What is an SPF record?

The SPF (Sender Policy Framework) record identifies which mail servers are permitted to send e-mail on behalf of your domain. It plays a key role in preventing spammers from spoofing your domain. To enable SPF, you need to add an SPF record for your domain name. It is a DNS record of the TXT type, and it holds the information that lets receiving servers verify which e-mail servers are truly authorized to send messages on behalf of your domain name.

Once the SPF record provides that information, the sending e-mail server can be checked and is either validated or not.

Using the SPF record, specifically its qualifiers and mechanisms, you can specify verification rules as strict as you decide.

The SPF record has the following look in your ClouDNS Control Panel:

Hostname        Type    Points to                                TTL
hostname.com    SPF     v=spf1 include:_spf.google.com ~all*     1 Hour

* The example is for customers who use Gmail as their mail service.

Note that the SPF record type is deprecated. It is recommended to create only a TXT record, or to duplicate the SPF record with a TXT record.

Why do you need an SPF record?

With an SPF record you protect your domain's reputation with other e-mail services and receiving e-mail servers. In simple words, you prove which senders are truly authorized to send e-mail from your domain.

How to create an SPF record?

Go to your Control Panel and click on Add new record. Enter the details as follows:

Type: SPF
TTL: 1 Hour
Host: hostname.com
Points to: v=spf1 include:_spf.google.com ~all

SPF mechanisms

You can use these mechanisms to define which IP addresses are allowed to send mail from the domain:

  • a
  • mx
  • ip4
  • ip6
  • exists

A mail server compares the IP address of the sender with the IP addresses defined in the mechanisms. If the IP address matches one of the mechanisms in the SPF record, the server follows that mechanism's result handling rule. The default handling rule is + (pass).

Using the include mechanism will allow you to authorize hosts outside of your administration by specifying their SPF records.

If you use all as a mechanism this will match any address. Usually, this mechanism is used at the last position and defines how to handle any sender IP that did not match the previous mechanisms.

All of the mechanisms may specify a qualifier for how to handle a match:

  • + for pass
  • - for fail
  • ~ for soft fail
  • ? for neutral

How to check my SPF record?

You can manually check the Sender Policy Framework (SPF) record for a domain by using one of the following commands:

Type dig TXT, a space, and then the domain/host name, for example:

$ dig TXT cloudns.net

You can check the record using nslookup as well. Type nslookup -type=txt, a space, and then the domain/host name, for example:

$ nslookup -type=txt cloudns.net

You can also check if you have configured your SPF record correctly by using an online SPF record validator.

SPF record limitations

You may have at most one SPF record, defined as a TXT record or as an SPF record type, for each fully-qualified name.

There are limits on the number of items and lookups permitted in an SPF record:

  • The ptr mechanism is also included in the overall limit and must not result in querying more than 10 address records.
  • When evaluating the mx mechanism, the number of MX records queried is included in the overall limit of DNS lookups. This means that each mx mechanism must not result in querying more than 10 address records.
  • The mechanisms that count toward this limit are include, a, mx, ptr, and exists, and you cannot have more than 10 mechanisms that require DNS lookups.
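
The following Python sketch is an added example, not ClouDNS code: it parses an SPF string into the qualifiers and mechanisms described above and checks the single-record and 10-lookup rules offline. The function names and sample records are constructed for illustration; modifiers such as redirect= and lookups made inside included records are not counted.

```python
# Added example: offline SPF lint (no DNS queries). Names and samples are constructed.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup
MAX_LOOKUPS = 10


def is_spf(txt):
    """True if a TXT string is an SPF record (first term is exactly v=spf1)."""
    return txt.lower().split()[:1] == ["v=spf1"]


def parse_spf(record):
    """Split one SPF string into (result, mechanism, value) tuples."""
    if not is_spf(record):
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in record.split()[1:]:
        # The qualifier is optional; without one the default is + (pass).
        qualifier, rest = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, sep, value = rest.partition(":")
        if not sep:  # forms such as "a/24" carry only a prefix length
            name, sep, value = rest.partition("/")
            value = sep + value
        if name.lower() in MECHANISMS:  # modifiers (redirect=, exp=) are skipped
            parsed.append((QUALIFIERS[qualifier], name.lower(), value))
    return parsed


def lint_spf(txt_records):
    """Return findings for all TXT strings published at one name."""
    spf = [r for r in txt_records if is_spf(r)]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = parse_spf(spf[0])
    names = [name for _, name, _ in terms]
    findings = []
    lookups = sum(name in LOOKUP_MECHANISMS for name in names)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of {MAX_LOOKUPS}")
    if "all" in names and names[-1] != "all":
        findings.append("mechanisms after 'all' are never evaluated")
    if ("pass", "all", "") in terms:
        findings.append("+all passes every sender")
    return findings


# Constructed samples: the page's Gmail record, then a name with two SPF records.
print(lint_spf(["v=spf1 include:_spf.google.com ~all"]))
print(lint_spf(["v=spf1 mx -all", "v=spf1 a -all"]))
```

To lint a live domain, pass the TXT strings returned by the dig or nslookup commands above to lint_spf as a list.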

How to start managing SPF records for your domain name?

  1. Open a free trial account (free forever)
  2. Verify your e-mail address
  3. Log into your control panel
  4. Create a new Master DNS from the [add new] button
  5. Add the SPF record(s) you need as described in this article

Support of SPF records

ClouDNS provides full support for SPF records for all our DNS services. Just write to our technical support if you need any assistance with your SPF record configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.

FAQ

Question: Based on the latest criteria, the SPF record is deprecated. How could I publish my SPF then?

Answer: Good question. Yes, that's right, the SPF record is deprecated. For that reason, you need to publish your SPF by adding a TXT record with the same SPF values.

Question: I have a couple of SPF records in my zone, but all SPF checks fail. What is wrong?

Answer: SPF standards don't allow having multiple SPF records in your DNS zone. Only a single SPF record must reside in your DNS zone.


Last modified: 2022-04-06