Sender Policy Framework (SPF) is an email authentication protocol that allows the owner of a domain to specify which mail servers they use when sending email from that domain. Brands sending email publish SPF records in the Domain Name System (DNS) and list which IP addresses are authorized to send email on behalf of their domains.
SPF records are examined when mailbox providers check to see if the email-sending server was authorized to do so by your sending domain. It is a great way for mailbox providers to detect forged email.
SPF checks look at the MailFrom (MFrom or Return-Path) domain, not the visible From header, to determine whether the sending IP address is authorized. As an example, if you receive an email from firstname.lastname@example.org from a server with the IP address 200.100.00.1, the SPF check looks up the example.org domain's SPF record in DNS and asks whether the IP address 200.100.00.1 is allowed to send email on its behalf.
How to set up an SPF record
Use the steps below to authenticate your email using SPF:
- Determine the domains that you use to send your email campaigns.
- Determine the IP addresses that are used to send the emails.
  - If you use an Email Service Provider (ESP), ask them for your sending IP addresses. If you have an in-house system, speak to your system administrator or email administrator.
  - If you use the same domain for your email campaigns that you do for your corporate email, check with your IT department and get the IP addresses used for your corporate email.
  - It is recommended that you separate corporate email from bulk marketing email onto a different sending domain and IP address, to reduce the risk of corporate email encountering deliverability problems.
- Create an SPF record.
  - SPFWizard.net provides a great wizard for generating SPF records.
- Publish your SPF record to the Domain Name System (DNS) for your sending domains.
  - For mailbox providers' receiving servers to check your SPF record, it must be publicly visible, so you must publish it in the DNS for your domain. If you use a hosting provider such as 123-reg or GoDaddy, contact them; they may provide a simple process for making the update through their support website or support team.
  - If your DNS records are administered by your ESP, or if you are unsure, contact your IT department for support. Copy the SPF record from the wizard and add it to your DNS as a TXT record.
  - Make sure that all sending IPs are added to the SPF record.
  - Set the strictness level of the SPF record to either Softfail (~all) or Hardfail (-all). Many senders use Softfail (~all) at first to make sure there are no errors and to account for all sending IP addresses; Softfail (~all) tells the mailbox provider to accept unauthorized email but mark it as suspicious. Once you are confident that all your sending IP addresses are included in the SPF record, change it to Hardfail (-all), which tells the mailbox provider to reject unauthorized email. This is the recommended best practice.
  - Do not use Pass (+all) or Neutral (?all), as these effectively make the SPF record useless: +all authorizes every IP address and ?all expresses no opinion about any of them.
  - Check the validity of your record using a tool such as Kitterman's SPF checker.
After these steps are completed, any organizations you send email to should now be able to see your SPF record.
Here’s a full example of an SPF record as seen in the DNS for a domain:
example.com. IN TXT "v=spf1 mx ip4:126.96.36.199 -all"
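To make the evaluation concrete, here is a minimal SPF evaluator added as an example (it is not part of the original article). It handles only the mechanisms this page uses (ip4, mx and the +, -, ~ and ? qualifiers on all), and replaces real DNS lookups with a constructed in-memory table so it runs offline; a production checker would also resolve include and a mechanisms and enforce the RFC 7208 lookup limit.

```python
# Added example: evaluate a sender IP against an SPF record of the kind shown
# on this page. DNS is simulated with a constructed table (not real records).
import ipaddress

# Constructed sample DNS data, assumed for this example only.
DNS = {
    "txt": {
        "example.com":    "v=spf1 mx ip4:126.96.36.199 ~all",   # softfail phase
        "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",       # hardfail phase
        "open.example":   "v=spf1 +all",                        # useless record
    },
    "mx": {"example.com": ["mail.example.com"]},
    "a":  {"mail.example.com": ["203.0.113.10"]},
}

# A mechanism with no explicit qualifier defaults to "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, dns=DNS) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip
    against the SPF record published for the MailFrom domain."""
    record = dns["txt"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                        # domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":                    # matches every IP; ends evaluation
            matched = True
        elif name == "ip4":                  # single address or CIDR range
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":                   # any A record of the domain's MX hosts
            hosts = dns["mx"].get(arg or domain, [])
            matched = any(str(ip) in dns["a"].get(h, []) for h in hosts)
        else:
            return "permerror"               # mechanism not handled by this example
        if matched:
            return QUALIFIERS[qualifier]     # first matching mechanism decides
    return "neutral"                         # no mechanism matched and no "all" term
```

With the sample data, 126.96.36.199 and the MX host's address pass for example.com while any other address softfails; the strict domain hard-fails unknown senders, and the +all record passes everything, which is why the page advises against it.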