SPF records setup guide

July 14, 2024

Individuals and corporations use email as their primary communication method. However, it is a popular target for criminal operations like phishing and spoofing. Email authentication techniques, such as SPF records, help prevent these attacks. In a nutshell, SPF is a whitelist of IP addresses that are allowed to send emails on behalf of a particular domain. In this article, we will explain in detail what SPF records are and how they help protect your email communications.

What is an SPF Record?

SPF is an abbreviation for Sender Policy Framework. This email authentication system helps stop spammers from using your domain to send messages. An SPF record is a TXT record in the Domain Name System that specifies which servers are whitelisted to deliver messages using your domain's name. Publishing which mail servers are permitted to transmit messages for a domain lets receiving mail servers check the validity of incoming messages, which reduces the danger of identity theft tactics such as phishing and spoofing. If you see an SPF record behind a CNAME instead of directly in a TXT record, the SPF record has been delegated to another domain's SPF record. That other domain might have another CNAME involved, but in the end the lookup still resolves to a final TXT record.

Importance of SPF Records

Implementing SPF records is important for various reasons:

Prevents domain spoofing: SPF records help prevent attackers from sending communications that appear to be from your domain by validating the sender's IP address.

Improves email deliverability: Emails that do not pass SPF checks are often flagged as spam or denied by the recipient's mail server. With proper SPF implementation, your legitimate communications are more likely to be delivered to the intended recipient.

Compliance with DMARC policies: DMARC is a broader framework that incorporates SPF and DKIM. It also allows domain owners to specify how to handle unauthorized emails. Without a valid SPF record, the DMARC policy may not function effectively.

Example of an SPF Record

v=spf1 ip4:192.0.2.1 include:_spf.example.com -all

This SPF record allows the IP address 192.0.2.1 and any IP addresses included in _spf.example.com to send emails on behalf of the domain.

Basic Structure of SPF Records

An SPF record consists of a version, a series of mechanisms with optional qualifiers, and optional modifiers.

Version

An SPF record starts with the version, v=spf1 (there is currently no other version available).

Mechanisms

Mechanisms are the components of an SPF record. They define the conditions under which an email should pass or fail the SPF check.

ip4 and ip6
  Explanation: Specifies an IPv4 or IPv6 address range that is allowed to send emails for the domain.
  Implementation: ip4:<ipv4-address>, ip6:<ipv6-address>

a
  Explanation: Refers to the A (address) record of the domain. It allows emails from the domain's IP address.
  Implementation: a, a/<prefix-length>, a:<domain>, a:<domain>/<prefix-length>

mx
  Explanation: Refers to the domain's MX (Mail Exchange) records. It allows emails from the mail servers listed in the MX records.
  Implementation: mx:<domain>

include
  Explanation: Includes the SPF record of another domain. This is useful when a third party, like an email service provider, sends emails on your behalf.
  Implementation: include:<domain>

exists
  Explanation: Checks whether a domain resolves to an address; typically used for complex configurations.
  Implementation: exists:<domain>

Qualifiers

Qualifiers specify the action to take when a mechanism matches or fails.

+ (Pass)
  Explanation: Default qualifier. A sending host that matches the mechanism passes the check and is allowed to send email.
  Implementation: +ip4:192.168.2.1 (same as ip4:192.168.2.1)

? (Neutral)
  Explanation: The SPF record explicitly states that no specific action should be taken.
  Implementation: ?all

~ (Soft Fail)
  Explanation: Accepts the email but marks it as suspicious (often placed in spam).
  Implementation: ~all

- (Fail)
  Explanation: Rejects the email if the sending server does not match the SPF record.
  Implementation: -all

Modifiers

Modifiers provide additional information or instructions but are not commonly used.

exp
  Explanation: Points to a domain whose TXT record holds an explanation that is returned to the sender when a message is not accepted.
  Implementation: exp=<domain>

redirect
  Explanation: Specifies another domain whose SPF record should be evaluated instead of the current one. When redirect= is used in an SPF record, the remaining part after it will not be processed.
  Implementation: redirect=<domain>

How SPF Works

SPF allows recipient mail servers to perform a lookup on the DNS server of the sending domain to find an SPF record.

Step 1: The mail server conducts a DNS lookup to find the SPF record for the sending domain upon receiving an email.

Step 2: It checks the sending server's IP address against the IP addresses provided in the SPF record.

Results of Lookup:

  1. Pass: When the IP address matches, the server will deliver the email.

  2. Fail: If the IP address does not match, the server will refuse email delivery or mark it as spam.

  3. Neutral: The domain owner has explicitly stated that they cannot or do not want to assert whether the IP address is authorized.

  4. SoftFail: The IP address is not authorized, but the domain is in testing mode for SPF. The email should be accepted but marked.

  5. TempError: A temporary error occurred during the check. The email can be accepted or temporarily rejected.

  6. PermError: A permanent error occurred during the check, such as an invalid SPF record. The email should be rejected or accepted with a low reputation score.

  7. None: The domain does not have an SPF record or the SPF check cannot be completed.

SPF Lookup Limit

The "SPF Lookup Limit" is the maximum number of DNS lookups that may happen while a receiving mail server evaluates your SPF record. Every include, a, mx, or similar directive in your SPF record triggers a DNS lookup.

The recipient's mail server performs at most 10 DNS lookups per SPF check. Going above this limit causes the SPF check to fail, which in turn may disrupt the delivery of your email messages.

To avoid exceeding the lookup limit:

  1. Simplify the SPF Record: Do not add too many domains.

  2. Use ip4 and ip6 mechanisms: These mechanisms do not require additional DNS lookups. 

  3. Use Subnets: Group the IP address into subnets to decrease the number of entries.

  4. Merge SPF Records: Combine multiple SPF records using tools such as the DmarcDkim.com SPF merge tool.
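The two-step check described under "How SPF Works" and the 10-lookup limit above, as an added Python example (not from the original article or DmarcDkim.com): a minimal SPF evaluator over a constructed in-memory zone that handles ip4/ip6 with CIDR, include, redirect, all and the four qualifiers, counts every DNS-costing term, and returns PermError once the limit is exceeded. All domain names and records are hypothetical, and a/mx/exists are counted against the limit but never resolved.

```python
import ipaddress

# Constructed in-memory DNS zone (hypothetical names, not real records) so the demo runs offline.
ZONE = {
    "example.com":      "v=spf1 ip4:192.0.2.1 include:_spf.example.com -all",
    "_spf.example.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "old.example":      "v=spf1 redirect=example.com",
    "loop.example":     "v=spf1 include:loop.example -all",  # self-include: blows the lookup limit
}
LOOKUP_LIMIT = 10  # RFC 7208 cap on DNS-querying terms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "exists", "redirect"}

def split_term(term):
    """Return (qualifier, name, argument) for one term such as '-all' or 'ip4:192.0.2.1/32'."""
    qualifier, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
    sep = "=" if "=" in term else ":"   # modifiers use '=', mechanisms use ':'
    name, _, arg = term.partition(sep)
    return qualifier, name.split("/")[0], arg

def count_lookups(record):  # lint helper: lookup-costing terms in one record
    return sum(split_term(t)[1] in LOOKUP_TERMS for t in record.split()[1:])

def check_spf(domain, ip, zone=ZONE, lookups=None):
    """Evaluate sender `ip` for `domain`: returns (result, lookups_used). a/mx/exists count but never match here."""
    lookups = lookups if lookups is not None else [0]   # counter shared across includes/redirects
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, name, arg = split_term(term)
        if name in LOOKUP_TERMS:
            lookups[0] += 1
            if lookups[0] > LOOKUP_LIMIT:
                return "permerror", lookups[0]
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):  # False on a v4/v6 mismatch
                return QUALIFIERS[qualifier], lookups[0]
        elif name == "include":
            sub, _ = check_spf(arg, ip, zone, lookups)
            if sub == "permerror":
                return sub, lookups[0]
            if sub == "pass":   # include matches only when the included record passes
                return QUALIFIERS[qualifier], lookups[0]
        elif name == "redirect":
            return check_spf(arg, ip, zone, lookups)   # evaluate the other domain's record instead
        elif name == "all":
            return QUALIFIERS[qualifier], lookups[0]
    return "neutral", lookups[0]   # nothing matched and no redirect
```

Calling check_spf("loop.example", "192.0.2.1") shows how a self-including record becomes permerror at the eleventh lookup, the failure mode the merge and simplify advice above is meant to avoid.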

Risks of Not Having SPF Records

The following are the risks of not having an SPF Record:

  • Leaves your domain vulnerable to phishing and spoofing attacks.

  • Attackers can easily send fraudulent emails that appear to come from your domain.

  • Damage to your domain's reputation and significant email deliverability issues.

Emails that are marked as spam are less likely to reach their intended recipients.

Why SPF Verification Fails

The following factors can cause SPF verification to fail:

Incorrect IP addresses
  Explanation: If the sending server's IP address is not listed in the SPF record, the email fails the SPF check.
  Troubleshooting: Regularly review and update your SPF record.

Missing include domains
  Explanation: If third-party services are not properly included in the SPF record, emails sent via those services fail the SPF check.
  Troubleshooting: Monitor SPF-related bounce messages to identify issues.

Exceeding the lookup limit
  Explanation: Surpassing the 10-DNS-lookup limit leads to failures.
  Troubleshooting: Use SPF check tools to validate your SPF record.

Complicated setup
  Explanation: Modifiers used in combination with other mechanisms.
  Troubleshooting: Avoid using redirect= unless necessary; prefer include:.

How to Set Up an SPF Record

Follow the given steps to set up an SPF Record in your domain provider’s DNS settings:

Step 1: Log in to your domain registrar or hosting provider's control panel.

Step 2: Open the DNS dashboard/management center.

Step 3: Enter your SPF record in the TXT record field.

Step 4: Apply the changes and wait up to 24 hours for DNS propagation.

FAQs

How do I delete my SPF record? You can delete the SPF record from your domain's DNS settings.

How often should I update my SPF record? Update your SPF record whenever you add new mail servers or third-party services that send emails on your behalf.

What does "no SPF record" mean? No SPF record means your domain does not have an SPF TXT record configured in its DNS.

Where can I find the SPF Records? Check DmarcDkim.com articles to find out the SPF values of various email services and how to configure them for your domain.
