SPF Record Settings

An SPF record, short for Sender Policy Framework record, is a specialized DNS record configured within the domain name system to help prevent unauthorized use of your domain in email communications. Fundamentally, an SPF TXT record is a DNS TXT record type that lists all authorized mail sources permitted to send emails on behalf of your domain. This makes it an essential part of your email authentication infrastructure, enabling email receivers to verify whether an incoming message’s mail from address aligns with the authorized sending IP addresses or domains specified by the domain owner.

When you set up SPF settings, you publish a DNS record at your DNS hosting service or domain registrar that defines which mail servers—identified by their IP4 or IP6 addresses, or domain names—are authorized to send emails for your custom domain or subdomain.

For example, an organization like contoso.com might create an SPF record allowing mail servers such as spf.protection.outlook.com (used by Microsoft 365) and their own on-premises Exchange Server to send mail for their domain. During SMTP transmission, receiving mail servers perform SPF evaluation by querying the domain’s DNS records to validate the authenticity of the mail source.

The Role of SPF in Email Authentication

SPF is one of several email authentication protocols designed to strengthen trust in electronic mail by authorizing valid mail sources explicitly. In conjunction with DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), the SPF record fortifies your email protection strategy against spoofing and phishing attacks.

During email delivery, the recipient’s server queries the domain name system for the SPF TXT record associated with the sender’s domain (extracted from the mail from address). The SPF evaluation process involves checking whether the originating mail source IP address is listed as authorized within the SPF TXT record. Depending on the SPF settings, the receiving server applies an enforcement rule—commonly a hard fail, soft fail, or neutral SPF result—to determine how to handle the message. For instance, a hard fail indicates unequivocal rejection due to invalid mail source authorization.

In Microsoft 365 environments, SPF plays a vital role in controlling mail flow to reduce business email compromise risks. Microsoft Defender for Office 365 and Exchange Server hybrid configurations rely heavily on properly configured SPF records, maintained through DNS hosting services linked to domain registrars, to validate mail source IP addresses and prevent spoofed emails from reaching the email inbox or circumventing spam filters.

Common Email Threats: Spoofing and Phishing Explained

Email spoofing is a fraudulent technique where attackers forge the mail from address in SMTP transmission to impersonate a trusted domain, often for malicious objectives such as phishing attacks or business email compromise. Spoofing harms the email domain reputation and undermines user confidence by proliferating spam, malware, and deceptive messages.

email protection

Phishing attacks leverage spoofing by crafting believable emails that trick recipients into divulging sensitive information or executing harmful actions. For domains with no SPF settings or improperly configured SPF TXT records, email spoof protection remains minimal, making them vulnerable targets. Spoofed emails may evade spam detection and land directly in the recipient’s email inbox, leading to data breaches or financial damage.

Parked domains and domains registered but unused without SPF record creation are frequent exploit targets since they lack mail source control. Bulk email services or bulk email service providers also play a role in managing authorized mail sources but require precise SPF record management to avoid DNS lookup errors and SPF failure events.

How SPF Helps Prevent Domain Spoofing

SPF’s primary function is to perform email source validation during the SMTP transmission phase by specifying valid mail servers authorized to send on behalf of your domain. The published SPF TXT record acts as a definitive source for mail source identification, enabling recipient mail servers to compare the originating IP address against the authorized IP address ranges (commonly expressed in CIDR notation).

When an inbound email claims to be from contoso.com, the receiving mail server initiates DNS lookups to retrieve the SPF record placed by the domain owner in the domain name system. Utilizing automated SPF record parsers, the server confirms if the mail source IP matches the included mechanisms—such as `ip4`, `ip6`, or `include` statements that reference external SPF records like those for Microsoft Online Email Routing Address collections (e.g., spf.protection.outlook.com for Microsoft 365 or spf.protection.office365.us for Government clouds).

If the mail server IP passes the SPF check, the message is allowed through standard mail flow processes to the user’s email inbox or filtered accordingly. Conversely, a failure (hard fail or soft fail) can cause the message to be quarantined, routed to the Junk Email folder, or rejected outright—potentially generating an NDR bounce message to the sender.

By implementing SPF settings accurately, domain owners exercise mail source control and mail source enumeration, significantly reducing the chances of email spoof protection bypass. This is especially critical in environments using Exchange Server hybrid deployments or on-premises email servers, where SPF record validation complements other security layers.

