SPF Record Tags
| Tag | Description | Example |
|---|---|---|
| Version (v) | The v tag is required and represents the protocol version. It MUST be the first tag in the SPF record. | v=spf1 |
| mx | If used on its own (mx), it uses the A record IPs of the MX records for the current domain. If you put a domain or host name after it (mx:domain.com), it uses the A records of the MX records for that domain. This allows you to update your DNS without having to make a change to the SPF record. | mx or mx:mxtoolbox.com |
| a | If used on its own (a), it uses the A record of the current domain. If you put a domain or host name after it (a:domain.com), it uses that A record. This allows you to update your DNS without having to make a change to the SPF record. | a or a:mxtoolbox.com |
| ptr | This tag is NOT recommended to be used per RFC 7208. This option will validate the PTR records to ensure that at least one A record for a PTR hostname matches the original client IP. If used on its own (ptr), it looks for the current domain. You can also specify a domain (ptr:domain.com) so that it validates against that domain. | ptr or ptr:domain.com |
| ip4 | Specifies an IPv4 address (1.2.3.4) or IP CIDR range (1.2.3.4/32) that is allowed to send mail for the domain. | ip4:1.2.3.4 (IP address) or ip4:208.123.79.45/24 (IP range) |
| ip6 | Specifies an IPv6 address (2001:0db8:0123:4567:89ab:cdef:1234:5678) or IP CIDR range (2001:0db8:0123::/36) that is allowed to send mail for the domain. | ip6:2001:0db8:0123:4567:89ab:cdef:1234:5678 (IP address) or ip6:2001:0db8:0123::/36 (IP range) |
| include | This tag allows the inclusion of another domain or subdomain's entire SPF record. This is often used if you use a third-party service to send mail or have multiple domains or subdomains that send email. Example: include:_spf.google.com. By specifying this tag you are telling the recipient mail server that all of the IP addresses contained within _spf.google.com are verified sending sources for your email. If you use multiple senders, you put an include: tag before each domain (e.g. v=spf1 mx ip4:1.2.3.4 include:_spf.google.com include:mcsv.com ~all). This signals that both Google (include:_spf.google.com) and Mailchimp (include:mcsv.com) are approved senders and their IP addresses should authenticate for the domain. | include:_spf.google.com |
| exists | This tag performs an A record lookup on the given domain to see if one exists. If the A record exists then this passes. | exists:google.com |
| all | This tag MUST go at the end of your record and provides instruction on what a recipient should do if there is not a match to your SPF record. There are 3 common options that allow a sender to tell the recipient to reject mail that does not match the record (-all), treat mail as suspicious (~all), or give a neutral recommendation (?all) which leaves it up to the recipient. In most cases, treating the mail as suspicious (~all) will work, since it will generally cause non-matching messages to be marked as spam. | ~all |
A normal record will have a mix of elements such as the following:
v=spf1 ip4:64.20.227.128/28 ip4:208.123.79.32/27 include:_spf.google.com ~all
The above record says that it is using SPF Version 1 and that the IP range 64.20.227.128/28 and the IP range 208.123.79.32/27 are allowed to send email for the domain. It then says that all the entries in the SPF record for _spf.google.com are allowed to send for the domain as well. It ends by saying that if a message comes from the domain but does not match the SPF record, then it should be treated as suspicious (~all).
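The following added example (not part of the original page) parses a record, checks the ordering rules from the tag table, and evaluates a sender IP against the ip4/ip6 and all tags of the record above. The function names are hypothetical, and tags that need DNS (a, mx, ptr, include, exists) are not resolved, only reported as skipped.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_TAGS = {"a", "mx", "ptr", "include", "exists"}  # need DNS; not resolved here

def parse_spf(record):
    """Split a record into (qualifier, tag, value) terms; v=spf1 must come first."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("v=spf1 must be the first tag")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifiers (e.g. redirect=) are outside the tag table
            continue
        qualifier = "+"  # default when no qualifier is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.split("/")[0].lower(), value))
    return parsed

def lint(record):
    """Return warnings for the placement and usage rules in the tag table."""
    names = [name for _, name, _ in parse_spf(record)]
    warnings = []
    if "all" not in names:
        warnings.append("no 'all' tag: non-matching mail gets no instruction")
    elif names[-1] != "all":
        warnings.append("'all' must be the last tag")
    if "ptr" in names:
        warnings.append("ptr is not recommended (RFC 7208)")
    return warnings

def evaluate_offline(record, sender_ip):
    """Walk the tags left to right; the first match decides the result.
    Returns (result, skipped), where skipped lists DNS tags passed over."""
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            # strict=False accepts ranges written with host bits set
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], skipped
        elif name == "all":
            return QUALIFIERS[qualifier], skipped
        elif name in DNS_TAGS:
            skipped.append(f"{name}:{value}" if value else name)
    return "neutral", skipped

# The example record from this page
RECORD = "v=spf1 ip4:64.20.227.128/28 ip4:208.123.79.32/27 include:_spf.google.com ~all"
```

A non-empty skipped list means the result is provisional: a real receiver would resolve those tags before reaching all.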