What is an SPF record? How to check, create and publish an SPF record for your domain
Email has become an essential element of our personal and professional life in the digital age. However, as email usage has expanded, so has the prevalence of email spam and phishing attacks. To tackle this, email authentication systems such as SPF (Sender Policy Framework) have been developed to aid in the delivery of emails and the development of domain reputation. An SPF record is a quick and easy way to authenticate emails sent from your domain, and it can help prevent unauthorized emails from reaching your recipients’ inboxes. In this blog post, we will look in depth at SPF records and how they can help you safeguard your email reputation and improve email delivery.
What exactly is an SPF record?
SPF (Sender Policy Framework) is an email verification standard that aids in the prevention of spam, spoofing, and phishing. You can provide a public inventory of senders who are authorized to send emails from your domain by adding an SPF record to your Domain Name System (DNS). Receiving servers can then cross-check that the email came from a server authorized to transmit on your domain’s behalf.
Here’s a real-world example: Assume you’re sending transactional emails with an email API like Postmark and marketing emails with email tools like Campaign Monitor. You will add both services to your roster of approved senders by using an SPF record that looks like this:
Example of SPF record:
v=spf1 a:mail.download.zone ip4:192.72.10.10 include:_spf.google.com ~all
How does SPF record work?
There are two “from” email addresses in emails: the “envelope from” address and the “header from” address. The “header from” address is the one mail clients display to the person receiving the email. The user almost never sees the “envelope from” address.
Both can be forged. However, because the recipient can see it, the “header from” address is the one more commonly forged.
A domain’s SPF record is published as a Domain Name System (DNS) record. When you send an email, receiving mail servers look up the domain in the “envelope from” address and retrieve the SPF record associated with it. Your email fails the SPF check if your sending IP address is not listed in the SPF record of your “envelope from” domain.
If your domain’s SPF records are not configured, or are configured incorrectly, there is no SPF record to validate your sending IP address, and ISPs may mistake your email for forged email.
Mail servers frequently err on the side of caution and refuse mail from any domain that fails SPF authentication, even if the domain isn’t a known malicious sender and all other authentication protocols are in place.
In short, properly configured SPF records improve email deliverability by providing clear guidelines to recipient mail servers about who is allowed to send email from your domain name.
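The check described above, as an added example that is not part of the original post: a minimal evaluator for the ip4, ip6, include and all mechanisms, run against constructed TXT data instead of live DNS. The domains, addresses and the function name check_spf are assumptions; the a, mx, exists and redirect terms are not modelled.

```python
import ipaddress

# Constructed TXT data standing in for DNS (documentation addresses, not real senders).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example": "some-site-verification=abc123",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the envelope-from domain's record left to right; first match decides."""
    terms = TXT.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # no SPF record published
    if depth > 10:
        return "permerror"                  # runaway include chain
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term[1:] if term[0] in RESULTS else term
        name, _, arg = mech.partition(":")  # ip6 arguments keep their inner colons
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        elif name == "include":
            inner = check_spf(sender_ip, arg, depth + 1)
            if inner == "pass":             # only a pass inside the include is a match
                return RESULTS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"          # include target must publish a usable record
        else:
            return "permerror"              # term not modelled in this sketch
    return "neutral"                        # record has no terminating "all"
```

A sender outside every listed range falls through to the final `-all` and gets `fail`; the `~all` inside the included record only tells the outer record that the include did not match.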
How to create an SPF record for your email?
SPF records are stored as a TXT entry in your domain’s DNS. As a result, you can write an SPF record using a standard text editor. But first, you should determine whether you need to create a record at all.
A quick NSLOOKUP will show whether your domain has any published TXT entries. The most convenient way to perform a DNS lookup is to use an online lookup tool. Here are some options:
- https://mxtoolbox.com/spf.aspx
- https://www.spf-record.com/spf-lookup
To locate the SPF record for your domain, enter your domain name as it appears in your browser’s URL bar and look for TXT records. If your domain has a published SPF record, the result will look like this:
v=spf1 ip4:207.171.160.0/19 -all
This string of characters specifies the SPF version you’re using, the IP addresses permitted to send email on your domain’s behalf, and how to handle email received from unauthenticated senders.
If the DNS lookup result does not look like this, you must create an SPF record and publish it as a new DNS record.
Fortunately, setting up an SPF TXT record is simple, and you can do it in a text editor. Most of the work is preparation.
1. Determine all of the IP addresses from which you send emails
To avoid SPF authentication failures, you must be aware of all IP addresses that transmit email on behalf of your domain and include them in your SPF record.
Collect the IP addresses of all email services associated with your domain:
- Mail servers in the workplace.
- The web host.
- The mail server of your ISP.
- The mail service of your end users’ mailbox provider.
- Mail servers operated by third parties that send email on your behalf.
2. Compile an inventory of all of your sending email servers
If you send emails from multiple domains, you must create an SPF record for each one. Otherwise, your email deliverability will vary depending on the domain you send from.
You should also set up SPF records for any domains that do not send email. A domain without a published SPF record is vulnerable to spoofing. Spoofers frequently target non-sending domains because spoofing a domain is simple if there is no authoritative list of authorized senders.
3. Write an SPF record
Copy and paste the following into your SPF record .txt file:
v=spf1 ip4:[IP ADDRESS] -all
[IP ADDRESS] should be replaced with the IP address of your sending mail server. If you need to add more IP addresses, place a space after the last digit of the previous IP address and then type “ip4:[IP ADDRESS]” for each new IP address.
Add “include:[THIRD PARTY DOMAIN]” if you need to include a third-party domain.
Finish your SPF entry with “-all.” This tells ISPs that any email claiming to come from your domain that does not pass the SPF check should be rejected. It’s the most secure way to end your SPF record.
After you’ve finished, your SPF record should look like this:
v=spf1 ip4:12.34.56.78 ip4:23.45.67.89 include:thirdparty.example.com -all
You will not include any IP addresses for a non-sending domain. It will look like this:
v=spf1 -all
That’s all. Keep a copy of your SPF record. Your DNS server administrator is in charge of the final stage.
4. Publish your SPF record with your DNS
Finally, after you’ve defined your SPF entry, it’s time to publish it in your DNS. Mailbox providers such as Gmail, Hotmail, and others can then query it. Your DNS manager must publish the SPF record in your DNS. This can be an internal role within your company, you may have access to a dashboard provided by your DNS provider, or you can ask your DNS provider to publish the record.
Please ensure that your SPF record does not require more than 10 DNS lookups! Keep in mind that nested lookups are also counted: if an included domain has an A and an MX lookup, both count as lookups for your domain. You can use our free SPF record Checker to prevalidate your SPF record.
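How nested lookups add up, as an added example that is not part of the original post: a static worst-case counter that walks include and redirect chains through constructed TXT data. The domains and function names are hypothetical; the set of terms that cost a DNS query (include, a, mx, ptr, exists, redirect) follows RFC 7208.

```python
# Constructed TXT data standing in for live DNS (hypothetical domains).
TXT = {
    "example.com": "v=spf1 a mx include:_spf.vendor-a.example "
                   "include:_spf.vendor-b.example -all",
    "_spf.vendor-a.example": "v=spf1 include:_net1.vendor-a.example "
                             "include:_net2.vendor-a.example ~all",
    "_net1.vendor-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_net2.vendor-a.example": "v=spf1 a mx ~all",
    "_spf.vendor-b.example": "v=spf1 a:mail.vendor-b.example mx "
                             "exists:%{i}.bl.vendor-b.example ptr ~all",
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # each costs one DNS query
LIMIT = 10


def count_lookups(domain, path=()):
    """Count DNS-querying terms in a record, including those of nested records."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    terms = TXT.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"no SPF record at {domain}")
    total = 0
    for term in terms[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], path + (domain,))
            continue
        # "a/24" and "a:host" are both the "a" mechanism; ip4/ip6/all cost nothing
        name = term.split(":", 1)[0].split("/", 1)[0]
        if name in LOOKUP_TERMS:
            total += 1
        if name == "include":
            total += count_lookups(term.split(":", 1)[1], path + (domain,))
    return total


def within_limit(domain):
    """True when the record stays inside the 10-lookup budget."""
    return count_lookups(domain) <= LIMIT
```

The top-level record here has only four lookup terms of its own, yet the two vendor includes bring the total to 12, which a receiver treats as a permanent error.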
5. Access your DNS manager
Your SPF record needs to be published in your DNS:
- Log in to your domain account at your domain host provider;
- Locate the page for updating your domain’s DNS records (something like DNS management or name server management);
- Select the domain of which you want to modify the records;
- Open the DNS manager;
- Create a new TXT record in the TXT (text) section;
- Set the Host field to the name of your domain;
- Fill the TXT Value field with your SPF record (e.g. “v=spf1 a mx include:exampledomain.com ~all”);
- Specify the Time To Live (TTL), enter 3600 or leave the default;
- Click “Save” or “Add Record” to publish the SPF TXT record into your DNS.
It may take up to 48 hours for your new SPF record to take effect. Contact your domain host for assistance in adding TXT entries.
Obtaining Assistance from Your Email Service Provider
Your email service provider can also assist you in generating SPF records and guiding you through the process of publishing SPF records. Rejoiner checks the health of client email authentication setups and helps with email authentication protocol deployment and best practices implementation.
If your domain lacks an SPF record, adding SPF authentication will enhance domain security and email deliverability. Try adding one yourself, or inquire with your email service provider about how to improve your email authentication configuration.