Anatomy of an SPF Record: Syntax and Components

The SPF TXT record syntax is defined in RFC 7208 and consists of a series of directives and mechanisms that precisely describe valid email sources. A typical SPF record begins with the version identifier `v=spf1` followed by mechanisms specifying authorized mail server IP addresses or domain aliases and concluding with an enforcement qualifier or policy.

Key components of an SPF record:

  • Version: Always starts with `v=spf1` to indicate SPF version 1.
  • Mechanisms: Define the authorized mail sources. Common mechanisms include:
  • `ip4`: Specifies authorized IPv4 addresses or IP address ranges (e.g., `ip4:192.0.2.0/24`).
  • `ip6`: Specifies authorized IPv6 addresses or ranges (e.g., `ip6:2001:db8::/32`).
  • `include`: References another domain’s SPF record (useful for bulk email services or Microsoft 365 domains like `include:spf.protection.outlook.com`).
  • `a`: Authorizes the IP addresses of the domain’s A or AAAA DNS records.
  • `mx`: Authorizes the IP addresses of the domain’s mail servers (MX records).
  • `ptr`: Less commonly used due to DNS lookup complexity, authorizes hosts matching reverse DNS.
  • `all`: Matches all IP addresses (typically used with a qualifier for default policy).
  • Qualifiers: Each mechanism can be prefixed with a qualifier to specify the enforcement rule.

An example SPF TXT record for contoso.com integrating Microsoft 365 mail sources and its on-premises server might be:

v=spf1 ip4:192.168.0.0/24 include:spf.protection.outlook.com -all

Here, the IP range `192.168.0.0/24` identifies valid internal mail server IPs, while the `include` mechanism authorizes Microsoft 365 mail servers to send through their Online Email Routing Address. The `-all` enforcement rule indicates a hard fail for all other sources not listed.

Email spoofing

Managing SPF record nesting and include statements requires attention to avoid exceeding the DNS query limit (usually 10 DNS lookups per SPF evaluation). Domain administrators should also monitor TTL settings for the SPF record to balance DNS caching and timely updates.

Using PowerShell cmdlets and SPF record parser tools can assist in SPF record creation, validation, and troubleshooting common issues like DNS lookup errors or DNS timeout events that lead to SPF failures or permanent errors.

By mastering the syntax and components of the SPF TXT record, organizations can strengthen their email domain reputation and build a robust email source authorization framework integral to their email security and email protection strategy.

Different SPF Qualifiers and Their Meanings

Within an SPF record, SPF qualifiers play a crucial role in defining the enforcement rule for the domain’s email source validation policy. These qualifiers determine the action mail servers should take when a particular mail from address fails or passes SPF evaluation during SMTP transmission. As specified in RFC 7208, the four primary SPF qualifiers are:

  • “+” (Pass): This is the default qualifier and often omitted in the SPF TXT record. It indicates that the mail source IP is authorized to send emails on behalf of the domain.
  • “-” (Fail/Hard fail): When this enforcement rule is set, mail sources that do not match the authorized IP address range or include mechanism will cause a definitive rejection on SPF evaluation. This is useful for strict email protection policies to block spoofed or phishing emails.
  • “~” (Soft fail): Soft fail indicates that the mail source is not authorized but should be accepted with caution. Mail servers often deliver these emails to the Junk Email folder or quarantine, allowing administrators to monitor suspicious activity without outright rejection.
  • “?” (Neutral SPF): This qualifier signals that no explicit policy is asserted. Mail servers treat these mails as neutral regarding SPF, neither accepting nor rejecting them based on SPF alone.

Understanding and correctly applying SPF qualifiers in your SPF settings enables better mail source control, mitigating phishing attacks and business email compromise effectively.

How to Create and Publish an SPF Record in DNS

Creating an SPF TXT record is a critical step in establishing email authentication for your custom domain or subdomain. The process begins with designing an SPF record that accurately lists all valid mail server IPs and authorized mail sources allowed to send mail on behalf of your domain.

