Getting Your SPF Records Right

SPF, DKIM and DMARC are email validation protocols used to help control spam and minimize email forgeries. They work by verifying that senders are authorized to send messages on behalf of a domain. Having some or all of these technologies is good for your email deliverability and domain reputation.

SPF, short for Sender Policy Framework, identifies which IP addresses and mail servers are allowed to send email for a domain. Having a proper SPF record in your DNS can protect the reputation of your domain and limit spoofing of messages that use your domain.

Not having a valid SPF record or having an incorrect SPF record can be detrimental and may mean your messages are not hitting inboxes as frequently as they should.

Setting up an SPF record is relatively easy. All you need are some basic settings from your email provider and the ability to edit or create a TXT record in your domain’s DNS manager.

Chances are good that you already have an SPF record in place, possibly a default entry or one that was set up for another email service provider.  Make sure your SPF record is current and includes your email hosting provider and any other service providers you use to send emails for your domain.

In the example below, the SPF record lists four sources authorized to send email for a domain:

v=spf1 mx include:emailsrvr.com include:spf.greatmail.com include:mailgun.org -all

In this entry, the servers authorized to send messages include the domain’s MX or incoming mail servers, emailsrvr.com, spf.greatmail.com and mailgun.org. The -all ending says to fail or reject messages that do not originate from one of these sources.

A common problem we see, especially when switching from one provider to another, is an out-of-date SPF record. Not having your current email host in your SPF record may be more detrimental than not having an SPF record at all.
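One way to catch an out-of-date record after a provider change, as an added example that is not part of the original article: the Python below parses the record shown above and compares its include: entries with the providers you currently send through. The function names and the provider spf.newhost.example are hypothetical.

```python
# Added example: audit an SPF record against the providers you send through.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record from the article's example.
PAGE_RECORD = ("v=spf1 mx include:emailsrvr.com include:spf.greatmail.com "
               "include:mailgun.org -all")


def parse_spf(record):
    """Split an SPF record into (result, mechanism, value) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for part in parts[1:]:
        if "=" in part and ":" not in part.split("=", 1)[0]:
            continue  # modifier (redirect=, exp=), not a mechanism
        qualifier = "+"  # no prefix means pass
        if part[0] in QUALIFIERS:
            qualifier, part = part[0], part[1:]
        name, _, value = part.partition(":")
        name = name.split("/")[0].lower()  # drop a CIDR suffix such as mx/24
        terms.append((QUALIFIERS[qualifier], name, value.lower()))
    return terms


def audit_spf(record, current_providers):
    """Return findings; an empty list means nothing was flagged."""
    terms = parse_spf(record)
    wanted = {d.lower() for d in current_providers}
    includes = {value for _, name, value in terms if name == "include"}
    findings = [f"missing include:{d}" for d in sorted(wanted - includes)]
    findings += [f"stale include:{d}" for d in sorted(includes - wanted)]
    all_results = [result for result, name, _ in terms if name == "all"]
    if not all_results:
        findings.append("no 'all' mechanism at the end of the record")
    elif all_results[0] != "fail":
        findings.append(f"'all' is {all_results[0]}, not fail (-all)")
    return findings


if __name__ == "__main__":
    # Constructed scenario: mailgun.org was dropped and a hypothetical
    # provider, spf.newhost.example, was added, but DNS was never updated.
    now = ["emailsrvr.com", "spf.greatmail.com", "spf.newhost.example"]
    for finding in audit_spf(PAGE_RECORD, now):
        print(finding)
```

Run against the constructed scenario, it reports the new provider as missing and mailgun.org as a stale entry.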

Not sure if you have an SPF record? Looking up your domain’s SPF record with a tool like MXToolBox is a good place to start.

After you set up your SPF record, test it by sending messages to a provider like Gmail and checking whether they pass its SPF validation. Gmail shows the results of SPF checking in the message source. You can access this for a message by clicking the More menu (three vertical dots) and selecting Show Original. A header like the one below shows a passing SPF check:

Received-SPF: pass (google.com: domain of yes@example.com designates 200.10.201.11 as permitted sender) client-ip=200.10.201.11;

As mentioned earlier, your email host and any other providers you use to send messages will provide you with the details and syntax you need to include in setting up an SPF record.