Setup SPF Record

An SPF record, or Sender Policy Framework record, is a critical DNS record designed to prevent email spoofing and improve email authentication. Technically, an SPF record is a type of DNS TXT record published on the Domain Name System (DNS) for a specific domain. This DNS record specifies which mail sources—including IP addresses in IPv4 (ip4) and IPv6 (ip6) format—are authorized to send emails on behalf of that domain.

The SPF TXT record works by listing valid email sources that are allowed to use the MAIL FROM address (also known as the envelope sender) of the domain. These authorized IP addresses typically include those of an organization’s on-premises email server, bulk email services like Adatum bulk mailing service, or third-party platforms such as Microsoft 365 or Exchange Server hybrid deployments.

Publishing an accurate SPF record through your domain registrar or DNS hosting service for your custom domain is essential. For example, a company using a domain like contoso.com can publish an SPF TXT record that specifies IP ranges or include mechanisms for trusted providers—such as spf.protection.outlook.com for Microsoft 365 domains—to simplify maintenance.

How SPF Records Work to Authenticate Emails

The Sender Policy Framework functions as an email authentication protocol by enabling receiving mail servers to verify that incoming messages come from IP addresses authorized by the domain owner. This verification happens through a DNS lookup process where the receiving mail server queries the sending domain’s SPF DNS record.

During this DNS query, the server checks the SPF syntax and evaluates the included commands and mechanisms, such as ip4, ip6, and include. The include mechanism allows referencing other SPF records—commonly used when a domain delegates email sending to services like Microsoft Online Email Routing Address (MOERA) or a third-party bulk mail provider.

The SPF evaluation process follows an enforcement rule specified in the SPF record, dictating how to treat emails that fail validation. Common enforcement tags include:

  • -all (hard fail): Mail from non-authorized IPs should be rejected outright.
  • ~all (soft fail): Mail is treated with suspicion but may still be accepted or marked as spam.
  • ?all (neutral): No definitive assertion about mail legitimacy.
legitimate Email

These rules allow domain owners to control how strict the email authentication enforcement is. However, administrators must watch out for the DNS lookups limit of 10 queries as specified in RFC 7208, which standardizes SPF to prevent excessive DNS queries that could impact mail delivery performance.

The Role of SPF in Preventing Email Spoofing

Email spoofing is a technique used by attackers to forge the MAIL FROM address of an email to make it appear as if it originated from a trusted domain. This impersonation can lead to phishing attacks, business email compromise, ransomware distribution, and degradation of email source reputation.

SPF serves as a frontline defense by enabling receiving mail servers to authenticate emails against the domain’s published SPF record. When a message fails SPF validation—often flagged as SPF validation failure—the receiving system can take appropriate actions such as rejecting the email, directing it to the spam or junk email folder, or generating a bounce message or non-delivery report (NDR).

In organizations utilizing Microsoft 365 domains and Microsoft Defender for Office 365, SPF acts alongside DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) protocols to provide comprehensive email protection. For instance, DMARC policies use SPF results to determine how to handle emails that fail authentication checks and can generate reports via DMARC reporting services to inform domain owners about malicious activity targeting their domain.

Impact of SPF Records on Domain Reputation

A well-configured SPF record directly influences the reputation of your domain within the email ecosystem. Email source reputation is crucial because major email providers and spam filters consider authentication results when deciding mail delivery policies. Domains without properly set SPF records are more likely to have their emails flagged as spam or rejected, which can severely impact email deliverability.

For example, Microsoft 365 employs SPF to validate emails sent from its Microsoft Online Email Routing Address pool. Failure to publish an accurate SPF TXT record can result in SPF validation failures that diminish trust in contoso.com or its subdomains like marketing.contoso.com. Over time, this leads to emails ending up in the junk email folder or being outright blocked, harming business communications.

Additionally, parked domains or wildcard SPF records can complicate reputation management. If SPF records allow overly permissive rules such as include:* or lack enforcement rules, attackers may exploit them for email spoofing, further degrading domain reputation and triggering more bounce messages.

Email spoofing

To maintain domain reputation, administrators must ensure SPF records are precise, reflecting all valid IP addresses and mail sources. Using tools such as PowerShell can help manage and test SPF configurations, particularly for Exchange Server hybrid deployments and Microsoft 365 enrollment scenarios.

Common Email Threats Mitigated by SPF

SPF records help mitigate numerous prevalent email threats, most notably email spoofing, which serves as the root cause for many cyberattacks. By validating whether an email’s source IP matches authorized sources in the SPF DNS record, organizations can reduce risks associated with:

  • Phishing Attacks: These attacks often use spoofed domains to trick recipients into disclosing sensitive information. SPF helps prevent such spoofed emails from reaching users.
  • Business Email Compromise (BEC): BEC exploits legitimate business email domains to impersonate executives or partners. SPF enforcement reduces chances of unauthorized mail being accepted.
  • Ransomware Distribution: Phishing emails carrying ransomware payloads usually come from spoofed domains. SPF records help identify and block these fraudulent sources.
  • Spam and Junk Mail: Proper SPF records combined with enforcement rules reduce misclassification and help decrease spam originating from your domain’s identity theft.

