What is an SPF Record? Secure Your Email Sender Identity

The SPF (Sender Policy Framework) record identifies which mail servers are permitted to send e-mail on behalf of your domain. It plays a key role in preventing spammers from spoofing your domain. To enable SPF, you need to add an SPF record for your domain name. It is a DNS record of the TXT type, and it holds the information needed to verify which e-mail servers are truly authorized to send messages on behalf of your domain name.

Once the SPF record provides that information, the sending e-mail server can be verified as authorized, or not.

Using the SPF record, specifically its qualifiers and mechanisms, you can specify verification rules that are as strict as you decide.

The SPF record has the following look in your ClouDNS Control Panel:

Hostname     | Type | Points to                            | TTL
hostname.com | SPF  | v=spf1 include:_spf.google.com ~all* | 1 Hour

* The example applies to customers who use Gmail as their mail service.

Note that the SPF record type is deprecated. It is recommended to create only a TXT record, or to duplicate the SPF record with a TXT record.

Why do you need an SPF record?

With an SPF record, you protect your domain's reputation with other email services and receiving email servers. In simple words, you prove which senders are truly authorized to send email from your domain. Some email recipients have a strict requirement for SPF, and if you don't have such a DNS record, your email message will be marked as spam, or even worse, the email will bounce. A correctly set up SPF record improves your email deliverability and protects your domain from misuse by unauthorized senders.

How to create an SPF record?

Go to your Control Panel and click on Add new record. Enter the details as follows:

Type: SPF
TTL: 1 Hour
Host: hostname.com
Points to: v=spf1 include:_spf.google.com ~all

You can also easily create it by using our Free SPF generator!

SPF mechanisms

You can use these mechanisms to define which IP addresses are allowed to send mail from the domain:

  • a
  • mx
  • ip4
  • ip6
  • exists

A mail server compares the IP address of the sender with the IP addresses defined in the mechanisms. If the IP address matches one of the mechanisms in the SPF record, the server follows that mechanism's result handling rule. The default handling rule is + (pass).

Using the include mechanism will allow you to authorize hosts outside of your administration by specifying their SPF records.

If you use all as a mechanism this will match any address. Usually, this mechanism is used at the last position and defines how to handle any sender IP that did not match the previous mechanisms.

All of the mechanisms may specify a qualifier for how to handle a match:

  • + for pass
  • - for fail
  • ~ for soft fail
  • ? for neutral
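
The matching and qualifier rules above, as an added example (not ClouDNS code). It evaluates only the mechanisms that need no DNS query (ip4, ip6 and all) and refuses the rest; the function names and the sample record, which uses documentation address ranges, are constructed for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def split_term(term):
    """Split one SPF term into (qualifier, mechanism name, argument)."""
    qualifier = "+"                       # default handling rule: + (pass)
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")    # only the first ":" separates the argument
    return qualifier, name.lower(), arg

def check_sender(record, sender_ip):
    """Evaluate terms left to right; the first matching mechanism decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, name, arg = split_term(term)
        if name == "all":                 # matches any address
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            # a, mx, exists and include require DNS queries
            raise ValueError(f"{name!r} needs DNS; not handled in this offline example")
        network = ipaddress.ip_network(arg, strict=False)
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"                      # nothing matched and no "all" term

# Constructed record: two allowed ranges, one explicitly refused host, soft fail for the rest
SAMPLE = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -ip4:198.51.100.7 ~all"

if __name__ == "__main__":
    for addr in ("192.0.2.55", "2001:db8::1", "198.51.100.7", "203.0.113.9"):
        print(addr, check_sender(SAMPLE, addr))
```
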

How to check my SPF record?

You can manually check the Sender Policy Framework (SPF) record for a domain by using one of the following commands:

If you are a Linux/macOS user, you can open the Terminal and check your SPF record via DIG. Here is an example:

$ dig TXT cloudns.net

The general form is dig TXT, a space, and then the domain/host name.

If you are using Windows you can open the Command Prompt and check the record using Nslookup. A sample is shown below:

C:\> nslookup -type=txt cloudns.net

The general form is nslookup -type=txt, a space, and then the domain/host name.

You can also check if you have configured your SPF record correctly by using the ClouDNS Free DNS tool.

SPF record limitations

You may have at most one SPF record, defined as a TXT record or as an SPF record type, for each fully-qualified name.

There are also limits on the number of items and lookups permitted in an SPF record:

  • The ptr mechanism is also included in the overall limit and must not result in querying more than 10 address records.
  • When evaluating the mx mechanism, the number of MX records queried is included in the overall limit of DNS lookups. This means that each mx mechanism must not result in querying more than 10 address records.
  • The mechanisms that count toward the DNS lookup limit are include, a, mx, ptr, and exists, and you cannot have more than 10 mechanisms that require DNS lookups.
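
A pre-publication check for the limits above, as an added example (not a ClouDNS tool). It takes the TXT strings of one name, already unquoted, and reports more than one SPF record or more than 10 lookup terms; the function names and sample values are constructed, and counting the redirect modifier follows RFC 7208 rather than the list on this page.

```python
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10

def spf_records(txt_values):
    """Keep only the TXT strings that are SPF records."""
    return [v for v in txt_values
            if v.lower() == "v=spf1" or v.lower().startswith("v=spf1 ")]

def lookup_terms(record):
    """Return the terms of one record that cost a DNS lookup.

    Only this record's own terms are counted; records pulled in through
    include add their own lookups when a receiver evaluates them.
    """
    found = []
    for term in record.split()[1:]:
        bare = term.lstrip("+-~?")
        # The name ends at ":" (argument), "/" (CIDR length) or "=" (modifier)
        name = re.split(r"[:/=]", bare, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS or (name == "redirect" and "=" in bare):
            found.append(term)
    return found

def lint(txt_values):
    """Return a list of problems; an empty list means both limits are met."""
    problems = []
    records = spf_records(txt_values)
    if not records:
        problems.append("no SPF record published")
    if len(records) > 1:
        problems.append(f"{len(records)} SPF records found; only one is allowed")
    for record in records:
        count = len(lookup_terms(record))
        if count > MAX_LOOKUPS:
            problems.append(f"{count} lookup terms exceed the limit of {MAX_LOOKUPS}")
    return problems

if __name__ == "__main__":
    # Constructed TXT set: a second SPF record has been added by mistake
    txt = ["v=spf1 include:_spf.google.com ~all", "v=spf1 mx -all"]
    print(lint(txt))
```
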

How to start managing SPF records for your domain name?

  1. Open a free trial account (free forever)
  2. Verify your e-mail address
  3. Log into your control panel
  4. Create a new Master DNS zone from the [add new] button
  5. Add the SPF record(s) you need as described in this article

Support of SPF records

ClouDNS provides full support for SPF records for all our DNS services. Just write to our technical support if you need any assistance with your SPF record configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.

Benefits of using SPF record

In case you are still wondering if you should set an SPF record for your domain, we are going to explain the main benefits of having it. They are the following:

  • Improved Email Deliverability Rate: An SPF record with proper configuration boosts your domain's reputation and trustworthiness and improves your email deliverability.
  • Prevents Spoofing Attacks: It helps prevent email spoofing and fights domain impersonation by checking the IP address of the sender against the servers the domain owner has authorized.
  • DMARC Compliance: The SPF record is essential for DMARC compliance. DMARC is an email validation method that serves to guarantee that emails are sent only by authorized users. It dictates how the receiving server should handle a message that fails authentication. Depending on the DMARC policy instructions, those emails are marked as spam, rejected, or delivered as usual.

Adding such a record helps you stay safe from different malicious attempts, and it is highly recommended.

Best practices for SPF record

Follow these best practices to ensure your SPF record effectively prevents email spoofing and improves email deliverability.

  • Trusted IPs and Domains: Include only trusted domains that send mail on your behalf and list all authorized IP addresses.
  • Use Mechanisms Appropriately: Limit the use of "all", "a", "mx", "ip4", and "ip6" mechanisms to only those necessary. Avoid using overly broad mechanisms.
  • Limit the Number of DNS Lookups: Keep the number of DNS lookups under 10 to avoid potential SPF validation failures.
  • Regularly Update the Record: Review and update your SPF record when your email sending sources change.
  • Test Your SPF Record: Use tools to validate your SPF record to ensure it is correctly formatted and functions as expected.
  • Combine with DKIM and DMARC: Use SPF in conjunction with DKIM and DMARC for comprehensive email authentication.

FAQ

Question: Based on the latest criteria, the SPF record is deprecated. How could I publish my SPF then?

Answer: Good question. Yes, that's right, the SPF record is deprecated. For that reason, you need to publish your SPF by adding a TXT record with the same SPF values.

Question: I have a couple of SPF records in my zone, but all SPF checks fail. What is wrong?

Answer: SPF standards don't allow having multiple SPF records in your DNS zone. Only a single SPF record may reside in your DNS zone.

Question: How often should SPF records be updated?

Answer: SPF records should be updated whenever there are changes to the mail infrastructure, such as adding or removing mail servers.

Question: Can SPF prevent all types of email-related issues?

Answer: No, SPF primarily addresses email spoofing. Other issues, such as phishing or malware in emails, require additional security measures and user awareness.


Last modified: 2024-09-24