How To Create An SPF Record: Best Practices For Email Authentication

The Sender Policy Framework (SPF) is an essential technique for authenticating emails, designed to combat email spoofing and phishing schemes. It enables domain administrators to designate which mail servers are permitted to send messages on behalf of their domain. Upon receiving an email, the mail server of the recipient consults the SPF record found in the sender’s DNS configuration to confirm whether the email comes from an approved source.

Properly implementing SPF enhances both email deliverability and security while also decreasing the likelihood of being marked as spam. This article will guide you through the process of creating an SPF record step-by-step and outline the best practices for effective email authentication.


What is an SPF Record?


An SPF record is a type of TXT record incorporated into a domain's Domain Name System (DNS). This record specifies which IP addresses and mail servers are authorized to send emails for that domain. Emails dispatched from servers not on this approved list could be flagged as spam or potentially blocked.






How to Create an SPF Record


1. Identify Authorized Email Servers

Before setting up an SPF record, identify every mail server and external service that dispatches emails using your domain. This encompasses:

  • Internal email servers like Microsoft Exchange, Postfix, or Sendmail

  • External email platforms such as Google Workspace, Microsoft 365, Mailchimp, or Salesforce

  • Web servers and applications that send out transactional emails


2. Understand SPF Syntax and Mechanisms

SPF records adhere to a particular format and consist of components that indicate which email servers have permission to send emails on behalf of a domain. The frequently used components are:

  • v=spf1: Indicates the version of SPF being used.

  • ip4: and ip6: Designate permitted IPv4 and IPv6 addresses.

  • a: Authorizes the IP addresses found in the domain's A record.

  • mx: Allows mail servers mentioned in the domain's MX records to send emails.

  • include: Pulls in another domain's SPF record, typically that of a third-party email service.

  • all: Defines the response for unauthorized emails (-all, ~all, ?all).


3. Construct the SPF Record

Here’s a simple example of an SPF record:

v=spf1 ip4:192.168.1.1 include:_spf.google.com -all

Breakdown:

  • v=spf1: Indicates this is SPF version 1.

  • ip4:192.168.1.1: Grants permission to this specific IPv4 address.

  • include:_spf.google.com: Permits the use of Google’s email servers.

  • -all: Denies emails from any sources not explicitly authorized.


4. Publish the SPF Record in DNS


After generating the SPF record, it needs to be incorporated into the DNS configuration for your domain:

  • Access your DNS hosting service (such as Cloudflare, GoDaddy, or Namecheap).

  • Go to the section dedicated to DNS management.

  • Create a new TXT record.

  • Input your domain name as the hostname (for example, example.com).

  • Insert the SPF record into the designated TXT record field.

  • Save your modifications and wait for the DNS changes to propagate.


5. Verify and Test the SPF Record

Once you've published the SPF record, ensure its accuracy by utilizing various online verification tools, including:

  • MXToolbox (https://mxtoolbox.com/SPFRecordLookup.aspx)

  • Google Admin Toolbox (https://toolbox.googleapps.com/apps/checkmx/)

  • Kitterman SPF Record Testing (https://www.kitterman.com/spf/validate.html)

These resources will help identify any mistakes and verify the validity of your SPF record.






Best Practices for SPF Implementation


Use include: for Third-Party Services

When utilizing various third-party email services, opt for the include: method rather than specifying each IP address. For instance:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all


Avoid Exceeding SPF Lookup Limits

SPF allows at most 10 DNS lookups per record evaluation. Exceeding this threshold causes SPF validation to fail. To prevent this issue:

  • Consolidate include: directives where possible.

  • Utilize ip4: or ip6: addresses rather than depending on numerous include: entries.

  • Consider using SPF flattening services if necessary.
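Added here as an example that is not part of the original article: an offline linter for the SPF syntax described above. It counts the terms that consume one of the 10 DNS lookups (include, a, mx, ptr, exists and redirect, as defined in RFC 7208) and reports the all qualifier, so a record can be checked before it is published. Nested include: records also count toward the limit, which this offline check cannot follow; the sample records are constructed.

```python
# Added example (not from the original article): an offline SPF record linter
# that parses mechanisms, counts the terms that each cost a DNS lookup
# (include, a, mx, ptr, exists, redirect) and checks the 'all' qualifier.
import re

# Mechanisms and modifiers that consume one of the 10 DNS lookups.
# Nested include: records also count, but this offline check cannot resolve them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_MEANING = {"-": "fail (hard)", "~": "softfail", "?": "neutral", "+": "pass"}


def lint_spf(record: str) -> dict:
    """Return a summary of the record: lookups used, 'all' qualifier, warnings."""
    terms = record.split()
    warnings = []
    if not terms or terms[0].lower() != "v=spf1":
        warnings.append("record must start with v=spf1")
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?", term, re.I)
        if not m:
            warnings.append(f"unparseable term: {term}")
            continue
        qualifier, name, value = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name == "all":
            all_qualifier = qualifier
            if term != terms[-1]:
                warnings.append("terms after 'all' are ignored")
        elif name in LOOKUP_TERMS:
            lookups += 1
        elif name in ("ip4", "ip6") and not value:
            warnings.append(f"{name} needs an address")
    if lookups > 10:
        warnings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    if all_qualifier is None:
        warnings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier in ("?", "+"):
        warnings.append(f"'{all_qualifier}all' does not restrict unauthorized senders")
    return {"lookups": lookups, "all": ALL_MEANING.get(all_qualifier), "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain's DNS.
    for rec in ("v=spf1 ip4:192.168.1.1 include:_spf.google.com -all",
                "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " ~all"):
        print(rec, "->", lint_spf(rec))
```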


Use -all for Strict Authentication

The -all mechanism rigorously upholds SPF by denying any senders that aren't authorized. If you're in the testing phase, consider using ~all (soft fail) before moving to -all.


Monitor SPF with DMARC Reports

Set up DMARC (Domain-based Message Authentication, Reporting, and Conformance) to gain visibility into issues with email authentication. Here’s a simple example of a DMARC record:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com;

This configuration asks receiving servers to quarantine emails that fail DMARC and to send aggregate reports to the designated email address. Visit www.autospf.com for more details.