Key Takeaways: What is an SPF Record?
An SPF record is a security mechanism that legitimates a mail server to send emails on behalf of a certain domain.
How it works: A mail server receiving a new email can look up the SPF record published in the DNS settings of the sender's domain. This lets the receiving server verify whether the sending server is allowed to send emails on behalf of that domain.
The main advantages of an SPF record are:
- increased email deliverability (emails are not marked as spam)
- reduced risk of spoofing or phishing attacks for the sending domain
A Detailed Look: What is an SPF Record?
An SPF (Sender Policy Framework) record is a security mechanism that is used to verify whether a mail server is allowed to send emails on behalf of the given domain.
Before a new email shows up in your mailbox, your mail server checks if the IP address of the server sending the email is stated in the domain’s SPF record. If yes, everything is fine and you’ve got mail. If not, the email is rejected or moved to the spam folder.
➡️ Therefore, through the SPF record, the sender’s legitimacy is confirmed and it is much more unlikely that emails will be marked as spam. Furthermore, it is much harder for cyber criminals to pretend to be sending emails from your domain, reducing the risk of falling victim to spoofing and phishing attacks.
Is an SPF record mandatory?
No, an SPF record is not mandatory. However, without an SPF record, it is extremely likely that sent emails are rejected by the receiving email server.
This means that, nowadays, in most cases you won’t be able to send emails from a custom domain without an SPF record. This applies especially to large providers like Gmail or Yahoo!. Therefore, it is strongly recommended to add an SPF record to your domain’s DNS settings.
When should I use an SPF record?
An SPF record is only necessary if you wish to send emails using a custom domain name.
Example: If you use a Gmail address (ending with @gmail.com), you don’t need to worry about SPF records, as you’re not the owner of the domain gmail.com.
👍 Rule of thumb: If you use a custom domain name for your email address AND are the owner / manager of this email address (e.g. blog@mailjerry.com, mailjerry.com being the custom domain), you need to add an SPF record to your domain’s DNS settings.
What are the advantages of an SPF record?
By adding an SPF record to your domain,
- email deliverability is highly improved,
- your emails are less likely to be marked as spam,
- and your email address is protected against attacks (spoofing or phishing).
- In addition, an SPF record can easily be configured by simply adding a TXT record to the domain’s DNS settings.
How to set up an SPF Record for your Email Address:
It’s very easy to create an SPF record for your domain / email address. Here’s how it works:
Step 01: Create the SPF record
1. First, look up the IP address of your mail server.
Here’s a tutorial on how to easily find your mail server’s IP address: Find your Server IP.
2. In the template below, replace YOURIP with your mail server’s IP address and yourdomain.tdl with the name of your domain:
Template:
v=spf1 ip4:YOURIP include:yourdomain.tdl ~all
Example:
v=spf1 ip4:78.46.5.205 include:mailjerry.com ~all
Step 02: Add the SPF record to your DNS settings
1. Now log in to your domain management panel (= the place where you manage / purchased your domain)
2. Open the DNS settings and add a new TXT record:
Type: TXT
Host: @
Value: your SPF record (e.g. v=spf1 ip4:78.46.5.205 include:mailjerry.com ~all)
TTL: 300 (or the lowest possible value)
3. Save the DNS record and wait a few minutes for your SPF record to propagate.
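Before saving the record in Step 02, it is worth checking the text you are about to publish: a typo in the version tag, an invalid address, a typographic dash pasted from a web page, or more than ten lookup terms all make the whole record unusable. The following linter is an added example and not part of this page or any SPF library; it only checks syntax and does no DNS queries.

```python
import ipaddress

# RFC 7208 limits a record to 10 DNS-querying terms; more than that is a permerror.
MAX_DNS_LOOKUPS = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(record):
    """Return a list of problems in an SPF record string; an empty list means it looks good."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with 'v=spf1'"]
    problems, lookups, saw_all = [], 0, False
    if len(record) > 255:
        problems.append("longer than 255 characters: split it into several TXT strings")
    for pos, term in enumerate(terms[1:], start=1):
        body = term[1:] if term[0] in "+-~?" else term   # strip the optional qualifier
        sep = "=" if "=" in body.split(":")[0] else ":"   # modifiers use '=', mechanisms ':'
        name, _, arg = body.partition(sep)
        name = name.split("/")[0].lower()                 # allow a/24 or mx/24 style suffixes
        if name == "all":
            saw_all = True
            if pos != len(terms) - 1:
                problems.append("'all' must be the last term; later terms are ignored")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
                if net.version != int(name[2]):
                    problems.append(f"'{term}' mixes address families")
            except ValueError:
                problems.append(f"'{term}' is not a valid address or CIDR block")
        elif name in LOOKUP_TERMS:
            lookups += 1
            if name in ("include", "exists", "redirect") and not arg:
                problems.append(f"'{name}' needs a domain")
        else:
            # Catches typos and typographic dashes pasted from web pages (e.g. '–all').
            problems.append(f"unknown term '{term}'")
    if not saw_all:
        problems.append("no 'all' term: finish with ~all or -all")
    if lookups > MAX_DNS_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceed the limit of {MAX_DNS_LOOKUPS}")
    return problems
```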
🎉 That’s it! You successfully added an SPF record to your domain and increased the security of your email address and domain!
Tip: Look up the SPF record in your provider’s settings
Many email and web hosting companies provide the SPF record in the settings or admin panel of the user’s account.
➡️ Therefore, if you do not want to create the SPF record yourself, it’s always a good idea to log in to your customer portal (the place where you usually manage or add new email addresses) and look for a section called “settings”, “email system”, “email delivery” or something similar.
If you find your SPF record there, all that’s left to do is add it to your DNS settings (see step 02).
How Does an SPF Record Work?
Simply put, an SPF record associates your mail server with your domain and authorises your mail server to send emails using your domain.
This is how an SPF record works:
1. When receiving an email, the receiving mail server extracts the domain name from the sender’s email address.
2. For the given domain name, the mail server looks up the domain’s DNS settings, specifically the SPF record published in the DNS settings.
3. Now, the mail server compares the IP address of the server sending the email with the IP addresses published in the SPF record.
4. If the sending IP address matches one of them, the email is accepted and moved to the recipient’s inbox. If not, the email is either rejected or moved to the spam folder. This depends on the instruction included in the SPF record (“hard SPF fail” or “soft SPF fail”).
FAQ:
Frequent Questions about SPF Records
Do I have to use an SPF record?
No, but it’s highly advisable. There are, in fact, many email providers that automatically reject emails coming from a domain without a valid SPF (and DKIM and DMARC) record, e.g. Gmail. Furthermore, adding an SPF record makes it much harder for criminals to misuse your domain and email addresses!
How can I check my SPF record?
To check which SPF record is set for your domain, it’s most convenient to use an SPF checker like this one from MxToolbox.
Can I have multiple SPF records for my domain?
Yes, you can have multiple SPF records for your domain, but it’s not advisable as it can harm the reliability of your email system. If you wish to add a domain to an existing SPF record, you can do so by merging both domains into one SPF.
How can I add a domain to an existing SPF record?
To add another domain to an existing SPF record, simply add the domain to the existing one, separated by a space.
E.g.: v=spf1 include:_spf.google.com include:spf.mailjerry.com -all
Should I use ~all or -all at the end of the SPF record?
~all signals an SPF soft fail. This means that emails are marked as suspicious (e.g. moved to the SPAM folder), but are not immediately rejected.
-all signals an SPF hard fail: A hard fail tells the mail server to reject non-matching emails so they aren’t delivered at all.
Should I add an SPF record to a domain I’m not using to send emails?
Yes! If you own multiple domains but only use one (or a few) to send emails, you should also add an SPF record for domains that are not used for email communication. The SPF record protects the inactive domains and makes it hard for cyber criminals to try to use these domains for email spoofing.
What does the SPF record for a domain that’s not used to send emails look like?
For domains that are in your possession, but are not used to send emails, add the following SPF record:
v=spf1 -all
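The receiving-server check described under “How Does an SPF Record Work?”, together with the ~all / -all difference, the multiple-record question and the v=spf1 -all record for unused domains, as an added example that is not code from this page or from any mail software. DNS_TXT is a constructed in-memory stand-in for DNS; the hosts spf.mailjerry.com, parked.example, broken.example and loop.example and the 203.0.113.0/24 range are made up for the example.

```python
import ipaddress

# Constructed, in-memory stand-in for DNS TXT lookups so the example runs offline;
# the records, hosts and the 203.0.113.0/24 relay range are illustrative only.
DNS_TXT = {
    "mailjerry.com": ["v=spf1 ip4:78.46.5.205 include:spf.mailjerry.com ~all"],
    "spf.mailjerry.com": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "parked.example": ["v=spf1 -all"],                  # domain that never sends mail
    "broken.example": ["v=spf1 ip4:78.46.5.205 -all", "v=spf1 -all"],  # two records
    "loop.example": ["v=spf1 include:loop.example -all"],  # includes itself
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation

def spf_record(domain):
    """Return the domain's SPF record, None if it has none, 'multiple' if it has several."""
    found = [r for r in DNS_TXT.get(domain, []) if r.split()[:1] == ["v=spf1"]]
    if len(found) > 1:
        return "multiple"
    return found[0] if found else None

def check_host(ip, domain, budget=None):
    """Evaluate a sender IP against a domain's SPF record, as a receiving server does."""
    budget = budget if budget is not None else [MAX_DNS_LOOKUPS]
    record = spf_record(domain)
    if record == "multiple":
        return "permerror"  # several SPF records make the domain's policy unusable
    if record is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in QUALIFIER_RESULT else ("+", term)
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # lookup limit hit (this is what stops include loops)
            inner = check_host(ip, arg, budget)
            if inner in ("none", "permerror"):
                return "permerror"  # an include target must itself have a valid record
            matched = inner == "pass"  # include matches only when the inner check passes
        else:
            return "permerror"  # a, mx, exists and modifiers are outside this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term
```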
Is SPF better than DKIM?
No, SPF and DKIM are both security mechanisms that help to make your email system more secure. There isn’t one that is better, as they are rather complementary security measures that work hand in hand.
Since every security mechanism provides certain advantages (and disadvantages), it’s best to use a combination of multiple email security mechanisms to create a solid and resilient email infrastructure (namely: DKIM, SPF and DMARC).
Is SPF a DNS record?
Yes, an SPF record is a so-called “TXT record” that is stored in the DNS settings of your domain’s admin panel. The TXT record stores the list of IP addresses (and domains, via the “include” tag) that are allowed to send email using the given domain.
I use an email address with Microsoft Online Email Routing (e.g. mailjerry.onmicrosoft.com). Do I need a DKIM DNS record?
No. In this case, Microsoft creates and manages all keys automatically for you.
Do I have to set up DKIM even if I don’t use my custom domain to send or receive emails?
No. In fact, it’s recommended not to set up a DKIM record for domains that are not associated with an email address. The lack of a DKIM record for these domains prevents the domain from being abused for DKIM forgery.