    By implementing a robust SPF record—ideally alongside DKIM and DMARC policies—domain owners create a multi-layered email authentication and protection strategy. This ensures that only authorized IP addresses, whether from on-premises email servers or cloud email platforms like Microsoft 365’s spf.protection.office365.us or regional spf.protection.partner.outlook.cn endpoints, can send emails on their behalf, safeguarding both users and the domain’s standing on the internet.


In summary, setting up an SPF record is essential for domain owners who want to protect their domain reputation, prevent email spoofing, and secure their email ecosystem against increasingly sophisticated threats. By carefully configuring SPF TXT records with correct IP addresses, includes, and enforcement rules, organizations maintain email authenticity and increase trust among email recipients globally.

Step-by-Step Guide to Setting Up an SPF Record

Implementing a Sender Policy Framework (SPF) record is essential for strengthening your domain’s email security. It helps prevent spoofing and phishing attacks by verifying which mail servers are authorized to send emails on behalf of your domain. Below is a comprehensive guide to creating and deploying a robust SPF TXT record for your domain.

1. Identify All Valid Email Sources

Begin by compiling a comprehensive list of all mail sources authorized to send email on behalf of your domain. This includes:

  • On-premises email servers with their public IP addresses (both IPv4 and IPv6, utilizing the ip4 and ip6 mechanisms).
  • Cloud-based services such as Microsoft 365 (including the Microsoft 365 domain and associated Microsoft Online Email Routing Address, or MOERA).
    Bulk email services like Adatum bulk mailing service.
  • Third-party marketing platforms sending from subdomains (e.g., marketing.contoso.com).
  • Any Exchange Server hybrid deployments or external partners.
Email threat

Accurate identification ensures the SPF record authorizes only legitimate sources, reducing false positives and enhancing email validation accuracy.

2. Format the SPF TXT Record Syntax Correctly

Following RFC 7208 guidelines, construct your SPF record with appropriate mechanisms and qualifiers. Typical SPF syntax includes:

  • v=spf1 to specify the SPF version.
  • ip4: and ip6: mechanisms to denote authorized IP addresses or ranges, utilizing CIDR notation when necessary.
  • include: to add nested SPF records, such as those for Microsoft 365 (include:spf.protection.outlook.com) or other bulk email services.
  • all with an enforcement rule qualifier, such as -all for hard fail, ~all for soft fail, or ?all for neutral.

Example SPF TXT value for contoso.com:

v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 include:spf.protection.outlook.com -all

3. Publish the SPF Record in DNS

Access your domain registrar or DNS hosting service interface and add a new DNS TXT record. Ensure:

  • The Name or Host field reflects your domain or subdomain (e.g., @ for root domain or marketing for marketing.contoso.com).
  • The Type is set to TXT.
  • The TXT Value contains your fully formed SPF record.

Set an appropriate TTL (time to live), typically 3600 seconds, balancing DNS query responsiveness with performance.

4. Verify and Publish

Before finalizing, validate the SPF record for syntax correctness and policy effectiveness using SPF validation tools. After publishing, monitor DNS propagation and run DNS lookups to confirm the SPF TXT record is appropriately distributed.

Best Practices for Configuring SPF Records

Setting up an SPF record requires adherence to established best practices to maximize email protection and operational reliability.

Define Precise Valid Email Sources

Avoid overly broad IP address ranges to minimize accidental authorization of unauthorized mail sources. Use CIDR notation effectively to narrow IP address blocks.

Avoid Excessive DNS Lookups

SPF evaluation is limited to 10 DNS lookups as per RFC 7208, including lookups from nested include: mechanisms. Exceeding this limit causes SPF validation failures, negatively impacting email deliverability. Optimize your SPF record by minimizing nested includes and consolidating IP ranges.

Email deliversbility

Employ Appropriate Enforcement Rules

Choose the correct enforcement qualifier (-all for hard fail, ~all for soft fail, or ?all for neutral) based on your domain’s email infrastructure maturity:

  • Use -all to reject unauthorized email sources definitively once confident in your SPF record’s completeness.
  • Use ~all during initial deployment to monitor without impacting legitimate emails.
  • Use ?all to observe SPF behavior with no enforcement.

Regularly Update SPF Records

As your domain’s infrastructure evolves — for example, adding new services or retiring old servers — promptly update the DNS SPF TXT record to maintain accuracy in valid email sources.