  • Identify all valid mail sources: This includes on-premises email servers such as Exchange Server hybrids, bulk email services, cloud email platforms like Microsoft 365 (including Microsoft 365 Government Community Cloud and Microsoft 365 operated by 21Vianet), and any third-party SMTP transmission systems.
  • Formulate the SPF record syntax: Construct the SPF TXT record with a version declaration (`v=spf1`), followed by include mechanisms referencing official spf.protection.outlook.com or other service-specific DNS records, and IP4 or IP6 addresses formatted using CIDR notation where applicable. 
  • Publish the SPF record: Log into your DNS hosting service or domain registrar’s management portal, locate the DNS record management section, and create a new TXT DNS record for the intended domain or mail domain subdomain. Paste the SPF TXT record text into the appropriate field and configure the TTL setting as recommended (commonly 1 hour or 3600 seconds).
  • Verify domain ownership: Some email service providers, such as Microsoft 365 or third-party bulk email services, may require domain ownership verification through the addition of specific DNS records prior to completing SPF record creation..
Email phishing

Publishing an accurate SPF record ensures that during SMTP transmission, receiving mail servers can perform email source validation efficiently, reducing DNS lookup errors and avoiding potential NDR bounce messages resulting from misconfigured SPF settings.

Best Practices for Configuring SPF Records

Effectively configuring SPF settings involves adherence to best practices that optimize email delivery and improve mail source authorization while maintaining compliance with domain name system limitations:

  • Limit DNS lookups: SPF evaluation during SMTP transmission caps DNS queries at ten to prevent DNS lookup errors or timeouts. Use the include mechanism sparingly and consider consolidating IP ranges with CIDR notation when possible.
  • Avoid SPF record nesting: Excessive SPF record nesting via multiple include statements can lead to SPF record limit breaches. Flatten your SPF record if needed to reduce complexity.
  • Specify enforcement rules carefully: Use hard fail (`-all`) for strict rejection of unauthorized mail sources once confident in your SPF settings. For periods of testing or transition, soft fail (`~all`) is advisable to monitor potential unauthorized mail sources without impacting email delivery dramatically.
  • Regularly update SPF records: Keep authorized mail sources current, reflecting changes such as migration to Microsoft 365 Government Community Cloud High or adjustments in Exchange Server hybrid configurations.
  • Use explicit IP4 and IP6 addresses: Clearly list mail server IPs, including ranges, to enhance mail source identification while avoiding generic wildcards or default SPF records that can weaken security posture.
  • Coordinate SPF with DMARC and DKIM: Ensure your SPF record aligns with DMARC policies and is supported by DKIM email signatures to form a robust email protection strategy.

Adhering to these practices helps maintain a strong email domain reputation, enhances mail flow, and minimizes delivery issues stemming from SPF failures or DNS hosting service misconfigurations.

Common Mistakes to Avoid When Setting Up SPF

Missteps in SPF record creation and management can lead to SPF failure, impacting both reputation and legitimate email delivery. Key pitfalls include:

  • Exceeding the DNS query limit: Including too many `include` statements or nested SPF records can cause DNS timeout errors or permanent errors, resulting in SPF record validation failures.
  • Using incorrect TXT record syntax: Errors in formatting the SPF TXT record, such as missing the version tag `v=spf1`, incorrect IP address format, or misplaced qualifiers, invalidate the SPF record.
  • Neglecting subdomains: Failure to publish SPF records for subdomains or parked domains may expose them to spoofing or permit unauthorized mail sources.
  • Not updating SPF after infrastructure changes: Delays in reflecting new mail server IPs or removing legacy bulk email service IPs can cause delivery disruptions or increase spam filter routing.
  • Over-reliance on neutral SPF: Using the neutral qualifier too liberally weakens email spoof protection and reduces the effectiveness of email authentication protocols.
  • Ignoring Microsoft Online Email Routing Address specifics: Microsoft 365 tenants utilizing domains like contoso.onmicrosoft.com must incorporate specific SPF include mechanisms such as `include:spf.protection.outlook.com` or the regional equivalents like `spf.protection.office365.us` for US Government clouds.

Avoiding these common errors strengthens email source enumeration and enables smoother SPF record management.

Troubleshooting SPF-Related Email Delivery Issues

Proper configuration of the SPF record is crucial for effective email source validation and overall email authentication. When SPF TXT record settings are incorrect or incomplete, legitimate emails can be rejected, causing delivery failures and increasing the incidence of Non-Delivery Reports (NDRs). Common issues often stem from exceeding the DNS query limit established by RFC 7208, syntax errors in the SPF TXT record, or outdated mail source IPs not reflected in the DNS record.

