If you’re an email administrator or someone who sends a lot of emails, you may have heard of SPF records. SPF stands for Sender Policy Framework and it is an email authentication protocol used to detect and prevent email spoofing. In this article, we will explore what SPF records are, how they work, and why they are important.
What are SPF records?
An SPF record is a DNS TXT record published on a domain name that lists which mail servers are authorized to send email using that domain as the envelope sender. The record contains IP addresses or networks (ip4: and ip6: mechanisms) and references to other domains' SPF records (include: mechanisms). When a message arrives, the receiving server looks up the SPF record for the domain in the envelope sender address (the SMTP MAIL FROM address, later visible as Return-Path) and checks whether the IP address of the connecting server is authorized by it.
For example, this is what the United States Postal Service’s SPF record looks like:
v=spf1 ip4:56.0.84.0/24 ip4:56.0.103.0/24 ip4:56.0.143.0/24 ip4:56.0.146.0/24 ip4:56.0.86.0/24 include:spf.protection.outlook.com -all
How do SPF records work?
SPF is evaluated on the SMTP connection, not on the message body. When the sending server connects, it states the envelope sender address in the MAIL FROM command; this is the address SPF checks, and it is not necessarily the same as the From: address the recipient sees in their mail client. The receiving server takes the domain from that address, fetches its SPF record, and tests the connecting IP address against the record's mechanisms from left to right. The first mechanism that matches decides the result, using its qualifier: an authorized address yields pass, and the trailing "all" mechanism catches everything else and yields fail (-all) or softfail (~all). What happens next is the receiver's policy: a fail is commonly grounds for rejection or spam filtering, a softfail is usually accepted but scored, and the SPF result also feeds into DMARC evaluation if the domain publishes a DMARC policy.
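As an added illustration of the check described above (example code written for this article, not part of any SPF library or mail server), the following Python models how a receiver evaluates the envelope-sender domain's record against the connecting IP address. DNS is replaced by a constructed in-memory table of hypothetical zones that use documentation address ranges; only the ip4, ip6, include and all mechanisms are implemented, which is enough to show how the qualifier of the first matching mechanism becomes the result, how include recursion works, and how a broken include turns into permerror.

```python
import ipaddress

# Constructed stand-in for DNS: hypothetical zones keyed by name, using
# RFC 5737/3849 documentation address ranges. Real code queries TXT records.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "broken.example": "v=spf1 include:does-not-exist.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms


def parse_terms(record):
    """Split a record into (qualifier, mechanism, argument) tuples, in order."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qual = "+"                      # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        terms.append((qual, name.lower(), arg))
    return terms


def check_host(ip, domain, lookups=None):
    """Evaluate <ip> against <domain>'s SPF record.

    Returns one of the RFC 7208 results modelled here:
    'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or 'permerror'.
    """
    if lookups is None:
        lookups = [0]                   # shared counter across include recursion
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_terms(record):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, lookups)
            if sub in ("none", "permerror"):
                return "permerror"      # the included record is unusable
            matched = sub == "pass"     # fail/softfail/neutral inside include = no match
        else:
            # a, mx, ptr, exists and modifiers such as redirect= need live DNS
            raise NotImplementedError(f"term {mech!r} not modelled in this example")
        if matched:
            return QUALIFIERS[qual]     # first matching mechanism decides
    return "neutral"                    # nothing matched and no "all" present


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "example.com"), ("198.51.100.10", "example.com"),
                    ("203.0.113.9", "example.com"), ("203.0.113.9", "softfail.example"),
                    ("192.0.2.7", "broken.example")]:
        print(f"{ip:>16} from {dom:<22} -> {check_host(ip, dom)}")
```

Note the two subtleties the code makes visible: a softfail or fail inside an included record does not propagate, it simply means "this include did not match", so the outer record's own "all" decides; and an include of a domain with no record is a permerror for the whole evaluation, not a silent no-match.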
Why are SPF records important?
SPF records are important because they let receiving servers detect email spoofing, where someone sends mail pretending to come from your domain, typically for phishing or spam. By publishing an SPF record, a domain owner gives receivers a way to recognize mail that uses the domain as envelope sender but comes from a server the owner never authorized, which protects both the brand and its customers. One caveat: SPF only covers the envelope sender, so an attacker can still place your domain in the visible From: header while using a domain of their own in the envelope. Closing that gap is what DMARC is for, since it requires the From: domain to align with the domain that passed SPF (or DKIM).
How to create and configure an SPF record?
Creating an SPF record is a straightforward process. Here are the steps to create an SPF record:
Step 1: Determine which mail servers are authorized to send emails on behalf of your domain. This can include your own email server, your email service provider, or any other service that you use to send emails. For example, if you use an outside service to send mass mailers that appear to come from your company, you need to allow that service to send on behalf of your domain, so its sending IP addresses or its SPF include domain must be in your record; otherwise many of those messages will be blocked or flagged as spam by the recipients' mail servers or spam filters.
Step 2: Create an SPF record. The SPF record is a TXT record that is added to your DNS server or host. Here is an example of an SPF record:
v=spf1 include:_spf.google.com ~all
or
v=spf1 include:_spf.nyc.gov include:spf.protection.outlook.com mx -all
If you are using Microsoft 365 for mail hosting, your basic SPF record would look like this:
v=spf1 include:spf.protection.outlook.com -all
You will want to create a TXT record in your domain's DNS settings with the following shape:
v=spf1 ip4:[address or network] include:[provider domain] -all
The "v=spf1" tag identifies the record as SPF version 1. Replace "[address or network]" with each IPv4 address or CIDR range that is authorized to send for your domain, one "ip4:" mechanism per entry (use "ip6:" for IPv6 addresses). If a third-party service sends on your behalf, reference its published record with the "include:" mechanism, as in "include:spf.protection.outlook.com", rather than copying its addresses. Mechanisms are evaluated left to right, and the "all" mechanism at the end catches every server that nothing before it matched.
The following qualifiers exist for the "all" mechanism:
+all: allows any server to send email for your domain (not recommended; it makes the record meaningless)
-all: hard fail – tells receivers that any server not listed earlier in the record is not authorized and the message should be rejected
~all: soft fail – tells receivers that the server is probably not authorized; receivers normally accept the message but treat it as suspicious or score it as spam
?all: neutral – makes no statement about unlisted servers, which is equivalent to having no SPF record for them
You should use the "-all" qualifier at the end of your SPF record. This tells receiving servers to reject emails that fail the SPF check, rather than just marking them as spam. Reserve "~all" for the rollout phase, while you are still discovering which services send on your behalf and want a mistake to cost some deliverability rather than lost mail, and move to "-all" once the record is complete. Bear in mind that how a softfail is handled is up to the receiver; many will still deliver the message to the inbox with a higher spam score.
There are some best practices you should follow when it comes to SPF records:
- Use the "include" mechanism for services you do not run yourself instead of listing their IP addresses individually, so that your record stays correct when the provider changes its addresses. Be aware, though, that every include (like a, mx, ptr, exists and redirect) costs a DNS lookup when the record is evaluated, and RFC 7208 caps a record at 10 lookups in total, counted through nested includes; beyond that receivers return permerror and your mail is treated as if the record were invalid.
- Publish only one SPF record per domain. RFC 7208 requires receivers to treat a domain with more than one TXT record starting with "v=spf1" as a permanent error, which fails every message, so put all of your senders into a single record.
- Test your SPF record regularly to ensure that it is working correctly. Use online tools like the SPF Record Testing Tool provided by MXToolbox to check your SPF record.
- Monitor your email deliverability and SPF failures. If you notice a high rate of SPF failures, it may be a sign that your SPF record needs to be updated or revised.
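The checks in the list above can be automated before a record goes live. The following Python linter is an added example (not code from the page's author or from MXToolbox) that reads the TXT records for a domain from a constructed, hypothetical in-memory table in place of DNS, flags the cases called out above (more than one v=spf1 record, a +all or ~all ending, the RFC 7208 limit of 10 DNS-querying terms) and follows include and redirect chains when counting lookups. Domain names and addresses are constructed for the example.

```python
# Constructed stand-in for DNS: every TXT record published at each hypothetical
# name. Real code would query TXT records for the domain.
TXT_RECORDS = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.good.example -all"],
    "_spf.good.example": ["v=spf1 a mx -all"],
    "loose.example": ["v=spf1 include:_spf.good.example +all"],
    "double.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],
    "deep.example": ["v=spf1 " + " ".join(f"include:hop{i}.example" for i in range(11)) + " -all"],
}
for _i in range(11):
    TXT_RECORDS[f"hop{_i}.example"] = ["v=spf1 mx ~all"]

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}   # each costs a DNS query
KNOWN_TERMS = LOOKUP_MECHS | {"ip4", "ip6", "all", "redirect", "exp"}
MAX_LOOKUPS = 10                                          # RFC 7208 section 4.6.4


def term_name(term):
    """'~include:x', 'a/24', 'redirect=y', 'ip6:2001:db8::/32' -> mechanism/modifier name."""
    return term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()


def spf_record(domain):
    """Return the one SPF record for domain; zero or several is a permanent error."""
    recs = [r for r in TXT_RECORDS.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(recs) != 1:
        raise ValueError(f"{domain}: expected exactly one SPF record, found {len(recs)}")
    return recs[0]


def count_lookups(domain, path=()):
    """Count DNS-querying terms for domain, following include: and redirect= chains."""
    if domain in path:
        raise ValueError(f"{domain}: include/redirect loop via {' -> '.join(path)}")
    total = 0
    for term in spf_record(domain).split()[1:]:
        name = term_name(term)
        if name in LOOKUP_MECHS or name == "redirect":
            total += 1
        if name == "include":
            total += count_lookups(term.split(":", 1)[1], path + (domain,))
        elif name == "redirect":
            total += count_lookups(term.split("=", 1)[1], path + (domain,))
    return total


def lint(domain):
    """Return a list of problems with domain's SPF setup; an empty list means clean."""
    problems = []
    try:
        terms = spf_record(domain).split()[1:]
    except ValueError as exc:
        return [str(exc)]

    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        problems.append("'+all' authorizes every host on the internet to send as this domain")
    elif last == "~all":
        problems.append("'~all' only soft-fails unauthorized senders; switch to '-all' once "
                        "all legitimate senders are listed")
    elif last != "-all":
        problems.append("record does not end with an 'all' term; unmatched senders get 'neutral'")

    for term in terms:
        name = term_name(term)
        if name not in KNOWN_TERMS:
            problems.append(f"unknown term {term!r}")
        elif name == "ptr":
            problems.append("'ptr' is discouraged by RFC 7208 and slow to evaluate; replace it")

    try:
        n = count_lookups(domain)
        if n > MAX_LOOKUPS:
            problems.append(f"{n} DNS lookups exceed the limit of {MAX_LOOKUPS}; "
                            "receivers will return permerror")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    for dom in ("good.example", "loose.example", "double.example", "deep.example"):
        print(dom, "->", lint(dom) or "OK")
```

The lookup count is the check most often missed by hand: a record that looks short can hide a dozen lookups inside its providers' includes, which is why the counter walks each include and redirect recursively and tracks the current path to catch loops.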
In conclusion, SPF records are an essential tool for detecting email spoofing and protecting your brand and customers. By creating and configuring an SPF record, you tell receiving servers which servers are authorized to send email on behalf of your domain, so that mail from anywhere else can be rejected or filtered, reducing the risk of phishing attacks and spam. It's a simple process that can have a significant impact on your email security.