
What is an SPF Record?

SPF stands for "Sender Policy Framework." An SPF record is a policy, published in DNS, that lists the hosts (by IP address or by name) that are allowed to send mail on behalf of a specific domain. Receiving mail servers use it to weed out spam and phishing messages that try to disguise themselves as coming from a reputable domain.

Spammers sometimes forge the sender and reply addresses so that a message appears to come from a reputable address. If you checked the headers, however, you would see that the message actually originated from a spamming host. Spammers do this to misdirect complaints and bounces and to make the message look trustworthy.

Publishing an SPF record helps fend off spammers who would use your domain as a cover for their spam, and checking SPF on incoming mail helps you catch spam that is disguised as coming from someone else's domain. A receiving server looks up the SPF record of the domain in the envelope sender address (the MAIL FROM / Return-Path address used during the SMTP session, not the From: line the user sees) and compares the connecting IP address against it. If the address is not authorized, the server can reject or flag the message. The same check works in reverse when your own server evaluates the SPF records of domains that send mail to you.

If you would like to use SPF on your domain to ensure it’s not used as a front for spam, check out our Adding an SPF Record to a Domain article. If this is your first time configuring an SPF record, please read the rest of the article to learn SPF record syntax or contact our support team for help. 

If you would like to have all incoming mail checked by SPF, visit our Blocking Junk Mail with SPF article.

The Details

An SPF record is a TXT record stored in the DNS zone file. A TXT record can contain free-form text, but an SPF record must follow a specific syntax, and a domain should publish exactly one TXT record beginning with v=spf1 (a dedicated "SPF" DNS record type once existed but is deprecated, and receivers that find two SPF records treat the result as a permanent error). You can view a domain's published record with a command such as dig +short TXT example.com.

An SPF entry will look like this:

v=spf1 ip4:10.20.20.0/24 ip4:10.10.10.21 -all


The version tag, v=spf1, begins every SPF record; it is the only version defined, and a receiving server ignores any TXT record that does not start with it. Everything after the tag tells receiving servers which hosts are valid senders for the domain so they can check incoming mail against that list.

Mechanism

After the version tag come one or more "mechanisms." A mechanism is the method you are using to identify the allowed host(s); each one either matches the connecting IP address or it does not. Here is the full list of mechanisms defined by the SPF specification (RFC 7208):

  • all
  • ip4
  • ip6
  • a
  • mx
  • ptr
  • exists
  • include

Note: To save time, we will not cover all of the mechanisms in this article. Two things worth knowing about the ones we skip: the ptr mechanism is deprecated and should not be used in new records, and include is how you authorize a third-party provider's servers (you include the record the provider publishes rather than copying its addresses). A record may also end with modifiers such as redirect= or exp=, which are not mechanisms.

The “all” Mechanism

The all mechanism always matches. Because the record is evaluated from left to right and stops at the first match, all acts as the catch-all: any sending IP address that did not match an earlier mechanism gets the result attached to all. With -all, that result is "fail," meaning the message is not authorized.

For example:

v=spf1 a:smtp.example.com -all

This record says that mail is valid only when the connecting IP address is one of the addresses that the host name smtp.example.com resolves to; mail from any other address fails the check, and receiving servers will typically reject it.

The all mechanism goes at the end of the SPF record to cover everything that isn't listed. Since it always matches, any mechanism written after it is never evaluated.

The “a” Mechanism

The a mechanism is one of several mechanisms that dictate which IP addresses are allowed to send mail for the domain. It matches when the connecting IP address is one of the addresses in the A records (or AAAA records, for IPv6 connections) of the named host. Written as a bare a, it refers to the domain whose SPF record is being checked; written as a:hostname, it refers to that host.

For example, if example.com has an A record pointing to 1.2.3.4, adding a:example.com to the SPF record will identify mail from 1.2.3.4 as valid. A host with several A records authorizes all of them.

The “mx” Mechanism

The mx mechanism authorizes the domain's inbound mail servers as senders: it looks up the domain's MX records and matches when the connecting IP address is one of the A (or AAAA) addresses of any of those mail exchangers. Like a, it can be written bare (the current domain) or as mx:domain.

If the connecting IP address matches either the mx or the a mechanism, the receiving server deems it valid and lets the message through.

The following record means that any address belonging to the domain's MX hosts, and any address in the domain's own A records, is a valid sender, while mail from every other address is rejected:

v=spf1 mx a -all

mx covers the addresses of the MX hosts and a covers the addresses of the domain itself; each may resolve to one or many IP addresses. The -all then dictates that mail from any address matching neither mx nor a is not valid.

Qualifiers

Qualifier (meaning)

  • + (Pass: the sender is authorized)
  • - (Fail: the sender is not authorized; receivers usually reject the message)
  • ~ (Soft Fail: the sender is probably not authorized; receivers accept the message but mark or score it as suspicious)
  • ? (Neutral: the domain makes no statement about the sender)

Any mechanism can be preceded by one of the four qualifiers. In practice they are rarely written except on the final all mechanism, which usually appears as -all to fail any mail that does not meet the requirements of the SPF record. A mechanism written without a qualifier uses + (pass) by default, so ip4:10.10.10.21 and +ip4:10.10.10.21 mean the same thing.

When a server checks the SPF record, it evaluates the mechanisms in order from left to right and stops at the first one that matches the connecting IP address; the qualifier on that mechanism is the result. If no mechanism matches and there is no all at the end, the result is neutral. Neutral simply means the record makes no claim about the sender, and the receiving server takes no action based on SPF.

Note: If this is your first time creating an SPF record, we recommend you use the ~ (soft fail) qualifier with the all mechanism. Since -all is absolute, the record has to be complete and correct, or legitimate mail will be rejected. The classic case is forwarding: when a message from your domain is forwarded by another server (a mailing list, or a recipient who forwards their mailbox elsewhere), the final receiving server sees the forwarder's IP address, not yours.

The forwarder's address is not in your SPF record, so the message fails the check, and with -all the receiving server will reject it. With ~all the message is still delivered, though it may be marked as suspicious.

The downside of soft fail is that it only asks receivers to treat unauthorized mail with suspicion, so some well-disguised spam using your domain may still get through their spam detectors.

Once you are sure your SPF record is correctly configured, you can change ~all to -all.
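To make the rules above concrete (the a, mx, ip4, include and all mechanisms, the four qualifiers, first-match evaluation, and the forwarding case that motivates ~all), here is a small SPF checker added to this article as a worked example. It is not code from the original page or from any SPF library. DNS is replaced by a constructed table of hypothetical records (example.com, smtp.example.com, strict.example, example.org, nospf.example and dup.example, with documentation and private addresses), so it runs offline. The /prefix form of a and mx, the ptr and exists mechanisms, macros and the 10-lookup limit of the real specification are deliberately left out.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. All names and
# addresses here are hypothetical; they are not real records.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 mx a:smtp.example.com ip4:10.20.20.0/24 ~all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("example.com", "A"): ["192.0.2.1"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("smtp.example.com", "A"): ["192.0.2.20"],
    ("strict.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    # example.org delegates to example.com's record via include:
    ("example.org", "TXT"): ["v=spf1 include:example.com -all"],
    # dup.example publishes two SPF records, which is an error.
    ("dup.example", "TXT"): ["v=spf1 -all", "v=spf1 +all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Pretend DNS query: return the records of the given type, or []."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_records(domain):
    """All TXT records of the domain that start with the v=spf1 version tag."""
    return [r for r in lookup(domain, "TXT")
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def host_ips(name):
    """Addresses a host name resolves to (A and AAAA), as ip_address objects."""
    return [ipaddress.ip_address(a) for a in lookup(name, "A") + lookup(name, "AAAA")]


def mechanism_matches(term, ip, domain):
    """True if one mechanism (without its qualifier) matches the sending IP."""
    name, _, arg = term.partition(":")
    name = name.lower()
    if name == "all":
        return True  # always matches; its qualifier decides the result
    if name in ("ip4", "ip6"):
        # Membership test is False when the address family differs.
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return ip in host_ips(arg or domain)
    if name == "mx":
        return any(ip in host_ips(mx) for mx in lookup(arg or domain, "MX"))
    if name == "include":
        # include matches only if the included record yields "pass".
        return check_host(str(ip), arg) == "pass"
    raise ValueError("unsupported mechanism: " + term)


def check_host(ip, domain):
    """Evaluate the SPF record of `domain` for sending address `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    ip = ipaddress.ip_address(ip)
    records = spf_records(domain)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # a domain may publish only one SPF record
    for term in records[0].split()[1:]:
        if "=" in term:
            continue  # modifiers such as redirect= and exp= are not handled here
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        try:
            matched = mechanism_matches(term, ip, domain)
        except ValueError:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]  # first match wins
    return "neutral"  # nothing matched and no trailing all


if __name__ == "__main__":
    # Hypothetical senders: an MX host, the domain's own A record, a forwarder.
    for sender, domain in [("192.0.2.10", "example.com"), ("192.0.2.1", "example.com"),
                           ("198.51.100.5", "example.com"), ("198.51.100.5", "strict.example")]:
        print(f"{sender:>14} for {domain:<16} -> {check_host(sender, domain)}")
```

Two results are worth a second look. 192.0.2.1 is example.com's own A record, yet it gets softfail, because the record says a:smtp.example.com, not a bare a; the two are different authorizations. And the forwarder at 198.51.100.5 gets softfail under example.com's ~all but a hard fail under strict.example's -all, which is exactly the difference the soft-fail recommendation above is about. Note also that example.org's include:example.com only matches when the included record passes, so a softfail from example.com falls through to example.org's own -all.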

[Image: SPF record syntax breakdown]