To diagnose SPF-related email delivery problems, the first step involves verifying the SPF record for syntax compliance and accuracy. Utilize SPF record parsers which examine TXT record syntax and SPF evaluation against the domain name system. Pay attention to enforcement rules; a hard fail (`-all`) will reject emails from unauthorized sources outright, while a soft fail (`~all`) marks them suspicious but still delivers, often routing them to the Junk Email folder or spam filter. Misinterpretation of these enforcement rules often causes unexpected email rejections.

Spam

DNS lookup errors and DNS timeout events during SPF evaluation may also disrupt SPF validation. Such issues often occur due to nested include mechanisms or DNS wildcard records that increase the number of DNS lookups beyond the SPF record limit. Custom domains with complex SPF settings for third-party bulk email service providers or hybrid Exchange Server environments must optimize SPF record management, possibly by consolidating include statements or utilizing IP4 and IP6 address ranges with CIDR notation.

For Microsoft 365 environments, including the Microsoft Online Email Routing Address `spf.protection.outlook.com` in the SPF record is essential for authorizing Microsoft mail servers to send email on your behalf. Misconfigured SPF settings in domains such as `contoso.com` or their subdomain `contoso.onmicrosoft.com` frequently cause email quarantines or bounce messages. Using PowerShell cmdlets can streamline SPF record creation and updates within Exchange Server hybrid deployments, ensuring smooth SMTP transmission and email source authorization.

The Impact of SPF on Email Bounce Rates and Spam Filtering

An accurately configured SPF record significantly reduces email bounce rates, as mail servers rely on SPF TXT record validation to determine whether incoming SMTP transmissions originate from authorized mail sources. When the domain name system confirms a valid mail source IP matches the domain’s SPF record, email delivery is more reliable and less likely to be diverted to junk folders or blocked altogether by spam filters.

Incorrect SPF settings introduce SPF failures that increase the risk of emails being flagged as spoofing or phishing attacks. Since SPF is integral to email spoof protection within an email protection strategy, organizations deploying Microsoft Defender for Office 365 or similar platforms observe fewer cases of business email compromise when SPF and complementary email authentication protocols like DKIM and DMARC are properly implemented.

Additionally, authoritative SPF records help maintain a positive email domain reputation, which is crucial when interacting with large bulk email services or government clouds such as the Microsoft 365 Government Community Cloud. Domains with absent or neutral SPF settings (`?all` or `~all`) are more vulnerable to spoofing and may trigger spam filters or NDR bounce messages, thus increasing email bounce rates and degrading mail flow efficiency.

For parked domains or newly registered custom domains through a domain registrar, initial SPF record creation must account for all valid mail sources, including on-premises email servers and third-party providers. Failure to correctly authorize mail server IPs results in email source discovery complications, which negatively impact the reliability of SPF validation and subsequent email inbox placement.

When and How to Update Your SPF Record

SPF record updates are necessary whenever there is a change to the list of authorized mail sources sending email on behalf of your domain. This could include onboarding a new bulk email service, upgrading to a hybrid Exchange Server environment, or migrating to Microsoft 365 operated by 21Vianet or specific regional clouds. Additionally, periodic review of SPF settings helps mitigate DNS lookup errors and ensures compliance with the DNS query limit.

To update an SPF TXT record, first confirm domain ownership verification via your domain registrar or DNS hosting service. Then, retrieve the existing SPF record and assess whether it includes all legitimate IP4 and IP6 addresses, properly formatted with CIDR notation if applicable. Adjust include mechanisms and the enforcement rule as necessary. For example, transitioning from a soft fail to a hard fail directive improves email spoof protection but requires cautious implementation to prevent unintended mail delivery disruption.

Email deliverability

Update the TTL setting of the DNS record to balance between propagation speed and server load. Utilize PowerShell cmdlets or DNS hosting service portals for precise SPF record management tailored to environments like Microsoft 365 or on-premises email servers. Post-update, validate the SPF record using online SPF record parsers and verify that SPF evaluation produces expected results without generating DNS lookup errors or permanent errors during SMTP transmission attempts.

Case Studies: Effective SPF Implementations Protecting Domains

Contoso.com: Enhancing SPF Settings for Microsoft 365 Integration

Contoso adopted Microsoft 365 for their email platform, including using the default SPF record integrating `spf.protection.outlook.com` to authorize Microsoft’s mail servers. By correctly setting the SPF TXT record with an include mechanism referencing this domain, Contoso ensured seamless email source validation and reliable SMTP transmission from Microsoft 365. When syncing with their Exchange Server hybrid environment, PowerShell cmdlets facilitated flattening SPF record nesting and reduced DNS queries. As a result, Contoso minimized NDR incidents and improved email domain reputation, successfully reducing phishing and spoofing attacks.

