How to Create an SPF Record

Sender Policy Framework (SPF) records are a crucial mechanism for enhancing email security and ensuring that emails are sent from authorised servers. Before SPF, sent emails could pretend to be from anyone. SPF mitigates this issue by providing a way to verify the authenticity of the sender’s domain, which prevents spammers and malicious actors from spoofing email addresses within a domain.

What is an SPF Record?

An SPF record is a type of DNS TXT record that specifies which servers are authorised to send emails on behalf of your domain. If a server’s IP address or name isn’t on the list, the receiving server will prevent those emails being delivered or will mark them as spam.

Creating an SPF DNS Record

An SPF record consists of mechanisms (rules). The mechanisms specify the list of servers which are authorised to send email for your domain.

The most common mechanisms are in the list below.

  • a: Authorises the domain’s A record IP address.
  • mx: Authorises the domain’s MX record mail server.
  • include: Authorises the specified domain’s SPF record.
  • ip4: Authorises the specified IPv4 address.
  • ip6: Authorises the specified IPv6 address.

The last part of an SPF record is the all mechanism combined with a qualifier, as shown below.

  • -all: Reject emails not matching the SPF rules.
  • ~all: Mark emails not matching the SPF rules as spam.
  • ?all: No strict policy.
  • +all: Allow all emails.

The all mechanism indicates how email which is not directly authorised by the domain’s SPF record should be handled.

SPF Record Examples

There is a wide range of possible SPF record setups, and each record depends on the mail requirements for your domain. However, examples of common SPF records are provided below.

Basic SPF Record

The SPF record below includes the SPF record rules from a different domain (such as from a hosted email provider), and indicates that emails which don’t match the rules should be rejected.

v=spf1 include:example.com -all

Multiple Sources SPF Record

The SPF record below indicates that emails from the IP address of the domain’s A record, the mail server indicated in the domain’s MX record, the IPv4 address 198.51.100.12, and the SPF rules from example.com should be authorised to send email for the domain. The final part indicates that any email which does not match the rules should be marked as spam.

v=spf1 a mx ip4:198.51.100.12 include:example.com ~all

No Sent Emails SPF Record

The SPF record below indicates that all emails should be rejected, as there are no other rules provided. This should be used for cases where email is not sent from a domain.

v=spf1 -all
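
Before publishing a record, it helps to check it for mistakes such as a misspelt mechanism or a missing all term. The Python sketch below is an added example, not part of the original article: it splits a record into its terms and reports common errors. The function name parse_spf, the warning texts and the last two sample records are assumptions made for illustration, and it does not perform DNS lookups or evaluate modifiers such as redirect=. Note that the record syntax uses ip4: and ip6:, as in the example records above.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "a", "mx", "include", "ip4", "ip6", "ptr", "exists"}

def parse_spf(record):
    """Return ([(result, mechanism, value), ...], [warnings]) for one SPF TXT value."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    terms, warnings = [], []
    for tok in tokens[1:]:
        # A term without a leading qualifier defaults to "+" (pass).
        qual, body = (tok[0], tok[1:]) if tok[0] in QUALIFIERS else ("+", tok)
        name, _, value = body.partition(":")
        if "=" in name:  # modifier such as redirect=; this sketch does not evaluate it
            warnings.append(f"modifier not evaluated: {tok}")
            continue
        mech = name.split("/")[0].lower()  # strip a CIDR suffix such as a/24
        if mech not in MECHANISMS:
            warnings.append(f"unknown mechanism: {tok}")
            continue
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(mech[2]):
                    warnings.append(f"address family mismatch: {tok}")
            except ValueError:
                warnings.append(f"invalid address: {tok}")
        terms.append((QUALIFIERS[qual], mech, value))
    if not terms or terms[-1][1] != "all":
        warnings.append("record does not end with an all mechanism")
    elif terms[-1][0] == "pass":
        warnings.append("+all authorises every sender")
    return terms, warnings

# The three records from this page, plus two constructed records with mistakes.
SAMPLES = [
    "v=spf1 include:example.com -all",
    "v=spf1 a mx ip4:198.51.100.12 include:example.com ~all",
    "v=spf1 -all",
    "v=spf1 ipv4:198.51.100.12 +all",   # constructed: misspelt ip4, permissive all
    "v=spf1 include:example.com",       # constructed: no all mechanism
]

if __name__ == "__main__":
    for record in SAMPLES:
        terms, warnings = parse_spf(record)
        print(record, terms, warnings, sep="\n  ")
```
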

Summary

SPF records help to prevent spoofed emails being delivered to the target recipient. This helps to protect the reputation of domain names and protect email recipients from receiving scam emails.

It is important to add an SPF record for a domain even if no emails are sent using it, as it allows mail servers to know a domain is not used for sending emails. As a result, the mail server should reject any emails from that domain and prevent them being delivered.