
What Is an SPF Record? How It Works & How to Set It Up

By Aquibur Rahman

9 mins read

When you unlock your phone, the PIN or fingerprint authenticates your identity and communicates that you are the rightful device owner.

Similarly, when you send an email, the receiving email server checks whether the email really comes from the claimed sender's server.

But how does it authenticate the identity of the sender? This verification process is where the Sender Policy Framework (SPF) steps in. It helps filter out senders who try to spam, spoof, or phish email users. Beyond security, SPF also plays a pivotal role in authenticating emails, which not only optimizes delivery rates but also improves open and click-through rates.

So let's look into how the Sender Policy Framework (SPF) can help achieve that, its benefits and limitations.

What is an SPF record?

SPF, or Sender Policy Framework, is an email authentication method designed to specify which email servers are authorized to send emails on behalf of your domain. It helps detect and prevent email spoofing and phishing attempts by verifying that incoming emails from your domain originate from legitimate sender servers. Email servers that receive messages from your domain use SPF records to confirm the authenticity of the sender's identity and prevent emails from compromised or unauthorized sources.

Discover how you can leverage Mailmodo’s SPF record checker tool to ensure your emails are authenticated and secure.


Spammers started sending emails from relay servers, which caused the spam filters to detect whitelisted IPs and accept the emails.

To counter this, the anti-spam bodies conceptualized the SPF check.

How does SPF work

SPF operates through a multi-step process to authenticate the origin of emails sent on behalf of a domain. Here’s how SPF works to secure your domain.

1. SPF record publication

Domain administrators publish an SPF record in their Domain Name System (DNS) records. This record specifies authorized email servers allowed to send emails on behalf of that domain.

This is what an SPF record would look like:


myntra.com IN TXT "v=spf1 include:_spf.google.com include:_spf1.myntra.com include:_spf-sfdc.successfactors.com include:amazonses.com include:spf.falconide.com include:mail.zendesk.com ip4:199.255.192.22 ip4:15.224.192.102/32 ip4:219.65.87.215 -all"

  

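You can authorize additional sending sources with the 'include:' mechanism, which pulls in another domain's SPF record; individual IP addresses and ranges are listed with 'ip4:' or 'ip6:'.

Note that evaluating an SPF record may involve at most 10 DNS lookups; each include, a, mx, or similar term that requires a DNS query counts toward this limit.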

2. Receiving server verification

When an email is sent, the receiving email server checks the SPF record of the sender's domain. It retrieves the SPF record by querying DNS for the sender's domain (the domain in the envelope "from" address, i.e. the SMTP MAIL FROM or Return-Path, rather than the "From" header displayed to the recipient).

3. SPF record evaluation

The receiving server evaluates the IP address of the sending email server against the list of IP addresses authorized by the SPF record. If the sending server's IP address matches one of the authorized IP addresses or ranges, the email passes the SPF check.

The receiving email server evaluates the SPF record mechanisms, which can include:

  1. ip4 or ip6: Specifies authorized IP addresses for sending emails.

  2. a or mx: Permits the domain's A record (host address) or MX record (mail exchange server) to send emails.

  3. include: Includes another domain's SPF record for authorization.

  4. ~all: Soft fail - Permitted sender, but treated with suspicion by some servers.

  5. -all: Hard fail - Sender not authorized.

4. Authentication outcome

The SPF check will result in a pass or fail. If the sending server's IP address is listed in the SPF record of the sender's domain, the SPF check passes, indicating the email is likely legitimate. However, if the SPF check fails, i.e., the IP address is not authorized, the email may be marked as suspicious or rejected by the receiving server.

5. Email delivery decision

Upon passing the SPF check, the receiving server proceeds with normal email delivery procedures. Conversely, if the SPF check fails, the receiving server may divert the email to the recipient's spam or junk folder or outright reject the email to mitigate potential security risks.

It is important to note that SPF complements other email authentication methods like DKIM and DMARC to enhance email security and prevent phishing attacks.

SPF record syntax

Check out the table that explains the syntax of valid SPF records:

| Mechanism | Description | Example |
| --- | --- | --- |
| v | Version of SPF used, always v=spf1 | v=spf1 |
| ip4 | Specifies an IPv4 address or range allowed to send mail for the domain | ip4:192.0.2.0/24 |
| ip6 | Specifies an IPv6 address or range allowed to send mail for the domain | ip6:2001:db8::/32 |
| a | Permits the domain’s A or AAAA record to send mail | a |
| mx | Permits the domain’s MX record to send mail | mx |
| ptr | Permits the domain whose name is the PTR record to send mail (discouraged due to performance) | ptr |
| include | Includes the SPF record of another domain | include:example.com |
| all | Matches any address, usually used at the end of the record | all |

Qualifiers

Qualifiers in SPF records indicate how a receiving email server should interpret the results of SPF mechanisms. They provide guidance on whether to pass, fail, treat with suspicion, or consider neutral any SPF checks performed. These qualifiers include:

| Qualifier | Description | Example |
| --- | --- | --- |
| + | Pass, the mechanism matches | +ip4:192.0.2.0/24 (implicit) |
| - | Fail, the mechanism matches (hard fail) | -all |
| ~ | Soft fail, the mechanism matches (usually treated as suspicious) | ~all |
| ? | Neutral, no policy or the mechanism matches (treated as non-authoritative) | ?all |

How to add SPF record

1. Get required information

Before you begin, ensure you have the necessary information, including:

  • The domain you are adding the SPF record to.

  • Your domain provider’s documentation or support information on adding DNS TXT records.

2. Sign in to the domain provider

Log in to your domain provider's management console and access the console where you manage your domain's DNS records.

3. Locate the DNS management page

Navigate to DNS settings and find the page where you can update DNS TXT records. This might be labelled as "DNS Management," "DNS Configuration," or something similar.

4. Add the SPF record

Add a New TXT Record:

  • Type: Select or enter TXT as the record type.
  • Host: Enter @ for the root domain or the subdomain if applicable.
  • Value: Enter the appropriate SPF record value. For Google Workspace, it is:
    v=spf1 include:_spf.google.com ~all
    If you have other email senders, you may need to modify this value accordingly.
  • TTL: Set this to 1 hour or 3600 seconds. If your domain provider does not allow you to change the TTL, use the default value.

5. Save the changes

Confirm and save the new SPF record. The changes may take up to 48 hours to propagate and start working.

6. Verify the record

Use an SPF record lookup tool to ensure the record has been added correctly.
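The kind of checks such a lookup tool performs on a freshly published record, as an added example that is not from the original article or from any particular tool. It goes beyond the article by flagging duplicate records, +all, and terms placed after all; lint_spf and SAMPLE_TXT are hypothetical names, and the lookup count covers only top-level terms, so nested includes add to it.

```python
# Terms that make the receiver issue a DNS query (they count toward the limit of 10).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed sample: TXT strings as a lookup tool would return them for one name.
SAMPLE_TXT = [
    "google-site-verification=constructed-value",
    "v=spf1 include:_spf.google.com ~all",
]

def lint_spf(txt_records):
    """Return a list of findings for the TXT records published at one name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record found"]
    if len(spf) > 1:
        return ["multiple v=spf1 records published"]
    terms = spf[0].lower().split()[1:]
    findings, lookups = [], 0
    for pos, term in enumerate(terms):
        bare = term.lstrip("+-~?")  # drop the qualifier, if any
        name = bare.replace("=", ":").replace("/", ":").split(":")[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr is discouraged")
        if bare == "all":
            if term in ("all", "+all"):
                findings.append("+all authorizes every sender")
            if pos != len(terms) - 1:
                findings.append("terms after 'all' are ignored")
    has_all = any(t.lstrip("+-~?") == "all" for t in terms)
    has_redirect = any(t.startswith("redirect=") for t in terms)
    if not (has_all or has_redirect):
        findings.append("no terminal 'all' mechanism")
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    return findings
```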

SPF, DKIM, and DMARC are the best practices to authenticate your mail server and enhance email security. These spam protection methods are becoming more popular and might become a compulsory measure against junk emails someday. Not only that, but verifying your account with these methods will make you a legitimate sender in the eyes of the receiving server.

DKIM

DKIM ensures messages are not modified while travelling between the sending and recipient servers. SPF validates the sending server's legitimacy based on IP addresses, while DKIM verifies the integrity and authenticity of each individual message. Together, they offer robust protection against email spoofing and ensure that messages are trustworthy and unaltered.

DMARC

DMARC builds upon SPF and DKIM by providing a policy framework for email authentication and enforcement. It enables domain owners to set policies specifying how receiving mail servers should handle emails that fail SPF or DKIM checks. DMARC also includes reporting mechanisms that offer insights into email authentication results, helping domain owners monitor and protect their email domains from abuse.

How SPF helps expand your reach

Spammers will try to send unwanted emails whenever they can take control of your domain. This will harm your credibility and damage your deliverability. If you have not authenticated your domain yet, you should make it a priority. This is how SPF helps ensure that your deliverability is high:

  1. Informs recipients of third-party

An SPF record ensures that the end user is notified if spammers use a relay.

  2. Easy entry to inboxes

When email receivers establish trust in your brand due to the use of SPF, your future emails will find a secure entry in their inboxes.

  3. Mandatory for some recipients

Some email recipients strictly require the emails to have an SPF record. If it’s not present, the email automatically gets marked as spam. This might result in email bouncing.

  4. Increases sender score

Sender Score is a score assigned to every outgoing mail server based on conventional email metrics such as unsubscribes and spam files. SPF helps increase your sender score and, in turn, helps email deliverability.

SPF does look like a one-stop solution for preventing email spoofing, spamming, and phishing, but you do want to look at some of its limitations.

Limitations of SPF

There are a few constraints of the SPF system. They are as follows:

  1. Doesn't work on forwarded emails

Forwarded emails usually fail the sender policy framework test as they do not contain the original sender's information and appear to be spam messages.

  2. Not regularly updated

Many domain administrators might not be able to update their SPF records regularly.

  3. Have to update despite server change

When you use third parties as email providers, you must update your domain's SPF record whenever the service provider changes its servers, which is extra work.

SPF for AMP email approval from email clients

If you want to reap the benefits of sending out interactive AMP emails, you will have to get whitelisted with Yahoo Mail, Gmail, and Mail.ru, which support AMP emails. For a whitelisting of your sender address, these email clients need SPF before approving your email address.

Conclusion

SPF protects the envelope sender and stops spammers from abusing mail systems to trick innocent users. Unfortunately, 1 in 6 emails gets sent to spam or is blocked from your subscribers' inboxes altogether, leading to only 83% conversion.

Mailmodo will help you with 17%. Our email experts will help you get your security certifications done and improve your deliverability to yield the best results.

FAQs

SPF, DKIM, and DMARC each serve different purposes in email authentication. While DKIM verifies the integrity of the message content in email headers and DMARC provides policy enforcement, SPF specifically checks if the sending mail server is authorized by the domain's administrators. Implementing all three strengthens your primary domain's security posture against spoofing and phishing attacks.

While SPF is effective against sender address spoofing (where the "From" address is forged), it does not protect against other forms of phishing or social engineering attacks. It's essential to complement SPF authentication with other security measures like DMARC and user education to mitigate the risks of email fraud comprehensively.

Yes, if you change your email service provider or modify your email infrastructure (e.g., switch to a different outgoing mail server), you must update your SPF record accordingly. Failure to update can result in email delivery failures or being marked as spam by recipients' servers.

Changes to DNS records, including SPF records, can take up to 48 hours to propagate globally. This means it may take up to two days for your SPF record to be fully recognized by all email receivers.

Maintaining a good sender reputation involves several practices beyond just SPF policy. These include avoiding spammy content, using permission-based email marketing, and keeping your unsubscribe rates low. A good sender reputation improves email deliverability and increases the chances of your emails landing in inboxes.
