Ensuring effective email deliverability and bolstering security are two critical priorities for businesses today. One major factor in both is the implementation of Sender Policy Framework (SPF) records, which can help reduce spam, phishing, and spoofing while ensuring legitimate emails are more reliably delivered. This article explores common SPF record examples to help you understand how to set up and customize SPF records to protect your domain.
Sender Policy Framework (SPF) is a kind of DNS record that identifies the mail servers permitted to send emails for a specific domain. Through SPF, domain administrators can enumerate all IP addresses, domains, or subdomains that are allowed to dispatch emails on their behalf. When an email server gets a message, it consults the SPF record to ensure that the sender has permission to utilize that domain. This mechanism helps block unauthorized senders or spoofers from masquerading as your domain and improves the chances of your emails being delivered by verifying their legitimacy.
When a recipient’s mail server receives an email, it uses the SPF record to verify whether the email originated from an authorized sender. Here’s a step-by-step breakdown:
SPF records act as a safeguard against email spoofing, phishing, and various other email-related threats. Additionally, they enhance the chances of legitimate emails reaching their destination without being flagged as spam. When an SPF record is established, recipient servers are more inclined to recognize and trust messages originating from your domain.
To create an SPF record, you need to define its syntax, which contains several elements. Here’s a quick overview:
Let’s move on to some common examples of SPF records.
A basic SPF record allows only specific IP addresses to send emails on behalf of a domain. For instance:
v=spf1 ip4:203.0.113.1 -all
In this example:
This basic SPF record is useful for small businesses or personal domains using a single mail server.
If you use more than one mail server to send emails, you can include multiple IP addresses in your SPF record:
v=spf1 ip4:203.0.113.1 ip4:203.0.113.2 -all
This example authorizes two IP addresses. By adding multiple IPs, you can ensure all your mail servers are permitted to send emails, reducing the risk of legitimate emails being rejected.
When using third-party services like Gmail or Mailchimp to send emails, you need to "include" those services in your SPF record:
v=spf1 include:_spf.google.com -all
In this example:
The "include" mechanism is essential for businesses that rely on external email services.
Instead of a strict fail (-all), you might use a "soft fail" (~all) if you want to allow emails from unknown sources but mark them as suspicious:
v=spf1 ip4:203.0.113.1 ~all
In this context, ~all indicates that emails originating from unauthorized IP addresses are flagged as possibly fraudulent rather than being completely blocked. This approach is beneficial for testing purposes or in situations where there is doubt regarding the legitimacy of all approved sending sources.
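The four records above, evaluated against sender IPs by a small Python checker for the ip4, include and all mechanisms. This is an added example, not part of the original article. The domain names in ZONE and the address range given for _spf.google.com are constructed sample data standing in for DNS lookups.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumption: a real
# checker would query DNS; the _spf.google.com range below is made up).
ZONE = {
    "single.example": "v=spf1 ip4:203.0.113.1 -all",
    "multi.example": "v=spf1 ip4:203.0.113.1 ip4:203.0.113.2 -all",
    "hosted.example": "v=spf1 include:_spf.google.com -all",
    "testing.example": "v=spf1 ip4:203.0.113.1 ~all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms


def check_spf(domain, sender_ip, _lookups=None):
    """Evaluate mechanisms left to right; the first match decides the result."""
    lookups = _lookups if _lookups is not None else [0]
    record = ZONE.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(value, sender_ip, lookups)
            if inner in ("none", "permerror"):
                return "permerror"
            # include matches only when the included policy returns pass;
            # the included record's own -all/~all does not propagate.
            matched = inner == "pass"
        else:
            return "permerror"  # a, mx, ip6 etc. are outside this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all"
```

Note the hosted.example case: an IP outside the included range gets "fail" from the outer -all, not "softfail" from the included record's ~all.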