SPF records list all the IP addresses allowed to send email as your business domain and tell recipients' mail servers how to handle messages that fail the SPF check. The record is a DNS TXT record published in your domain's DNS for public retrieval. An SPF record example will help you understand its syntax, which in turn will help you create one for every domain you send email from.
The major components of an SPF DNS record are mechanisms, modifiers, and qualifiers. Also, remember that there's a limit of 255 characters in a standard sender policy framework record.
SPF Record Example
SPF plays a key role in email authentication, phishing and spoofing prevention, and email deliverability. Let's consider an SPF record example and walk through it.
TXT @ "v=spf1 a include:spf.google.com ~all"
Here's what each of the elements means:
TXT: Indicates that the SPF record is stored in the DNS as a text record. TXT is the only accepted record type for SPF; the dedicated SPF DNS record type is considered obsolete now.
@: A placeholder that represents the current domain.
v=spf1: Tells the version of SPF used. As of now there is only one SPF version (v), which is why every SPF record begins with v=spf1.
a: States that the system behind the domain's A record is allowed to send email on behalf of the company's domain.
include: Use this tag to add the IP addresses of third-party vendors you allow to send email on your company's behalf, such as an outsourced marketing or PR agency.
~all: Instructs the recipient's mailbox to treat emails from any other source as suspicious and mark them as spam.
Image sourced from www.cyberhoot.com
Elements of an SPF Record
There are many components that can go into an SPF record. Here we have listed the most commonly used ones:
all: Used at the end of every SPF DNS record; it matches local and remote IPs.
ip4: Tells that the SPF record authorizes an IPv4 address or a range of IPv4 addresses. You have to add a prefix, and /32 is the default prefix value.
ip6: Tells that the SPF record authorizes an IPv6 address or a range of IPv6 addresses. You have to add a prefix, and /128 is the default prefix value.
a: Denotes all IPs in the domain's DNS A record.
mx: Denotes all A records for the individual MX records on the host's side.
ptr: Denotes all A records for the individual PTR records. Its use is discouraged because it is a slow and unreliable mechanism.
It tells about the systems allowed to send emails on behalf of the company using their domain.
include: Helps add a third-party sender's IP addresses so they can send email on your behalf.
The above mechanisms are prefixed with one of the following qualifiers.
| Qualifier | Action Taken by Receiving Mail Servers with a Match |
| --- | --- |
| + (Pass) | This SPF qualifier indicates that the email has passed the verification check (meaning the sender is genuine) and it will land in the recipient's primary inbox. This is the default action taken when a mechanism lacks a qualifier. |
| - (Fail) | Tells that the email failed the SPF verification process and won't land in the recipient's primary inbox. In this case, a softfail or hardfail takes place. In the case of a softfail, the failed email lands in the recipient's spam folder. |
| ~ (Softfail) | The recipient's mail server accepts the email message, and it lands in the spam folder. |
| ? (Neutral) | In this case, the email neither passes nor fails authentication checks, since the SPF record doesn't explicitly state whether the sender is authorized to send messages. ?all represents that there wasn't a match when checked against your permitted IP addresses and domains. |
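To tie the mechanisms and qualifiers together, here is an added example (not code from the original article) that parses an SPF TXT string into its qualifier, mechanism and value terms and evaluates a sending IP against the ip4, ip6 and all terms offline. The a, mx, include and ptr mechanisms need DNS lookups, so this checker deliberately skips them; the sample records and addresses are constructed for illustration.

```python
import ipaddress

# Qualifier -> SPF result, as in the table above ('+' is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT string into (qualifier, mechanism, value) terms.
    Modifiers such as redirect= are returned as ('modifier', name, value)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in terms[1:]:
        if "=" in term:                      # modifier, e.g. redirect=, exp=
            name, value = term.split("=", 1)
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"                      # no qualifier means '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6") and not value:
            raise ValueError(f"{mech} requires an address or network")
        parsed.append((qualifier, mech, value))
    return parsed


def check_ip(record, sender_ip):
    """Return the SPF result for sender_ip using ip4/ip6/all terms only.
    Terms needing DNS (a, mx, include, ptr, exists) are skipped here."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if qualifier == "modifier":
            continue
        if mech == "all":                    # 'all' always matches
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # A bare address gets the default prefix: /32 for ip4, /128 for ip6
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no 'all'


if __name__ == "__main__":
    # Constructed sample record and sender addresses (documentation ranges)
    policy = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"
    for sender in ("198.51.100.7", "2001:db8::1", "203.0.113.9"):
        print(sender, "->", check_ip(policy, sender))
```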
An error-free and correctly created SPF record, when combined with DMARC and DKIM, helps filter genuine and fraudulent emails sent from your domain. It also apprises you of illegitimate activities performed using your email-sending domain.