Disposable or temporary Gmail and Outlook addresses may appear legitimate, but they should be removed from your mailing lists because they lead to fake registrations and false engagement.
What is SPF?
Sender Policy Framework (SPF) is an email authentication system designed to prevent email spoofing, which works by allowing domain owners to specify which mail servers are authorized to send emails on behalf of their domain. Without SPF, anyone could potentially send emails claiming to be from your domain: SPF helps email servers verify whether an email is coming from a legitimate source, improving deliverability and preventing abuse.
Why SPF Matters
SPF reduces the risk of your emails being marked as spam or rejected by recipient mail servers. Without proper email authentication, recipients might not trust your messages, causing them to land in spam folders. Cleaning your email lists and setting up SPF are both necessary steps to improve the chances of your emails being delivered successfully.
How SPF Works
An SPF record is added as a TXT record in your domain's DNS settings: it lists which IP addresses or hostnames are allowed to send emails using your domain. When an email is sent, the recipient’s email server checks the SPF record to verify that the email is from an authorized source and, if the email comes from an unauthorized server, it may be rejected or marked as spam.
Key Elements of an SPF Record
The basic structure of an SPF record looks like this:
v=spf1 [mechanisms] [modifiers] [all]
- v=spf1: Indicates that it’s an SPF version 1 record; every SPF record must begin with this string.
- [mechanisms]: Specify who is allowed to send emails for the domain (e.g., ip4, ip6, include) - see below.
- [modifiers]: Optional settings that control the behavior of the SPF record - see below.
- [all]: Defines how to handle emails from unauthorized sources - see below.
Mechanisms in SPF Records
- ip4:<ip or range>: Authorizes an IPv4 address or range. Example: ip4:1.2.3.4 or ip4:1.2.3.0/24.
- ip6:<ip or range>: Authorizes an IPv6 address or range. Example: ip6:2001:123::1.
- a: Authorizes the A record of the domain.
- mx: Authorizes mail servers listed in the domain’s MX records.
- include:<domain>: Authorizes another domain’s SPF record to be included. Example: include:europeangoldfinch.net.
- exists:<domain query>: Performs a DNS query to check if the specified domain exists; the domain query is expanded using placeholders defined in the SPF specification (advanced topic).
- ptr: Matches the reverse DNS records (discouraged due to performance issues).
Modifiers in SPF Records
- redirect=<domain>: Redirects SPF verification to another domain’s record.
- exp=<domain query>: Specifies an explanation in case of SPF failure through a DNS TXT record (advanced topic).
The "all" Mechanism
- -all (Fail): Rejects all emails from unauthorized sources.
- ~all (Soft Fail): Accepts but flags emails from unauthorized sources as suspicious.
- ?all (Neutral): No policy on unauthorized emails; they may pass or fail.
- +all (Pass): Accepts emails from any server (rarely used as it defeats the purpose of SPF).
SPF Record Examples
Here are some sample SPF records for common configurations:
Example 1: Simple IP Authorization
This SPF record authorizes a specific IPv4 address and blocks all other servers:
v=spf1 ip4:1.2.3.4 -all
Example 2: Multiple IPs and a Third-Party Service
This SPF record allows emails from a specific IPv4 range and includes Google’s SPF record for emails sent via Google Workspace:
v=spf1 ip4:1.2.3.0/24 include:_spf.google.com -all
Example 3: Using MX and A Records
In this record, any mail server listed in the domain’s MX records is authorized, along with the A record of the domain’s website:
v=spf1 mx a -all
Example 4: Soft Fail for Testing
This SPF record allows emails from an IPv6 address but uses ~all to soft fail emails from other sources, marking them as suspicious but not rejecting them outright:
v=spf1 ip6:2001:123::1 ~all
Example 5: Redirect to Another SPF Record
This record redirects SPF verification to another domain’s SPF record:
v=spf1 redirect=europeangoldfinch.net
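To see how a receiving server turns these records into a result, the following added example (not code from the original article) evaluates the records from Examples 1 and 4 against constructed sender IPs. It assumes a simplified evaluator, here called check_spf, that handles only the ip4, ip6 and all mechanisms and does no DNS resolution.

```python
import ipaddress

# Qualifier prefix -> SPF result; a mechanism with no prefix is treated as "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Evaluate the ip4, ip6 and all mechanisms of one record for one sender IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF version 1 record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            # a, mx, include, exists, ptr and redirect need DNS; out of scope here.
            raise NotImplementedError(f"needs DNS: {term}")
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"             # malformed address or range
        if network.version != int(name[2]):
            return "permerror"             # e.g. an IPv6 literal under ip4:
        # Mechanisms are tried left to right and the first match decides.
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term

# Records from Examples 1 and 4 above; the sender IPs are constructed.
SAMPLES = [
    ("v=spf1 ip4:1.2.3.4 -all", "1.2.3.4"),
    ("v=spf1 ip4:1.2.3.4 -all", "1.2.3.5"),
    ("v=spf1 ip6:2001:123::1 ~all", "2001:123::1"),
    ("v=spf1 ip6:2001:123::1 ~all", "1.2.3.4"),
]

if __name__ == "__main__":
    for record, sender in SAMPLES:
        print(f"{sender:<12} {record:<30} -> {check_spf(record, sender)}")
```

A record with no matching mechanism and no all term evaluates to neutral, which is why ending every record with -all or ~all matters.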
How to Set Up SPF for Your Domain
1. Identify Your Email Sources
Make a list of all the servers, services, and third-party platforms that send emails using your domain. This might include:
- Your primary email server.
- Marketing platforms (e.g., Mailchimp, SendGrid).
- External services (e.g., Google Workspace, Microsoft 365).
2. Access Your DNS Settings
Log into your domain registrar or hosting provider and navigate to your domain's DNS management area.
3. Add a New SPF Record
Create a new TXT record with the following details:
- Name: Enter @ (or leave it blank for the root domain).
- Type: Select TXT.
- Value: Enter your SPF record, for instance:
v=spf1 ip4:1.2.3.0/24 include:_spf.google.com -all
4. Save the Record
Save your changes. DNS updates may take up to 48 hours to propagate, though most will be updated within a few hours.
Common SPF Mistakes to Avoid
- Exceeding DNS Lookup Limit: SPF allows a maximum of 10 DNS lookups. If your SPF record includes too many external services, it could fail. Use include carefully.
- Not Updating SPF: If you add or remove services that send email on behalf of your domain, remember to update your SPF record to reflect those changes.
- Incorrect IPs or Syntax: Ensure all IP addresses, domain names, and record syntax are accurate to avoid failed SPF checks.
When in doubt, refer to the SPF technical specification (RFC 7208).
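The lookup limit is easy to exceed without noticing, because every include brings its own nested lookups. This added example (not from the original article) counts the DNS-querying terms reachable from a record; the ZONE dictionary stands in for DNS, and every domain name and record in it is constructed for illustration.

```python
# Constructed TXT records standing in for DNS; all names here are hypothetical.
ZONE = {
    "example.test": "v=spf1 mx a include:_spf.mailer.test include:_spf.crm.test -all",
    "_spf.mailer.test": "v=spf1 include:a.mailer.test include:b.mailer.test ~all",
    "a.mailer.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.mailer.test": "v=spf1 ip4:198.51.100.0/24 a mx ~all",
    "_spf.crm.test": "v=spf1 exists:%{i}.allow.crm.test include:more.crm.test ~all",
    "more.crm.test": "v=spf1 a:out1.crm.test a:out2.crm.test mx ~all",
}
LOOKUP_LIMIT = 10
# Terms that cost one DNS query each (RFC 7208); ip4, ip6 and all cost none.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}

def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case count of DNS-querying terms reachable from a domain's record."""
    if domain in path:
        raise ValueError(f"include/redirect loop at {domain}")
    record = zone.get(domain)
    if record is None:
        raise KeyError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:            # skip the v=spf1 tag
        term = term.lstrip("+-~?")             # the qualifier does not affect cost
        if term.lower().startswith("redirect="):
            name, target = "redirect", term.split("=", 1)[1]
        else:
            name, _, target = term.partition(":")
        name = name.lower().split("/")[0]      # "a/24" still counts as "a"
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            # The referenced record's own lookups count against the same budget.
            total += count_lookups(target, zone, path + (domain,))
    return total

def exceeds_limit(domain, zone=ZONE):
    return count_lookups(domain, zone) > LOOKUP_LIMIT

if __name__ == "__main__":
    for name in ZONE:
        n = count_lookups(name)
        print(f"{name:<18} {n:>2} lookups{'  OVER LIMIT' if n > LOOKUP_LIMIT else ''}")
```

The top-level record names only four lookup terms, yet the nested includes bring the total over the limit, so audit the whole include tree whenever a sending service is added.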
SPF and Email Deliverability
SPF is a critical factor in ensuring your emails are delivered. Combined with DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance), SPF helps establish email authenticity. Additionally, keeping your email list clean by removing invalid addresses further improves deliverability.