNS lookups exceeded. Keep in mind that only 10 DNS queries are allowed. The most common cause is heavy nesting of “include” in the record. There are a few solutions to this problem, the most popular being to create a dedicated subdomain for each email stream. First, you can create a brand-new SPF record for the subdomain. Second, when a validator performs an SPF check, it only sees the domain extracted from the RFC 5321 Mail From, which means it looks directly at the subdomain’s DNS record, not the parent domain’s. If you need more ways of troubleshooting the 10 DNS lookup limit, check out the detailed DMARCian guide.
  • Type 99 (SPF-type record) exclusions. This means that your SPF record is out of date. In 2014, the experimental phase of the dedicated SPF DNS RR type ended. Now the SPF record should be published as a DNS TXT record (type 16) only. To resolve “Type 99” issues, make sure you are using a DNS record of type TXT for SPF authentication.
  • Multiple SPF records. If you’re using a large email provider like Microsoft Exchange or Gmail, the issue with duplicate SPF records should be fixed automatically. Smaller email providers usually don’t offer such intelligent features, so chances are you’ll have to handle it on your own. The best solution is to merge both DNS TXT entries into one consolidated record. Find out more about how to tackle this problem in our SPF dos and don’ts.

Once you’ve set your SPF record, you can move on to the DKIM and DMARC protocols to set your email security and marketing campaigns apart from the rest.
