The Importance of SPF Record and How To Set It

Understanding the SPF record

Have you ever been scammed by someone using a fake email address that looks real? This is called “spoofing”. To prevent this from happening to your domain, create an SPF record. In this article, we will tell you what SPF is, how it works, and why it’s important to have one set up for your domain. The best part? We’ll show you how easy it is to configure an SPF record.

What is SPF

SPF, or Sender Policy Framework, is a method of email authentication that helps to prevent email spoofing. In email spoofing, someone pretends to be the sender of an email by forging the sender’s email address. 

Using SPF, the true owner of an email domain can specify which servers and IP addresses are allowed to send emails from that domain. This information is published in the domain’s DNS records. When an email is received, the receiving server checks the SPF record to verify that the email is indeed coming from an authorized server for that domain. If not, it may mark the email as spam or reject it. 

It is important to note that SPF only authenticates the sending server and does not verify the identity of the person who wrote the email. For more thorough email authentication, combine SPF with DKIM, DMARC and BIMI, which together can significantly improve your email security.


Why use SPF record for your emails

SPF records are fundamental to email security because they let receiving servers verify that mail claiming to come from your domain was sent by approved servers.

Let’s explore the benefits of having a properly configured SPF email policy:

Security from email spoofing

An SPF record helps prevent spoofing and phishing scams by confirming that the IP address sending the email is one the domain owner has authorized.

Improves deliverability

By securing your email server with SPF, you make it more difficult for attackers to use your domains to send spam. This helps protect your domain from ending up on global blacklists and DNS blacklists, and as a result, generally improves your email deliverability.

Improves domain reputation

By establishing SPF email policies, you demonstrate to email services and blacklist sites that you take email security seriously. This decreases the likelihood of your emails being incorrectly marked as spam and improves your domain reputation with firewalls and other cybersecurity databases.

How it actually works

Scammers often try to impersonate another company by altering the address in the FROM field. With an SPF record in place, recipient mail servers can flag mail from a fraudster posing as that company as invalid.

The SPF record supplies the main criteria for verification: the sender's domain and the IP addresses allowed to send for it. By comparing the sending IP of the incoming message against the record published for the sender's domain, the recipient server decides how to treat the message.

In short, the SPF check works in several stages. For example, take a message sent from test@selzy.com to test@anydomain.com using the Selzy email service provider:

  1. The Selzy server with (for example) IP address 1.3.4.7 sends an email from test@selzy.com to test@anydomain.com.
  2. The anydomain.com mail server looks up the DNS TXT record of the selzy.com domain and reads its SPF policy, which lists the IPs allowed to send for that domain.
  3. The anydomain.com mail server checks whether the sending IP address 1.3.4.7 is one that the selzy.com SPF record allows to send emails on its behalf.
  4. If the sender's IP address is on the list of "valid" IP addresses, the message goes to the Inbox. If not, it is rejected or goes to spam.

Every email passes through these steps. Graphically, the work of the SPF filter looks as follows:

SPF filtering in action

The list of IP addresses specified in the SPF record plays the central role in domain verification: it is this list that vouches for the sender. Therefore, include every IP that you allow to send messages for the domain (including those of your email service providers).

SPF syntax explained

An SPF record is a single line published in a TXT record of the domain. For example, it may look like this:

v=spf1 +a +mx +ip4:195.3.159.250 include:gmail.com ~all

To create an SPF record, qualifiers and mechanisms are used:

  • Mechanisms describe who can send emails on behalf of the domain.
  • Qualifiers are actions that determine what to do with the email after matching the mechanism.

Let's look at the example above. v=spf1 is the version of SPF used. The remaining terms (+a, +mx, +ip4:195.3.159.250, include:gmail.com and ~all) are the mechanisms, each with a qualifier, that define who may send for the domain and what to do with everyone else.

This record means that all servers listed in the domain's MX and A records, plus the server with IP 195.3.159.250, can send messages on behalf of the domain. In addition, the servers authorized by the gmail.com SPF record may also send on behalf of the domain (include:gmail.com). Emails from all other servers get a soft fail and should be marked as spam: ~all.

This is by no means the most complex SPF record. If necessary, it can hold even more parameters. 

Here is a list of the qualifiers and mechanisms and their meaning:

  • + : accept the message (pass). For example: +all – accept all emails.
  • - : reject the message (fail). For example: -all – reject all emails.
  • ~ : accept the email but mark it as spam (soft fail). For example: ~all – send all other emails to spam.
  • ? : neutral, neither pass nor fail.
  • mx : all addresses specified in the MX records of the domain.
  • ip4 : a particular IPv4 address or range. For example: ip4:195.3.156.134 – accept emails from IP 195.3.156.134.
  • a : the address in the A record of a domain. For example: +a – accept emails sent from an IP that matches the A record of the sending domain.
  • include : trust the servers allowed by the SPF record of another domain. For example: include:gmail.com – accept emails from the IPs that the SPF record of the gmail.com domain authorizes.
  • all : all other IPs not listed in the SPF record.
  • exists : check whether the given domain name resolves.
  • redirect : evaluate the SPF record of the specified domain instead of the current domain.
  • exp : specify an explanation message to be returned to the sender when the check fails. For example:

example.org. IN TXT "v=spf1 +a +mx -all exp=spf.example.org"

spf.example.org. IN TXT "You host not allowed email to me from this domain"
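To make the verification steps above and the qualifier and mechanism list concrete, here is a small SPF evaluator added for this article (it is not Selzy's code and not a complete RFC 7208 implementation). It replaces real DNS queries with a constructed in-memory table of made-up domains and addresses so it runs offline, and supports the ip4/ip6, a, mx, include and all mechanisms with the four qualifiers.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline: the domains,
# addresses and records below are made up for this article, not real ones.
FAKE_DNS = {
    "selzy.example": {
        "TXT": "v=spf1 +a +mx +ip4:195.3.159.250 include:relay.example ~all",
        "A": ["203.0.113.10"],
        "MX": ["mx1.selzy.example"],
    },
    "mx1.selzy.example": {"A": ["203.0.113.25"]},
    "relay.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
}

# Qualifier prefix -> SPF result when the mechanism it belongs to matches.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Fake DNS query: a TXT string, or a list of A / MX names (empty if none)."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def check_spf(domain, ip, depth=0):
    """Evaluate ip as a sender for domain: pass, fail, softfail, neutral or none."""
    if depth > 10:                        # simplified guard against include loops
        return "permerror"
    record = lookup(domain, "TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"                     # no SPF policy published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:       # skip the version tag
        qual = term[0] if term[0] in RESULT else "+"   # default qualifier is +
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        matched = False
        if name == "all":                 # catch-all, always last
            matched = True
        elif name in ("ip4", "ip6"):      # single address or CIDR range
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":                 # A record of the given or current domain
            matched = ip in lookup(arg or domain, "A")
        elif name == "mx":                # A records of the domain's MX hosts
            matched = any(ip in lookup(h, "A") for h in lookup(arg or domain, "MX"))
        elif name == "include":           # matches only if the other record passes
            matched = check_spf(arg, ip, depth + 1) == "pass"
        if matched:
            return RESULT[qual]           # first matching mechanism decides
    return "neutral"                      # nothing matched and no "all" term
```

Note how an include that fails does not reject the mail by itself; evaluation simply continues to the next term, which is why the trailing ~all or -all matters.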

The main function of SPF is to prevent spoofing attempts and other attacks on the sender's reputation. Its length and complexity depend on the desired level of protection and the skills of the person writing it. You can write it yourself, and below we will tell you how.

How to add SPF record

Understand your return-path

The return-path header is a standard email protocol field that contains the address that the recipient’s email service should send bounces and auto-replies to. To see the return-path header for an email you’ve sent, you’ll need to view your message headers. The exact steps for doing so depend on what email provider or service you use.

In Gmail, for example, select a message in your inbox and then click the three dots icon. Then, click Show original to open the full message header.

The SPF check is tied to the domain in the return-path header of the email. That is, the recipient email service looks up the SPF record of the return-path domain and checks whether the sending IP is in that record's list of allowed IP addresses.

Make sure that the return-path header of outgoing emails from your domain contains a domain whose SPF record allows the sending server.

Return-Path header in the email

Create your SPF record

Next we’ll look at creating an SPF record using the Selzy email service provider as an example. 

  1. Go to Selzy settings. Click on your profile in the upper left corner of the screen and select "Settings" in the drop-down menu.
Selzy ESP dashboard
  2. Go to the "Domain authentication" tab and click on the "Create" button.
Domain authentication tab in Selzy
  3. Write your domain and click "Obtain settings".
DKIM and SPF settings in Selzy
  4. The settings will appear. You will then need to transfer these to the DNS zone of your hosting.
Creation of SPF record in Selzy

Update your DNS settings

For the next step, you will need access to edit the DNS records of the domain. 

  1. Go to your DNS hosting control panel. If we take Dreamhost as an example, you need to open the DNS Settings page.
Dreamhost control panel
Source: Dreamhost
  2. Create a TXT record by filling in the fields (their names may vary from provider to provider).
Creation of a TXT record in DNS
Source: Dreamhost
  3. Wait for the changes to take effect. DNS servers need time to exchange information about the new DNS records. This can take up to 72 hours. If authentication is successful, your domain status will change to Enabled in your personal account on Selzy.
The domain status in Selzy with a set-up authentication

How to check the SPF record

To check if you have set it up correctly, use online tools to verify SPF or look up DNS records:

Let’s take MxToolbox as an example. In the search box, enter your domain. Click on the button so that a drop-down menu appears. Choose SPF Record LookUp.

Checking SPF record in MxToolbox

In the output you either get a positive result with all records from the DNS zone, or the tool reports that nothing was found.

Check results in MxToolbox

You can also check if the SPF record is correct using a free syntax checker. Go to SPF Syntax Validator, insert the SPF record and press Enter.

SPF Syntax Validator check process

If a green message appears after checking, the syntax is correct.


If it's red, there is a mistake, and you need to check whether the SPF record was created correctly.


Final thoughts

  1. SPF is a method of protecting email addresses from scammers and spammers. It is a TXT record made up of several mechanisms, written and then placed in the DNS zone of the site.
  2. SPF lets a brand or company declare which servers may send email on its behalf. If an email supposedly comes from the brand but originates from a server that was not listed beforehand, it will be treated as spam.
  3. Using an SPF record can improve the security and deliverability of emails sent from your domain by preventing spoofing and phishing scams and protecting against being marked as spam. It also improves your reputation as a sender that prioritizes email security.
  4. Use free services such as DNSWatch, MxToolbox, SPF Record Checker by DMARC Analyzer, SPF Syntax Validator to check SPF record correctness.

What else do you do to protect your domain and prevent spoofing?

Answer in comments