Leverage Subdomain Policies and Wildcard SPF Records with Caution

Apply SPF selectively to subdomains when appropriate, e.g., marketing.contoso.com, to segregate policies. Use wildcard SPF records sparingly since they may lead to unexpected outcomes in email validation.

Troubleshooting Common SPF Issues

Despite best efforts, organizations frequently encounter issues related to SPF record implementation and validation failures. Understanding these common problems aids rapid diagnosis and resolution.

SPF Validation Failure Due to DNS Lookup Limit

When SPF evaluation exceeds the 10 DNS query limit, receivers return SPF soft fail or hard fail results, sending emails to spam or rejecting them outright. Simplify your SPF record by reducing nested include: statements and consolidating IP ranges to avoid this problem.

Incorrect SPF Syntax or Malformed Records

Common errors include missing v=spf1 declaration, misplaced spaces, or invalid mechanisms. These syntax errors cause immediate SPF validation failure. Use tools that check SPF syntax before publishing.

Mismatched IP Address or Missing Valid Email Sources

Emails sent from IPs not included in the SPF record will fail SPF application checks, resulting in spam folder placement or NDR (Non-delivery report). Thoroughly verify all legitimate IP4 and IP6 addresses your domain uses for sending email.

Email Authentication

Conflicts in Hybrid and Multi-domain Environments

Organizations with Exchange Server hybrid deployments and Microsoft 365 enrollment need to incorporate the correct Microsoft SPF includes, such as include:spf.protection.outlook.com (or respective regional endpoints like spf.protection.office365.us or spf.protection.partner.outlook.cn for 21Vianet environments). Omitting these causes SPF failures.

Handling Parked Domains and Third-party Mail Sources

Parked or inactive domains should have appropriately restrictive SPF policies to block spoofing. When using bulk services like Adatum, include their SPF mechanism to authorize sending IPs properly.

Integrating SPF with Other Email Authentication Protocols (DKIM, DMARC)

While SPF provides essential validation of MAIL FROM address by verifying IP authorization, integrating it with DKIM and DMARC protocols significantly enhances email protection.

DKIM (DomainKeys Identified Mail)

DKIM uses cryptographic signatures added to emails to verify message integrity and the domain of the sender. Unlike SPF, which validates the envelope sender IP address, DKIM authenticates the header and content via DNS-published public keys.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on SPF and DKIM by providing domain owners with the capability to specify an enforcement rule on messages failing SPF or DKIM (such as quarantine or reject). It also supports DMARC reporting services, enabling monitoring of authentication failures and helping to combat phishing and business email compromise attacks.

Complementing SPF with DKIM and DMARC

  • Align SPF with the Envelope Sender (MAIL FROM address) for consistent validation.
  • Ensure DKIM signs emails with the same domain seen by recipients.
  • Publish a DMARC DNS record with policies that specify how recipients handle SPF/DKIM failures.
  • Use DMARC reports to analyze and troubleshoot email source reputation and identify potential ransomware or phishing attacks.

Together, these protocols offer layered email protection, reducing spam reaching inboxes or junk email folders, fortifying defenses against sophisticated threats.

Monitoring and Maintaining Your SPF Record for Long-Term Protection

Publishing an SPF record is not a set-it-and-forget-it task. Continuous monitoring and maintenance are crucial for sustained email validation success.

Regular DNS Record Audits

Monitor your DNS SPF TXT record and regularly audit all valid email sources, updating IP addresses or includes to reflect changes such as hosting migrations or service provider switches.

Analyze Bounce Messages and NDRs

Bounce messages or Non-delivery reports often contain SPF validation failure reasons. Use these insights to identify and remedy SPF issues quickly.

Monitor DNS Queries and Lookups

Track the number of DNS lookups your SPF includes generate. Tools or scripts, including PowerShell for Microsoft 365 environments, can help detect approaching DNS lookups limits, enabling timely optimization to avoid SPF failures.

Utilize DMARC Reporting Services

DMARC aggregate and forensic reports provide detailed information about SPF and DKIM alignment and failures, assisting in continuous improvement of email authentication posture.

Update TTL Values Strategically

Set TTL values in your DNS records to balance timely propagation of SPF updates with efficiency in DNS resolution. A TTL of 1 hour (3600 seconds) is common but may be adjusted during major changes.

Email validation

Document SPF Policies and Changes

Maintain documentation of SPF configuration and modifications, including the reasoning behind enforcement rules and includes, to facilitate troubleshooting and knowledge transfer within your administrative team.

FAQs

What is the difference between a hard fail and a soft fail in SPF?

A hard fail (-all) indicates that mail from unauthorized IP addresses should be rejected outright, enhancing email protection. A soft fail (~all) means unauthorized mail should be accepted but marked or scrutinized further, useful during SPF policy rollout.

