What Is an SPF Record?
A Sender Policy Framework (SPF) record is a type of DNS record Mail Administrators use to publish a list of trusted sources of email. This practice allows domain owners to specify which IP addresses and 3rd-party email vendors are authorized to send email on their behalf.
Spammers often attempt to send emails that appear to come from your domain, which is called spoofing. SPF helps message recipients know where emails from your domain should be coming from and that they're NOT spoofed.
Nearly all inbound mail servers use SPF as a primary indicator of whether an email will hit the inbox. Formerly, SPF was the only standard an email needed to be largely trusted by mailbox providers. SPF is now complemented with other authentication methods, such as DKIM, DMARC, and the newest standard, BIMI.
Most inbound systems today want to see all of these methods applied to an email as a means to prevent spoofing/phishing attacks and to help legitimate email have higher delivery rates. If you're new to the email world or have yet to even add SPF to your outbound email campaigns, it's imperative to create a record.
How Does an SPF Record Work?
SPF records work by providing a list of authorized IP addresses and senders for the domain that's sending the email. Now, when we say domain, we don't mean the friendly one that you'll see when you open your inbox.
This domain is the MailFROM domain, and it'll only be seen when you look at the headers of an email. This particular domain is much harder (not impossible) for spoofers to impersonate, which is why it was chosen for SPF.
Basically, when an inbound server receives an email (this would be the recipient of the email), that server looks for this MailFROM domain. Once it finds this domain, it performs a DNS lookup to get a TXT record for that domain that starts with v=spf1. Inside this record is the list of trusted IP addresses and senders. An example is provided below:
v=spf1 a mx ip4:123.456.789.101 include:_spf.google.com ~all
From here, the server looks for the IP address that sent the email and checks to see if that IP address is included in the trusted list. If it is, it passes SPF Authentication. If the SPF record doesn't contain that IP address, the message fails SPF Authentication.
SPF Record Format
SPF records are typically defined using the TXT record type. SPF records are defined as a single string text. For example:
v=spf1 a mx ip4:123.456.789.101 include:_spf.google.com ~all
Terms are comprised of mechanisms and modifiers. The following mechanisms are defined:
- all
- include
- a
- mx
- ip4
- ip6
- exists
Note: The ptr type is also defined, but it shouldn't be used.
SPF Record Setup
Creating an SPF record helps combat spammers trying to use your domain as a cover to send spam or other harmful email to unknowing recipients. The fraudsters pretend to be your company, allowing them to phish your clients for private account information and/or abuse your brand's reputation.
A proper SPF record will be checked by other servers and, when they discover spam disguised as your domain, the respective server will reject it. For more information on how to set up an SPF record, click here.