The Importance of SPF Record and How To Set It

What is SPF

SPF, or Sender Policy Framework, is a method of email authentication that helps to prevent email spoofing. In email spoofing, someone pretends to be the sender of an email by forging the sender’s email address. 

Using SPF, the true owner of an email domain can specify which servers and IP addresses are allowed to send emails from that domain. This information is published in the domain’s DNS records. When an email is received, the receiving server checks the SPF record to verify that the email is indeed coming from an authorized server for that domain. If not, it may mark the email as spam or reject it. 

It is important to note that SPF only authenticates the sending server and does not necessarily verify the sender’s identity. For more thorough email authentication, it is recommended to combine SPF with DKIM, DMARC, and BIMI which can result in major improvements to your email security.

Why use SPF record for your emails

SPF records are fundamental to email security because they guarantee that your domain is only sending emails from approved servers. 

Let’s explore the benefits of having a properly configured SPF email policy:

Security from email spoofing

An SPF record assists in preventing spoofing and phishing scams by affirming that the IP address sending the email is linked to the domain.

Improves deliverability

By securing your email server with SPF, you make it more difficult for attackers to use your domains to send spam. This helps protect your domain from ending up on global blacklists and DNS blacklists, and as a result, generally improves your email deliverability.

Improves domain reputation

By establishing SPF email policies, you are demonstrating to email services and blacklist sites. This decreases the likelihood of your emails being incorrectly marked as spam and improves your domain reputation with firewalls and other cybersecurity databases.

How it actually works

Scammers often attempt to masquerade as another company by altering the address in the FROM field. However, this scam can be easily thwarted if an SPF record is set up. With an SPF record in place, any email coming from a fraudster posing as someone else will be flagged as invalid by recipient mail servers. 

The SPF record contains the main criteria for verification: the sender’s domain and IP address. By comparing these two criteria of the sender in the SPF record with those of the incoming message, the recipient server makes a decision about the security of the message.

In short, the SPF algorithm works in several stages. For example, take sending a message from [email protected] to [email protected] using the Selzy email service provider:

1. The Selzy server with (for example) 1.3.4.7 IP address sends an email from [email protected] to [email protected].
2. Anydomain.com email server checks the DNS TXT type record for Selzy.com domain and detects the sending domain IP.
3. Anydomain.com email server looks for the IP address 1.3.4.7 which Selzy.com SPF record allows to send emails on its behalf.
4. If the sender’s IP address is on the list of “valid” IP addresses, the message goes to the “Inbox”. If not – it gets rejected or goes to SPAM.  

Every email passes through these steps. Graphically, the work of SPF filter looks as follows:

SPF syntax explained

Sender Policy Framework is a line in the TXT record of the domain. For example, it may looks like this:

To create an SPF record, qualifiers and mechanisms are used:

• Mechanisms describe who can send emails on behalf of the domain.
• Qualifiers are actions that determine what to do with the email after matching the mechanism.

Let’s look at the example above. V=spf1 is the version of SPF used.  +a +mx -all are tags to protect the domain from cheaters.

This record means that all servers listed in the mx and a records of DNS and those from IP 195.3.159.250 can send messages on behalf of the domain. In addition, you can receive messages from the servers listed in the gmail.com SPF-records. Emails from all other servers should be sent to spam without checking: ~all.

This is by no means the most complex SPF record. If necessary, it can hold even more parameters. 

Here’s a list of them:

How to add SPF record

Understand your return-path

The return-path header is a standard email protocol field that contains the address that the recipient’s email service should send bounces and auto-replies to. To see the return-path header for an email you’ve sent, you’ll need to view your message headers. The exact steps for doing so depend on what email provider or service you use.

In Gmail, for example, select a message in your inbox and then click the three dots icon. Then, click Show original to open the full message header.

The SPF check is directly related to the domain from the return-path header in the email. That is, the recipient email service looks for and checks the return-path address of your email in the list of allowed IP addresses. 

Make sure that the return-path header of outgoing emails from your domain contains the domain allowed in the SPF record.

Create your SPF record

Next we’ll look at creating an SPF record using the Selzy email service provider as an example. 

1. Go to Selzy settings. Click on your profile in the upper left corner of the screen and select “Settings” in the drop-down menu.

2. Go to the “Domain authentication” tab and click on the “Create” button.

3. Write your domain and click “Obtain settings”.

4. The settings will appear. You will then need to transfer these to the DNS zone of your hosting.

Update your DNS settings

For the next step, you will need access to edit the DNS records of the domain. 

1. Go to your DNS hosting control panel. If we take Dreamhost as an example, you need to open the DNS Settings page.

2. Create a TXT record by filling in the fields (their names may vary from provider to provider).

3. Wait for the changes to take effect. DNS servers need time to exchange information about the new DNS records. This can take up to 72 hours. If authentication is successful, your domain status will change to Enabled in your personal account on Selzy.

How to check the SPF record

To check if you have set it up correctly, use online tools to verify SPF or look up DNS records:

• DNSWatch
• MxToolbox
• SPF Record Checker
• SPF Syntax Validator

Let’s take MxToolbox as an example. In the search box, enter your domain. Click on the button so that a drop-down menu appears. Choose SPF Record LookUp.

In the output you either get a positive result with all records from the DNS zone, or the program will report that nothing is found.

You can also check if the SPF record is correct using a free syntax checker. Go to SPF Syntax Validator, insert the SPF record and press Enter.

If a green message appears after checking, the syntax is correct.

If it’s red, it’s a mistake. It is necessary to check if the SPF record is created correctly.

Final thoughts

1. SPF is a method of protecting email addresses from scammers and spammers. It’s a TXT record which consists of several commands. The TXT record is written and then placed in the DNS zone of the site.
2. SPF allows you to tell the brand or company from which servers emails can be considered as coming from you. If an email supposedly comes from a brand, but from an email address that was not specified beforehand, it will be treated as spam.
3. Using an SPF record can improve the security and deliverability of emails sent from your domain by preventing spoofing and phishing scams and protecting against being marked as spam. It also improves your reputation as a sender that prioritizes email security.
4. Use free services such as DNSWatch, MxToolbox, SPF Record Checker by DMARC Analyzer, SPF Syntax Validator to check SPF record correctness.