How does SPF protect against email spoofing?

SPF authenticates the MAIL FROM address by checking if the sending IP address is authorized in the domain’s DNS SPF record. This prevents unauthorized sources from sending mail that appears to come from your domain, reducing spoofing and phishing attacks.

Can SPF records exceed 10 DNS lookups if includes are nested?

No. Per RFC 7208, the SPF mechanism limits DNS lookups to 10, including nested includes. Exceeding this leads to SPF validation failure, so it’s vital to optimize SPF records by reducing nested includes and consolidating IP ranges.

How do I configure SPF for Microsoft 365 domains?

Include Microsoft 365’s SPF mechanism (include:spf.protection.outlook.com) in your SPF TXT record. For environments hosted in different regions (e.g., 21Vianet in China), use the proper endpoint such as include:spf.protection.partner.outlook.cn.

What role does CIDR play in SPF records?

CIDR notation specifies IP address ranges efficiently (ip4:198.51.100.0/24). It is essential to correctly authorize groups of IP addresses in your SPF record, particularly for on-premises email servers or cloud services.

How often should I update my SPF record?

Update your SPF record whenever you add or remove mail sources, change service providers, or modify your email infrastructure. Regular audits every 3–6 months help maintain accuracy.

Why do I receive NDRs related to SPF failures?

NDRs or bounce messages containing SPF failure details indicate that your email was rejected because it originated from an IP address not authorized in the recipient domain’s SPF record. Addressing SPF misconfigurations or whitelisting valid sources resolves this.

Key Takeaways

  • SPF records authenticate valid email sources using DNS TXT records with mechanisms like ip4, ip6, and include directives.
  • Adhering to DNS lookup limits and correct SPF syntax is crucial for maintaining email validation effectiveness.
  • Integrating SPF with DKIM and DMARC offers comprehensive email protection against spoofing, phishing, and ransomware threats.
  • Continuous monitoring, including reviewing bounce messages and DMARC reports, is essential for sustaining SPF integrity.

Regular updates to SPF records ensure alignment with evolving mail infrastructure, especially in hybrid and Microsoft 365 environments.

Similar Posts

SPF and multi-tenant email service providers: a collision course?

SPF and multi-tenant email service providers: a collision course?

ByBrad Slavin Reading Time: 5 minutes

During the 2024 Black Friday to Cyber Monday (BFCM) period, Mailchimp customers sent billions of emails. Notably, on Black Friday alone, over 133 million emails were dispatched in a single hour. On the other hand, SendGrid claims to send 148+ billion emails every month. And at the same time, there has been a massive 202%…

What is an executive phishing attack and how to prevent it?

What is an executive phishing attack and how to prevent it?

ByBrad Slavin Reading Time: 6 minutes

Threat actors try different tactics to intercept and steal data, which is further exploited for financial gain. One such tactic is an executive phishing attack. It’s a low-cost yet powerful way for threat actors to break into a company’s security. Cybercriminals trick junior-level executives through emails or phone calls made by impersonating top-level executives, and…

IP Lookup: Discover Your IP Address Location and Details

IP Lookup: Discover Your IP Address Location and Details

ByBrad Slavin Reading Time: 16 minutes

In today’s digital landscape, your IP address is more than just a line of numbers; it’s like a digital identity that reveals where you are and who you’re with online. Have you ever wondered how websites automatically suggest content based on your location, or what happens when you browse the internet? Understanding your IP address…

SPF Wizard Explained: Create Perfect Spf Records In Minutes

SPF Wizard Explained: Create Perfect Spf Records In Minutes

ByBrad Slavin Reading Time: 13 minutes

What is SPF and Why It Matters for Email Security The sender policy framework (SPF) is a cornerstone of modern email authentication protocols that protect organizations from the rampant threats of email spoofing and email phishing protection. SPF works by validating the IP addresses authorized to send emails on behalf of a domain, thus thwarting…

Automation + Machine Learning for Continuous Vendor Email Security Assessment 

Automation + Machine Learning for Continuous Vendor Email Security Assessment 

ByBrad Slavin Reading Time: 6 minutes

VEC (Vendor Email Compromise) attacks are increasing at an alarming rate. In fact, the manufacturing sector alone climbed 24% year-over-year between September 2023 and September 2024. In today’s situation, emails are being exploited as both a weapon and a gateway. Companies usually trust their vendors as they have been in business for years, and often…

Setting SPF and DKIM for Salesforce

Setting SPF and DKIM for Salesforce

ByBrad Slavin Reading Time: 3 minutes

When using an external email sender, like Salesforce, to send emails from addresses within your domain, it’s crucial to set up SPF and DKIM. Without these configurations, recipients’ inboxes may flag the emails as potential spoofing attempts. The impact varies: some corporate email servers automatically delete such emails, while others redirect them to the spam…