Understanding Sender Policy Framework (SPF)

SPF: What is it? Why it is important?

The SPF (Sender Policy Framework) in this article is related to email flow, not sunscreen … although mistakes with either SPF can cause you to get seriously burned.

DNS SPF records are essential to email flow from your business. An SPF record is the receiving server’s best way of confirming that the email it received really comes from the domain it claims to be from. While not every server rejects email based on SPF records, more and more do every day to cut down the massive amount of spam. If you want better assurance that your email is not going to spam or being dropped altogether by receiving email servers, I would highly recommend you check your SPF records.

Many companies have multiple sending sources, for example Office 365 and also a third-party media company sending client communications on your company’s behalf, or an email filtering service.

SPF records are external DNS TXT records, one for each domain. There should be only one SPF record per domain. Receiving servers need SPF to sort out which senders are legitimate.

Each DNS vendor’s management console is a little different, but follow along with the example below, taken from the domain registrar Network Solutions, of an SPF record:

[Image: SPF record as shown in the Network Solutions DNS management console]

Let’s break down the formatting of the SPF example above. If I were using only Office 365, the record would be:

v=spf1 include:spf.protection.outlook.com -all

Since this domain also uses the MXLogic email filtering service, the record also has:

include:mxlogic.net

For each legitimate sender, add an additional “include:” to the SPF record. Again, you should have only one SPF record, and it is limited to 256 characters, so plan accordingly.

If you have a server with a static IP address that sends mail, add its “ip4” entry instead of an additional include statement. For example:

ip4:1.2.3.4

You can specify ranges of IP addresses, but I would recommend you keep them as small as possible:

ip4:1.2.3.4/29

Combining all of those, for example, gives:

v=spf1 include:spf.protection.outlook.com include:mxlogic.net ip4:1.2.3.4/29 -all

If you see “-a” or “-ptr” in the SPF records, those are old SPF formats and typically not necessary. I would recommend removing them.

The next question is: what does that “-all” mean?

  • “-all” means these are the ONLY servers authorized to send for my domain; hard fail if there is no match.
  • “~all” means these are the main servers authorized to send for my domain; soft fail if there is no match.
  • “+all” means these servers plus ANYONE are authorized to send for my domain. We don’t recommend using this setting.
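To show how a receiving server actually walks a record like the combined example above and arrives at the hard fail, soft fail or pass described in the list, here is an added example (not code from the article or from any DNS provider). It evaluates a sender IP against an SPF record using the “include”, “ip4” and “all” terms from the article, with the first matching mechanism deciding the result, and it lints a domain’s records for the mistakes the article warns about: more than one record, “+all”, and the legacy “ptr” mechanism. DNS is replaced by a constructed in-memory table; the records assumed for spf.protection.outlook.com and mxlogic.net are made up for this example and are not those providers’ real records.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups. The example.com record is
# the combined record from the article; the contents of the included domains
# and of the other test domains are made up here and are not the real records.
FAKE_DNS = {
    "example.com": "v=spf1 include:spf.protection.outlook.com "
                   "include:mxlogic.net ip4:1.2.3.4/29 -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "mxlogic.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "soft.example": "v=spf1 ip4:1.2.3.4 ~all",
    "loose.example": "v=spf1 ip4:1.2.3.4 +all",
}

# Qualifier prefix -> SPF result; a mechanism with no prefix means "+" (pass)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        # mechanism names are case-insensitive, so "Ip4" and "ip4" are the same
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_host(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate sender IP 'ip' against the SPF record published for 'domain'.

    Mechanisms are tried left to right and the first match decides the result,
    which is why 'all' belongs last. 'include' evaluates the other domain's
    record and matches only if that evaluation returns pass.
    """
    record = dns.get(domain)
    if record is None:
        return "none"               # no SPF record published for this domain
    if depth > 10:                  # hypothetical guard against include loops
        raise ValueError("include nesting too deep")
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_record(record):
        if mech == "all":
            matched = True
        elif mech == "ip4":
            # ip4:1.2.3.4 is a single host; ip4:1.2.3.4/29 is a CIDR range
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        else:
            matched = False         # a, mx, ptr etc. are not evaluated in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                # ran off the end without an 'all' mechanism


def lint_records(records):
    """Return warnings for the SPF mistakes the article calls out.

    'records' is the list of TXT strings starting with v=spf1 found at a domain.
    """
    warnings = []
    if len(records) != 1:
        warnings.append(f"expected exactly one SPF record, found {len(records)}")
    for record in records:
        terms = parse_record(record)
        mechs = [mech for _, mech, _ in terms]
        if "all" not in mechs:
            warnings.append("no 'all' mechanism: unlisted senders get a neutral result")
        elif mechs[-1] != "all":
            warnings.append("'all' should be the last mechanism; later terms are never reached")
        for qualifier, mech, _ in terms:
            if mech == "all" and qualifier == "+":
                warnings.append("'+all' lets anyone send as this domain; use -all or ~all")
            if mech == "ptr":
                warnings.append("'ptr' is a legacy mechanism; remove it")
    return warnings


if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.9", "203.0.113.5", "198.51.100.7"):
        print(ip, "->", check_host(ip, "example.com"))
    print(lint_records([FAKE_DNS["loose.example"]]))
```

Running the block as a script shows 1.2.3.4 and the two included providers’ addresses passing for example.com while 1.2.3.9 (outside the /29) hits “-all” and fails; swapping in the soft.example or loose.example records shows the same unlisted address getting softfail or pass instead, which is exactly the difference the three bullets above describe. To use it against real records, replace the FAKE_DNS lookup with a TXT query for the domain and keep only the strings that start with v=spf1.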

There are many other settings that can be used, but I am not going to go into the history of SPF or its more advanced settings. The reason is that ideally you want these records brief and to the point so that email servers can quickly and easily resolve them. Don’t overcomplicate SPF.

To check whether your SPF records exist and are configured correctly, use this tool: simply enter your domain name and click “SPF Record Lookup”.

If you need any assistance setting up your SPF records, feel free to reach out to us by sending us an email or giving us a call at 502-240-0404!