Adatum’s Multi-Provider Bulk Email SPF Management

Adatum manages multiple bulk email services alongside its on-premises email servers. Their SPF record includes multiple IP address ranges and various include statements for third-party providers like `servers.adatum.com`. By adopting a DNS hosting service that supports DNS wildcard records and implementing careful SPF record management strategies—such as segmenting mail domain subdomain SPF entries—they reduce DNS lookup overhead and DNS timeout risks. These steps prevent SPF failure during SPF evaluation, sharply lowering bounce rates and keeping legitimate marketing emails from being misrouted to junk or quarantine folders.

Email fraud

Microsoft 365 Government Community Cloud Deployment

Organizations using Microsoft 365 Government Community Cloud and its compliant variants (High, Department of Defense) implement strict SPF settings including geographic-specific include mechanisms such as `spf.protection.office365.us`. This granular control of authorized mail sources ensures high-level email spoof protection and compliance with mandates, simultaneously safeguarding email delivery and minimizing phishing attack vectors prevalent in sensitive government domains. The integrated use of DMARC and DKIM alongside SPF record validation generates a multi-layered email protection strategy that reliably maintains email inbox integrity.

Similar Posts

Handling common SPF errors the right way

Handling common SPF errors the right way

ByBrad Slavin Reading Time: 5 minutes

SPF is a sensitive email authentication protocol; it requires all details to be correct to produce accurate authentication results. You can’t miss adding new IP addresses and mail servers, or you can’t afford a tiny typo; otherwise, even genuine emails can get marked as spam or rejected.  It’s important to regularly run your SPF record…

How threat actors managed to send millions of phishing emails from trusted domains- explaining echo-spoofing

How threat actors managed to send millions of phishing emails from trusted domains- explaining echo-spoofing

ByBrad Slavin Reading Time: 4 minutes

In the first half of 2024, a simple toggle in Proofpoint’s email service allowed threat actors to send millions of hard-to-detect emails impersonating blue-chip companies. They exploited a misconfiguration in Proofpoint’s secure email gateway (SEG) to send fraudulent credit card emails. These emails bypassed security filters as they were signed and verified, looking like they…

Mastering SPF Syntax Multiple Include: Tips For Managing Complex Spf Records

Mastering SPF Syntax Multiple Include: Tips For Managing Complex Spf Records

ByBrad Slavin Reading Time: 14 minutes

Sender Policy Framework (SPF) is a critical email authentication protocol designed to prevent email spoofing by specifying which mail servers are authorized to send emails on behalf of a domain. Implemented as a DNS TXT record, an SPF record holds SPF syntax directives that guide receiving mail servers—such as those operated by Microsoft, Google, and…

The ‘unsubscribe’ button is a new security risk; consider a different approach

The ‘unsubscribe’ button is a new security risk; consider a different approach

ByBrad Slavin Reading Time: 5 minutes

We are often told to simply ‘unsubscribe’ from newsletters, shopping emails, and similar lists, as it shrinks our digital footprint, prevents soft spam, and declutters our inbox. However, it turns out that malicious actors have found a way to exploit the seemingly safe ‘unsubscribe’ button as well. You click on it once, and your device…

How can influencers use SPF to protect their personal brand emails?

How can influencers use SPF to protect their personal brand emails?

ByBrad Slavin Reading Time: 6 minutes

There is a common misconception that email security is only meant for large organizations or, at most, mid-sized startups. But the truth is, cyberattackers spare no one, especially not public personas like celebrities and influencers.  Now that influencers have garnered the recognition and status of a celebrity, they have become the next big target for…

SPF Record Explained: Understanding Email Authentication for Your Domain

SPF Record Explained: Understanding Email Authentication for Your Domain

ByBrad Slavin Reading Time: 10 minutes

What is an SPF Record? At its essence, an SPF record, or Sender Policy Framework record, acts as a gatekeeper for your email. It is a specific type of TXT record published in your domain’s DNS settings, designed to help prevent unauthorized users from sending emails that appear to come from your domain. By specifying…