How to Create and Add an SPF Record
In this article we explain:
- What is an SPF Record?
- How to Add an SPF Record
- How to Create an SPF Record
SPF stands for Sender Policy Framework and is a free email authentication technology that has been around since 2003. It is a way to verify that a mail server (IP address) is authorized to send email for a specific domain; along with DKIM, SPF is a foundation for DMARC. You can find more information about SPF in general here.
Already have an SPF Record but not sure if it's set up correctly? Use our free SPF Surveyor to perform an SPF Check.
What is an SPF Record?
An SPF record or SPF TXT record is a record that is part of your domain’s DNS — similar to a DMARC record. It contains a list of all the IP addresses that are permitted to send email on behalf of your domain.
When a sender tries to hand off email to a “receiving” email server for delivery, that server checks whether the sender is on your domain’s list of allowed senders. If it is, then a link has been established between the piece of email and the email domain.
With an SPF record in place, you protect your email domain against spoofing and phishing attacks by letting the world know which servers are authorized to send authenticated email on your behalf.
Read more about the SPF Record Syntax.
How do I add an SPF Record?
To add an SPF record, you will need access to the DNS control panel for your domain. If you are using a hosting provider, the process is fairly straightforward, and you should reference their supporting documentation. If you are uncertain, you may wish to contact your IT provider for support.
Note: Your new SPF record can take up to 48 hours to go into effect.
How do I create an SPF Record?
Start by gathering a list of all your domains, as each SPF record refers to a specific domain. Be sure to include inactive (or “parked”) domains that don’t send email in order to protect them from abuse as well.
You will also need to identify everything that sends email from your domain(s), including sources (third-parties) that send emails on behalf of your domain. This includes:
- Mail Servers (both web-based like Gmail or via your ISP and in-office like Microsoft Exchange)
- ESPs (Email Service Providers – companies that provide email marketing/bulk email services)
- Miscellaneous services (e.g., support/ticketing systems, payment providers, e-merchant services, etc.)
Here is an example of a complete SPF record, with each part explained below:
v=spf1 ip4:126.96.36.199 ip6:2001:db8:85a3:8d3:1319:8a2e:370:7348 include:thirdpartydomain.com ~all
- Start with the SPF version v=spf1. This indicates that it is an SPF record. It will always be v=spf1, as other SPF versions have been discontinued.
- The SPF version tag should be followed with all IP addresses that are authorized to send email on behalf of your domain.
For example: v=spf1 ip4:188.8.131.52 ip6:2001:db8:85a3:8d3:1319:8a2e:370:7348
- Next comes the “include” statement, which is needed for every third-party organization that sends email on your behalf.
For example: v=spf1 ip4:184.108.40.206 ip6:2001:db8:85a3:8d3:1319:8a2e:370:7348 include:thirdpartydomain.com
You should consult with these third parties to discover which domain to use as a value here. Also, ESPs typically publish SPF records for sending domains on your behalf, so you will want to verify with them as well.
- The end of the SPF record is the “all” tag. It is important because it indicates which policy should be applied, and how strictly, when a receiving server sees mail from a server that is not listed (authorized) in your SPF record. The “all” tag has the following basic options:
- -all – (fail) non-authorized emails will be rejected*
- ~all – (softfail) non-authorized emails will be accepted but marked*
- +all – this tag allows any server to send email from your domain, so we advise strongly against it.
*You can find more information about the differences between fail and softfail here.
For example: v=spf1 ip4:220.127.116.11 ip6:2001:db8:85a3:8d3:1319:8a2e:370:7348 include:thirdpartydomain.com ~all
This is a basic overview of what an SPF record can contain. You can find a deeper look into SPF syntax here.
For your domains that do not send email (inactive or parked domains), it is recommended to publish an SPF policy that doesn’t include any IP addresses, to prevent them from being abused. Here’s an example record for a non-sending domain: v=spf1 -all
Note: SPF records cannot be over 255 characters long, and cannot include more than ten “include” statements, also known as “lookups.”
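The record-building steps above and the limits in the note can be turned into a small builder and linter. This is an added example, not dmarcian's SPF Surveyor or any code from the article; the function names are my own, and the lookup count follows RFC 7208 section 4.6.4, which counts a, mx, ptr, exists and redirect alongside include.

```python
import ipaddress

# Terms that cost a DNS lookup (RFC 7208 section 4.6.4). The article's
# "no more than ten include statements" limit is this broader count.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_spf(ip4=(), ip6=(), includes=(), all_qualifier="~"):
    """Assemble a record in the order the article uses: version, ip4/ip6, include, all."""
    if all_qualifier not in QUALIFIERS:
        raise ValueError("all qualifier must be one of + - ~ ?")
    for addr in (*ip4, *ip6):  # reject typos before they reach DNS (CIDR allowed)
        ipaddress.ip_network(addr, strict=False)
    terms = ["v=spf1"]
    terms += [f"ip4:{a}" for a in ip4] + [f"ip6:{a}" for a in ip6]
    terms += [f"include:{d}" for d in includes]
    terms.append(f"{all_qualifier}all")
    return " ".join(terms)


def lint_spf(record):
    """Return the problems found; an empty list means the record passes the checks the article describes."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups, all_index = [], 0, None
    for i, term in enumerate(terms[1:], start=1):
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_index = i
            if qualifier == "+":
                problems.append("+all lets any server send as your domain")
        elif name in LOOKUP_TERMS:
            lookups += 1
        elif name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(body.partition(":")[2], strict=False)
            except ValueError:
                problems.append(f"invalid address in {term}")
    if all_index is None:
        problems.append("missing all term; add -all or ~all at the end")
    elif all_index != len(terms) - 1:
        problems.append("terms after all are never evaluated")
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the limit of 10")
    if len(record) > 255:
        problems.append(f"record is {len(record)} characters, over the 255 limit")
    return problems
```

Run `lint_spf` against the TXT value you are about to publish; `build_spf(all_qualifier="-")` produces the `v=spf1 -all` record recommended for parked domains.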
To inspect and verify your SPF records, head over to our free SPF Survey.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.