DNS SPF Record
The DNS SPF record is used in mail domain reputation.
Last updated
The DNS SPF record is used in mail domain reputation.
Last updated
An SPF record is a TXT record that is part of a domain’s DNS (Domain Name Service). An SPF record lists all authorized hostnames / IP addresses that are permitted to send email on behalf of your domain.
The DNS SPF record is used in mail domain reputation. The Sender Policy Framework (SPF) allows a domain owner to specify in a DNS record the list of servers which can be trusted for sending email for the domain. The main objective is to reduce the amount of SPAM and phishing sent from a domain on behalf of the official servers.
The content of the SPF information is stored in a DNS TXT record with a prefix v=spf1 associated with a domain record. Multiple information can be provided and a useful include function is available for automatically inserting the SPF information from a provider.
Each mail server receiving an email from a server (eg MTA – mail transfer agent) can check whether the origin can be trusted and take a routing or delivering decision accordingly. By requesting the DNS SPF record associated to the sender domain, it can obtain the list of servers that are authorized to send email, either their IP address (field ip4 or ip6), their name (field a) or their mail exchanger (field mx).
Curious about this? Check any message in your inbox and take a look at the header (see source option), you may find a Received-SPF: header if this email has passed an SPF validation.
To protect your brand against spoofing and phishing attacks you have to authenticate your email.
The Sender Policy Framework (SPF) gives the ability to authenticate your email and to specify which IP addresses are allowed to send email on behalf of the specific domain.
In order to successfully implement SPF you first need to identify which mail servers are used to send email for your domain. These mail servers can be any sending organization, you should think of your Email Service Provider, Office mail server and any other third-party mail servers that may be used to send email for you.
Now you’ve got a clear overview of all sending domains, you have to create an SPF record for every domain, even if the domain doesn’t actively send email (more information about: How to secure inactive/parked domains).
Start with the SPF version, this part defines the record as SPF. An SPF record should always start with the version number v=spf1 (version 1) this tag defines the record as SPF. There used to be a second version of SPF (called: SenderID), but this was discontinued.
After including the v=spf1 SPF version tag you should follow with all IP addresses that are authorized to send email on your behalf. For example: v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e
Next, you can include an include tag for every third-party organization that is used to send email on your behalf e.g. include:thirdpartydomain.com. This tag indicates that this particular third party is authorized to send email on behalf of your domain. You need to consult with the third party to learn which domain to use as a value for the ‘include’ statement.
Once you have implemented all IP addresses and include tags you should end your record with an ~all or -all tag. The all tag is an important part of the SPF record as it indicates what policy should be applied when ISPs detect a server which is not listed in your SPF record. If an unauthorized server does send email on behalf of your domain, action is taken according to the policy that has been published (e.g. reject the email or mark it as spam).What is the difference between these tags? You need to instruct how strict servers need to treat the emails. The ~all tag indicates a soft fail and the -all indicates a hardfail. The all tag has the following basic markers: -all Fail – servers that aren’t listed in the SPF record are not authorized to send email (not compliant emails will be rejected). ~all Softfail – If the email is received from a server that isn’t listed, the email will be marked as a soft fail (emails will be accepted but marked). +all We strongly recommend not to use this option, this tag allows any server to send email from your domain.
There are many available SPF tags, more information can be found at the SPF parts explanation page.
• After defining your SPF record your record might look something like this:
For domains that aren’t sending email, we recommend you to publish the following record TXT: v=spf1 -all
Indicate that a domain does not send any mail by setting up an empty SPF record with a hard fail policy: