Sender Policy Framework (SPF) is a publicly accessible (over the Internet) DNS record that lists all IPs you authorize to send legitimate emails using your domain. We strongly recommend creating an SPF record so that external recipients can recognize spoofed emails sent using your domain, and to avoid delivery issues with some recipients.

You can use any public DNS checker tool (for example, MX Toolbox) to check if your domain has an SPF record configured.

You can use this public tool to check if a certain IP address is included in the SPF record of a domain.


Where can I create or modify my SPF record?

An SPF record is a DNS record, so it can only be created or updated in the control panel of your domain’s DNS hosting provider. Although your DNS hosting provider can be the same company as your website, domain or mail provider, they are often all different. For steps on how to determine who your DNS hosting provider is, read the Knowledge Base article How Do I Find The DNS Provider Of My Domain?

Once you've determined who your DNS hosting provider is, log into their control panel and find where you can manage DNS records for your domain. The location differs from provider to provider: check their documentation, search the Internet or contact their support to find out where to navigate in their control panel. Here are instructions for Intermedia and for some of the most popular DNS hosting providers:


What settings should I use for my SPF record?

Once you've opened the DNS records editor in your DNS hosting provider's control panel, you will need 3 settings to configure or update an SPF record:

Important: first, check whether you already have a TXT record that starts with v=spf1; if you do, click to Edit it. Only if you don't, click to Add a new record.

DNS record type: TXT

Note: some DNS hosting providers (such as Amazon DNS Hosting) require you to publish the SPF record as two record types, TXT and SPF, instead of only the TXT record type. In this case, the SPF record type should have exactly the same value as the TXT one.

Host name/host/name: @ (this character stands for your domain)

Value:

  • If you are only sending emails from Intermedia the value should be:

    v=spf1 include:spf.intermedia.net ~all

  • If you are sending from 3rd party servers as well, the value should include Intermedia servers as well as all your 3rd party servers:

    v=spf1 include:spf.intermedia.net a mx ip4:your_smtp_server_IP include:your_smtp_server_spf_record ~all

    Below are some syntax rules that need to be taken into consideration when configuring an SPF record that includes more than one mechanism:
    • Every mechanism must be added after v=spf1 at the beginning of the record and before ~all/-all at the end. Any mechanism that is added after ~all/-all is not considered part of the SPF record.
    • Make sure there is exactly 1 space before and after each mechanism.
    • Make sure there is only 1 SPF record configured for your domain. Two or more separate SPF records will result in an SPF check error. This single record should include all IP ranges you are sending emails from.
    • There is a hard limit of 10 DNS lookups per SPF record. Every mechanism that does not list an IP or IP range explicitly (that is, anything other than ip4 or ip6) costs 1 additional lookup, because another DNS record has to be fetched to find the IPs: the A record for the a mechanism, the MX record for mx, and another SPF record for include. That included SPF record may itself contain include mechanisms, each of which costs a further lookup, and all of these add up toward the limit.
    • There is a hard limit of 255 characters for SPF records.

Important: due to the distributed nature of DNS, the SPF record you create following the instructions in this article may take from 15 minutes to 72 hours to propagate across the Internet. To check whether the propagation is finished, open this link, enter your domain and click Search. You will see whether the record has propagated to different locations (not all locations need to be green, just most of them).

There are two main SPF policies you can specify for emails that are coming from IPs not included in the SPF record:

  • ~all - If the SPF check fails, the result is a SoftFail. It means you recommend not rejecting the email solely on this result, but subjecting it to closer scrutiny than normal.
  • -all - If the SPF check fails, the result is a HardFail. It means you recommend rejecting the email if it is not coming from the IPs specified in the SPF record.

You can check if your SPF value syntax is correct using this online tool.

See this RFC document for full information on SPF syntax.


What can and must be included in SPF?

The SPF record can include:

  • The IP ranges of your mail provider’s outgoing servers
  • The IP ranges of your 3rd party email protection or encryption provider
  • Your website IPs if your website is used to send emails out
  • The IP of your copier/scanner
  • The IP ranges of any other 3rd party app that you are using to send emails directly to the Internet, i.e. not through one of the servers mentioned above. For example, there is no need to include the IPs of users' devices running Outlook or another mail app, because those apps connect to the mail provider’s outgoing servers to send emails; for the same reason there is no need to include an app that uses authenticated SMTP relay.

The SPF record must include all IPs that you are sending emails from to avoid delivery issues.


How can I read SPF?

To read an SPF record, you need to understand its components:

  • v=spf1 – every SPF record begins with this component; it identifies this TXT record as SPF (TXT records are used for many other purposes).
  • Mechanism: ip4, ip6, a, mx, include, all. They are used to designate a set of IP addresses as being authorized or not authorized to use your domain for sending mail.
    ip4/ip6: this mechanism explicitly tells you which IP or IP range is authorized to send emails using this domain.
    A/a: this mechanism tells you to check the IPs under the A record, either of the domain whose SPF record you are reading (if no domain is specified after a colon, i.e. plain a) or of the domain given after the colon (if there is one).
    MX/mx: this mechanism tells you to check the IPs under the MX record, either of the domain whose SPF record you are reading (if no domain is specified after a colon, i.e. plain mx) or of the domain given after the colon (if there is one).
    include: this mechanism tells you to check the SPF record of the domain after the colon for the list of authorized IPs. For example, include:spf.intermedia.net tells you to check the SPF record of spf.intermedia.net, and when you do, you will see the list of IPs Intermedia sends from.
    all: this mechanism is used as the rightmost one in a record to provide an explicit default. It always comes with a qualifier (usually - or ~; see the next bullet point of this section).
  • Qualifier: +, -, ~, ?. They are used before each of the mechanisms in the SPF record and tell you whether the set of IPs in the given mechanism is authorized or not to send from this domain (so it provides a policy for this particular mechanism). The use of a qualifier is optional and defaults to +.
    + (Pass) - the IP is authorized to send emails using this domain
    - (Fail) - the IP is not authorized to send emails using this domain
    ~ (SoftFail) - somewhere between a Fail and a Neutral. The domain believes the host is not authorized but is not willing to make that strong of a statement
    ? (Neutral) - the domain owner has explicitly stated that they cannot or do not want to assert whether or not the IP address is authorized; it is almost the same as not including the IP in SPF

Example: v=spf1 a include:spf.intermedia.net include:spf.ess.barracudanetworks.com ~all means that the list of allowed IPs is as follows:

  1. The IPs from the domain’s A record (a)
  2. The IPs from the SPF record of spf.intermedia.net (include:spf.intermedia.net)
  3. The IPs from the SPF record of spf.ess.barracudanetworks.com (include:spf.ess.barracudanetworks.com)
  4. If the sending IP of an email is not included in any of the IPs above, the SPF check gives a SoftFail result (~all)

You can use this public tool to check whether a certain IP address is included in the SPF record of a domain.

There are more components to SPF, but these are the main ones and knowing them will let you read and construct SPF in most cases.
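As an added illustration (not part of this article or of Intermedia's tooling), the following Python evaluator applies the reading rules above together with the syntax rules from the settings section: it splits a record into qualifiers and mechanisms, ignores anything after all, resolves a, mx and include against a constructed in-memory DNS table (the domain spf.mailhost.test and every address in it are made up), counts each non-ip4/ip6 mechanism against the 10-lookup limit, and reports a missing record, two records or more than 10 lookups as the failures the article describes.

```python
import ipaddress
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
FAKE_DNS = {  # constructed stand-in for DNS so this runs offline; documentation addresses, not real servers
    ("example.com", "TXT"): ["v=spf1 a mx include:spf.mailhost.test ip4:203.0.113.10 ~all"],
    ("example.com", "A"): ["198.51.100.5"],
    ("spf.mailhost.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("two.example", "TXT"): ["v=spf1 ip4:203.0.113.1 -all", "v=spf1 -all"],  # two SPF records
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],  # exceeds the 10-lookup limit
}
def lookup(name, rrtype):
    return FAKE_DNS.get((name, rrtype), [])

def parse(record):  # -> [(qualifier, mechanism, argument)]; anything after 'all' is ignored
    terms = []
    for term in record.split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)  # default is +
        mech, _, arg = term.partition(":")
        terms.append((qual, mech.lower(), arg))
        if mech.lower() == "all":
            break
    return terms

def check(ip, domain, counter=None):  # -> pass, fail, softfail, neutral, none or permerror
    counter = counter if counter is not None else {"lookups": 0}
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(records) != 1:             # no record, or more than one record: the check cannot pass
        return "none" if not records else "permerror"
    for qual, mech, arg in parse(records[0]):
        if mech == "all":
            return RESULT[qual]
        if mech in ("ip4", "ip6"):    # explicit addresses cost no DNS lookup
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        else:                         # a, mx and include each consume one of the 10 lookups
            counter["lookups"] += 1
            if counter["lookups"] > 10:
                return "permerror"
            target = arg or domain    # no ":domain" means the domain being checked
            if mech == "include":     # recurse into the other domain's SPF record
                sub = check(ip, target, counter)
                if sub == "permerror":
                    return sub
                hit = sub == "pass"
            elif mech in ("a", "mx"): # a: that domain's A record; mx: A records of its MX hosts
                hosts = [target] if mech == "a" else lookup(target, "MX")
                hit = any(ip in lookup(h, "A") for h in hosts)
            else:
                return "permerror"    # unknown mechanism is a syntax error
        if hit:
            return RESULT[qual]
    return "neutral"
```

Passing your own counter dict to check lets you see how many of the 10 lookups a record spends; the example.com record above costs 3 (a, mx and include) even though none of them match.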


How does SPF work?

There are 2 kinds of SPF checks that can be performed on all inbound emails: SPF check and SPF Alignment check.


SPF check

The SPF check verifies whether the sending IP address of the email is included in the SPF record of the sending domain. The check is performed for the domain in the Envelope from (or Mail From/Return address) address – this address is usually hidden from the recipient and only visible in the email headers. There are 3 possible results of the check:

  1. If the sending IP is included in the SPF record, then the result of the check is Pass and the email is considered authenticated.
  2. If the sending IP is not found in the SPF record, then the result of the check is Hard fail or Soft fail depending on the policy configured by the sender in their SPF record.
  3. If the domain has no SPF record, or its SPF record has incorrect syntax, the SPF check fails.

The action that will be applied to the emails that fail the SPF check depends mostly on the recipient side’s policy – the SPF record only contains a recommendation by the sender but the recipient decides whether to accept these emails, send them to Junk or reject them.


SPF Alignment check

The SPF alignment check verifies if the domain part of the Header from (the visible sender address) and Envelope from (the hidden sender address) addresses align. An SPF Alignment Pass result is given if one of these is true:

  • there is an exact match to the domains in the Header from & Envelope from addresses (e.g. example.com in the Header from and example.com in the Envelope from);
  • there is a parent/child match (e.g. example.com in the Header from and blue.example.com in the Envelope from). Only the Envelope from address is allowed to use a child domain (i.e. blue.example.com); if it is the Header from address that uses a child domain, the check fails.

Read this Knowledge Base article for a more detailed explanation of SPF Alignment with examples.
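Added example, not from the article: a Python check that pulls the Header from and Envelope from (Return-Path) domains out of a raw message and applies the two alignment rules above, including the dot-boundary and parent/child direction edge cases. The sample headers are constructed.

```python
import email
from email.utils import parseaddr

# Constructed sample: visible From is example.com, the bounce (Envelope From) is a child domain.
ALIGNED_MSG = 'Return-Path: <bounce@blue.example.com>\nFrom: "Alice" <alice@example.com>\nSubject: hi\n\nbody\n'
# Reverse case: child domain in the visible From, parent in the Envelope From, so not aligned.
REVERSED_MSG = 'Return-Path: <bounce@example.com>\nFrom: alice@blue.example.com\nSubject: hi\n\nbody\n'

def domain_of(address):
    """Domain part of an address or bare domain, lowercased, with any trailing dot removed."""
    return parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")

def spf_aligned(header_from, envelope_from):
    """Exact match, or the Envelope From domain is a child of the Header From domain.
    The dot boundary matters (notexample.com does not align with example.com) and the
    reverse direction, child domain in the Header From, is not allowed."""
    hdr, env = domain_of(header_from), domain_of(envelope_from)
    return bool(hdr) and (env == hdr or env.endswith("." + hdr))

def alignment_of(raw_message):
    """Read Header From and Envelope From (Return-Path) from a raw message and check alignment."""
    msg = email.message_from_string(raw_message)
    return spf_aligned(msg.get("From", ""), msg.get("Return-Path", ""))
```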

