SPF, which stands for Sender Policy Framework, is a technique that helps prevent email spam and improve email deliverability. Picture it this way: you own a domain name for your business. Without setting up the appropriate authorizations, an unauthorized third party could send malicious or spam emails to your clients, which could lead to your website being blacklisted, as well as cause you a myriad of legal and financial issues.
SPF records are a type of DNS record that helps prevent unauthorized parties from engaging in email spoofing, i.e. sending malicious content or spam that appears to originate from your domain. Let’s look at what SPF records are and how you can use them to secure the integrity of your website.
DNS records are located on the authoritative DNS servers where your domain’s IP address lives. Simply put, they are text entries written in DNS syntax which contain instructions on how requests to your domain should be handled. These records range from the most basic, essential information – such as which IP address is associated with the domain – to non-essential, though very useful, information, such as who can send emails on behalf of your domain. Enter SPF records.
In DNS, an SPF record, or Sender Policy Framework record, is a TXT record that lets you list the hostnames and IP addresses that have permission to send emails under the auspices of your domain, i.e. on behalf of it. When you set up an SPF record, you specify the exact hosts which have the authority to send emails from your domain.
As the official documentation explains, the problem is that forging emails is quite possible: no existing protocol restricts what a sender enters in the “Mail from” field of an email. This allows people with bad intent to misuse your domain as the originator of malicious or spam emails. An SPF record lets you restrict and specify the hosts which have permission to use your domain as the sender of emails.
There are two main purposes of SPF records: preventing email spam (or email spoofing) from your domain and improving email deliverability.
We’ve already covered how setting up SPF records in your DNS zone file can prevent spammers from using your domain as the sender of malicious emails. When you set up an SPF record, you decide which IP addresses, hostnames or email servers have permission to send emails on your domain’s behalf. This prevents your domain from being blacklisted as a spammer, and prevents your website (or business) emails from going straight to receivers’ spam folders as a result. This leads us to the second purpose of SPF records.
Did you know that some email recipients will bounce your email or mark it as spam if your domain doesn’t provide SPF? Setting up an SPF record in your zone file improves email deliverability because, simply put, it increases the chances of your emails being delivered.
In other words, even if no one has used your domain for email spoofing, your emails may end up in spam folders or get bounced back. This is a precautionary measure on the part of email recipients and email services to prevent spam and malicious content. Once you set up an SPF record – i.e. a list of computers with authorization to send emails from your domain – your emails are much less likely to get rejected or sent directly to the spam folder.
Emails contain two sender addresses: the “header from” (visible to clients) and the “envelope from” (visible to email servers). As we already mentioned, nothing prevents someone from forging these addresses, so other mechanisms, such as SPF, have to do that job.
So, while the “envelope from” address is almost never seen by users, it is the address that gets checked by email servers whenever an email reaches one of their mailboxes. Here’s an overview of the process:
So this is what happens when an SPF record exists and is properly configured. If you don’t set up an SPF, or your SPF is misconfigured, your email may end up suffering the same fate as a non-SPF-authorized sender. This is because mail servers generally function on a better safe than sorry principle, and reject all mail that fails the SPF authentication process. So even if all your other DNS records and authentication protocols are in order, failing to create SPF records or incorrectly configuring SPF records can prevent your emails from getting delivered.
Creating an SPF record is fairly easy, and as it’s a TXT record, you only need a text editor to write it out. Most of the work is preparation, really, like figuring out which IP addresses should be authorized to send emails on behalf of your domain.
Before we show you how to create an SPF record, it’s a good idea to first make sure you don’t already have one. You can do this with a simple NSLOOKUP tool, like Kloth.net or Network Tools. You just type in your domain name and look over the TXT records. If there is an existing SPF record for your domain, it will look something like this:
v=spf1 ip4:188.8.131.52 -all
This is an SPF record example. The characters specify the SPF version being used and the IP address(es) which are authorized to send emails from your domain. If you don’t find such a TXT record in your DNS records, it’s time to create one. Here’s how:
It’s important to figure out all the IP addresses that you – or people in your team – will be using to send emails from your domain. If you fail to include an IP address, it may result in authentication failures, and your emails bouncing back or ending up in your receivers’ spam folders.
So, make sure to include all the IP addresses or all mail servers you’ll be using, like:
If you have multiple domains, you should create separate SPF records for each of them. Even if you don’t send emails from all your domains, you should still create SPF records for them. Leaving a domain without an SPF record makes it easy prey for email spoofing.
The next step is writing your SPF record. This is the easy part! All you have to do is paste the following line into your text editor – i.e. your SPF record TXT file:
v=spf1 ip4:[IP ADDRESS] -all
In the [IP ADDRESS] field, you should write out the IP address of your domain, like for instance:
v=spf1 ip4:184.108.40.206 -all
Now, as we’ve already mentioned, you’re likely to have more than one IP address from which you or your team will be sending emails. So, you’ll need to add the various IP addresses, like so:
v=spf1 ip4:[IP ADDRESS] ip4:[IP ADDRESS] ip4:[IP ADDRESS] -all
This is an example of what that may look like:
v=spf1 ip4:220.127.116.11 ip4:18.104.22.168 -all
The -all part at the end of the string specifies that all emails sent from any other IP address are unauthorized. This means that any email sent from your domain that isn’t included in the SPF record will be rejected and bounced back. It basically allows you to effectively prevent email spoofing.
If you’re adding a third-party domain that’s authorized to send emails in addition to the IP addresses, you need to add “include:[third-party domain name]”. For instance:
v=spf1 ip4:22.214.171.124 ip4:126.96.36.199 include:example.com -all
When you’re setting up an SPF record for a domain you don’t use for sending emails, you need to close it off to all potential IP addresses, like so:
v=spf1 -all
Save your SPF record, and you’re done! All that’s left is to publish your SPF record.
You can publish the SPF record in your domain’s DNS yourself, or ask your DNS management team or your host for help.
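To show how a receiving mail server evaluates the records built above (ip4 mechanisms, include:, and the -all / ~all qualifiers), here is a small SPF evaluator added as an example; it is not code from the original article. It assumes a constructed in-memory table of TXT records in place of real DNS lookups, using the article’s sample addresses, and the domain names example.org, example.com and parked.example are placeholders.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not a real resolver).
# Addresses are the sample values used in the article; domains are placeholders.
FAKE_DNS_TXT = {
    "example.org": "v=spf1 ip4:220.127.116.11 ip4:18.104.22.168 include:example.com -all",
    "example.com": "v=spf1 ip4:22.214.171.124/30 ~all",
    "parked.example": "v=spf1 -all",  # non-sending domain: reject everything
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    txt = FAKE_DNS_TXT.get(domain)
    if txt is None or not txt.startswith("v=spf1"):
        return None
    return txt


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the envelope-from domain's SPF record against the sending IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 limits include: nesting to 10 lookups
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # no SPF record: receiver has nothing to check against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # a mechanism with no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]  # catch-all decides everything else
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # arg may be a single address or a CIDR block
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include: only matches if the referenced domain's record passes
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not handled by this example
    return "neutral"  # nothing matched and no "all" term was present
```

Note that a sender matched only via the included domain’s ~all still ends up at example.org’s own -all, so a soft failure inside an include does not rescue an otherwise unauthorized IP.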
Setting up an SPF record is quite easy, and well worth the bit of effort you’ll need to put in. It improves email deliverability and prevents email spoofing from your domain, which can cause your website to get blacklisted and important work emails to get bounced back.
Make sure you also set up SPF records for non-sending domains, as they’re often targeted for email spoofing.
We include free DNS hosting with all domain registrations at Hostgeber, along with email forwarding and URL forwarding.