SPF Record Syntax

We’ve developed this comprehensive guide to increase your SPF understanding and help troubleshoot issues our application might have brought to your attention.  Having a valid and accurate SPF record will lead to improved authentication coverage, deliverability and help promote your desired level of security for your domains.

Don’t have a dmarcian account? You can still query the contents of your SPF record using our SPF Survey tool.

Create a free account now to have dmarcian monitor your SPF, DKIM and DMARC records for you automatically.  Get instance visibility in to delivery errors, phishing and impersonation attempts with dmarcian’s SaaS Platform.

Use the navigation menu just below to jump to the particular element of your SPF record in question.  Additional information about SPF can be found in the linked articles at the bottom of this document.

Mechanisms can be used to describe the set of hosts which are designated outbound mailers for the domain and can be prefixed with one of four qualifiers:

If a domain has no SPF record at all, the result is “None”. If a domain has a temporary error during DNS processing, you get the result “TempError” (called “error” in earlier drafts). If some kind of syntax or evaluation error occurs (eg. the domain specifies an unrecognized mechanism) the result is “PermError” (formerly “unknown”).

Evaluation of an SPF record can return any of these results:

This mechanism always matches. It should always go at the end of the SPF record.

The argument to the “ip4:” mechanism is an IPv4 network range. If no prefix-length is given, /32 is assumed (singling out an individual host address). Be careful to include a prefix-length greater than /16, as delivery to small smaller receivers may be impacted.

The argument to the “ip6:” mechanism is an IPv6 network range. If no prefix-length is given, /128 is assumed (singling out an individual host address).

All the A records for domain are tested. If the client IP is found among them, this mechanism matches. If the connection is made over IPv6, then an AAAA lookup is performed instead.

If domain is not specified, the current-domain is used.

The A records have to match the client IP exactly, unless a prefix-length is provided, in which case each IP address returned by the A lookup will be expanded to its corresponding CIDR prefix, and the client IP will be sought within that subnet.

All the A records for all the MX records for domain are tested in order of MX priority. If the client IP is found among them, this mechanism matches.

If domain is not specified, the current-domain is used.

The A records have to match the client IP exactly, unless a prefix-length is provided, in which case each IP address returned by the A lookup will be expanded to its corresponding CIDR prefix, and the client IP will be sought within that subnet.

The hostname or hostnames for the client IP are looked up using PTR queries. The hostnames are then validated: at least one of the A records for a PTR hostname must match the original client IP. Invalid hostnames are discarded. If a valid hostname ends in domain, this mechanism matches.

If domain is not specified, the current-domain is used.

If at all possible, you should avoid using this mechanism in your SPF record, because it will result in a larger number of expensive DNS lookups.

Perform an A query on the provided domain. If a result is found, this constitutes a match. It doesn’t matter what the lookup result is – it could be 127.0.0.2.

When you use macros with this mechanism, you can perform RBL-style reversed-IP lookups, or set up per-user exceptions.

The specified domain is searched for a match. If the lookup does not return a match or an error, processing proceeds to the next directive. Warning: If the domain does not have a valid SPF record, the result is a permanent error. Some mail receivers will reject based on a PermError.

Trust relationships — The “include:” mechanism is meant to cross administrative boundaries. Great care is needed to ensure that “include:” mechanisms do not place domains at risk for giving SPF Pass results to messages that result from cross user forgery. Unless technical mechanisms are in place at the specified other domain to prevent cross user forgery, “include:” mechanisms should give a Neutral rather than Pass result. This is done by adding “?” in front of “include:”.

Modifiers are optional. A modifier may appear only once per record. Unknown modifiers are ignored.

The SPF record for domain replace the current record. The macro-expanded domain is also substituted for the current-domain in those look-ups.

If a ‘redirect’ modifier is used, the SPF record should not also include the ‘all’ mechanism.  If both are present, the ‘redirect’ modifier is ignored.  Any ‘redirect’ modifiers beyond the first will be ignored.

If an SMTP receiver rejects a message, it can include an explanation. An SPF publisher can specify the explanation string that senders see. This way, an ISP can direct nonconforming users to a web page that provides further instructions about how to configure SASL.

The domain is expanded; a TXT lookup is performed. The result of the TXT query is then macro-expanded and shown to the sender. Other macros can be used to provide an customized explanation.

The exp modifier may only contain printable ASCII characters.

Over the past decade, it’s become increasingly easier to send email.  Countless Sources have entered the marketplace, each providing a specialized toolset tailored to address modern day needs of marketers, developers and small businesses.  Along with this expansion, email authentication, specifically SPF, has become an increasingly complex matter to navigate.

Within the SPF RFC specification (essentially internet law) their lies a practical limit of how many “DNS-querying mechanisms” a single SPF record can contain. That limit is ten. The ten max lookup states that a domain administrator (that’s you!) will not require the likes of Gmail or other receivers to conduct more than ten consecutive DNS lookups to see if you authorize a particular IP address to send mail on your behalf.

As it has become somewhat commonplace for any single organization to authorize a large number of disparate netblocks (due to the outsourced nature of email infrastructure), there remains what seems like the constant and unnecessary encroachment on the ten max lookup.  This limit however remains entirely practical and should be observed to ensure timely delivery and favorable inbox rates.  Further, the solution to avoid the limit is squarely addressed by other mainstream email best practices, long encouraged by major inbound receivers such as Gmail and Yahoo.

The single most practical solution to avoid the ‘too many lookups’ issue is to make use of sub-domains.  As each discrete sub.domain is afforded it’s own ten lookup max, SPF is effectively boundless.  Example:  hello.com is permitted ten lookups + sub.hello.com is permitted ten lookups.  Plainly put, you should never run in to the ten max lookup condition if you are correctly segmenting different mail streams (eg. transactional, corporate, marketing, etc.) on to discrete name space.

In this sub section “delivery tips’ of the Gmail postmaster site, it is recommended to;

• Use separate email addresses
• Send mail from different domains and/or IP addresses

In summary, you shouldn’t ever run in to the 10 lookup max. If you do, we’ve outlined some additional strategies and knowledge-base materials on how to navigate.

Additional Reading:

– Video: How SPF works – Link
– Additional reading on ‘too many lookups’ – Link
– Common misconceptions on SPF – Link
– SPF Surveyor Tool – Link