---
title: "6 Best practices for maintaining an SPF record | AutoSPF"
description: "Threat actors seek ways to impersonate credible companies and their representatives to send phishing emails on their behalf."
image: "https://autospf.com/og/blog/6-best-practices-for-maintaining-an-spf-record.png"
canonical: "https://autospf.com/blog/6-best-practices-for-maintaining-an-spf-record/"
---

Quick Answer

Threat actors seek ways to impersonate credible companies and their representatives to send phishing emails on their behalf. This way, the targeted recipients are more likely to open and interact with potentially fraudulent emails. However, if companies implement the SPF protocol for their domains and adhere to best practices, they can assist receiving servers in distinguishing between safe and malicious email senders.

6 Best practices for maintaining an SPF record


![SPF record](https://media.mailhop.org/autospf/images/2025/06/spf-permerror-3088.jpg) 

[Threat actors](https://www.cybersecuritydive.com/news/microsoft-crowdstrike-other-cyber-firms-collaborate-on-threat-actor-taxon/749614/) seek ways to impersonate credible companies and their representatives to send phishing emails on their behalf. This way, the targeted recipients are more likely to open and interact with potentially fraudulent emails. However, if companies implement the [SPF](/blog/what-is-spf-email-a-guide-to-sender-validation-technology/) protocol for their domains and adhere to best practices, they can assist receiving servers in distinguishing between safe and [malicious email](https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-mistakenly-tags-emails-as-malware/) senders. 

_Per [RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208), SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check - exceeding either limit produces a `PermError` that fails authentication for every message from the domain._

To make SPF work, the domain owner publishes a TXT record that lists all the IP addresses and mail servers allowed to send email for their domain. The record ends with an `all` term whose qualifier (for example `-all` or `~all`) tells receiving servers what to do when someone tries to send [fake emails](https://www.usatoday.com/story/money/columnist/2023/09/21/ai-cyber-scams-security/70920106007/) using their domain from a source that is not listed.
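As an added example (not code from the AutoSPF page), the following Python script shows how a receiver applies such a record. It evaluates a sender IP against a constructed, offline map of SPF records (`FAKE_DNS`, with made-up domains and addresses) and returns the RFC 7208 result, so you can see how the qualifier on `all` decides the outcome for an unlisted source:

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups. The domain names,
# addresses and records below are made up for this example.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/48 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "redirected.example": "v=spf1 redirect=example.com",
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 s4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_terms(record):
    """Split an SPF record into (qualifier, name, argument, is_modifier) tuples."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for field in fields[1:]:
        qualifier = "+"
        if field[0] in QUALIFIERS:
            qualifier, field = field[0], field[1:]
        if "=" in field:                      # modifier, e.g. redirect=, exp=
            name, _, arg = field.partition("=")
            terms.append((qualifier, name.lower(), arg, True))
        else:                                 # mechanism, e.g. ip4:, include:, all
            name, _, arg = field.partition(":")
            terms.append((qualifier, name.lower(), arg, False))
    return terms


def check_host(ip, domain, dns=FAKE_DNS, depth=0):
    """Cut-down RFC 7208 check_host(): returns pass, fail, softfail, neutral,
    none or permerror. Handles ip4, ip6, include, all and redirect=; the a,
    mx, ptr and exists mechanisms are out of scope here and yield permerror."""
    if depth > 10:                             # guard against include/redirect loops
        return "permerror"
    record = dns.get(domain.lower())
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for qualifier, name, arg, is_modifier in parse_terms(record):
        if is_modifier:
            if name == "redirect":
                redirect = arg                 # applies only if nothing matches
            continue
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == network.version and addr in network
        elif name == "include":
            sub = check_host(ip, arg, dns, depth + 1)
            if sub in ("none", "permerror"):   # RFC 7208 s5.2: including a
                return "permerror"             # missing/broken record is permerror
            matched = sub == "pass"            # fail/softfail/neutral: keep going
        elif name == "all":
            matched = True
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    if redirect is not None:
        return check_host(ip, redirect, dns, depth + 1)
    return "neutral"                           # no mechanism matched, no redirect


if __name__ == "__main__":
    for ip, domain in [("192.0.2.7", "example.com"), ("198.51.100.10", "example.com"),
                       ("203.0.113.5", "example.com"), ("203.0.113.5", "softfail.example"),
                       ("2001:db8::1", "redirected.example")]:
        print(f"{ip:>16} for {domain:<20} -> {check_host(ip, domain)}")
```

Compare `203.0.113.5` against `example.com` (ends in `-all`, result `fail`) and against `softfail.example` (ends in `~all`, result `softfail`): the listed sources are identical, only the treatment of everything else differs. A real evaluator also implements `a`, `mx`, `ptr` and `exists` and enforces the 10-lookup and void-lookup limits.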

As of 2024, [more than half of the top ten million domains have published SPF records](https://www.spamresource.com/2024/10/spf-adoption-rates-over-time.html#:~:text=Oct%202023%3A%204921770%20%2849.22%25,%2853.35%25%20of%2010%20mil%29). However, not all of them are fully capable of warding off [email impersonation](https://www.proofpoint.com/us/threat-reference/impersonation-attack) and phishing attacks attempted in the name of their businesses. _This is because most of them contain syntax errors, stale or undefined entries, or ineffective rules_. SPF is not a one-time job: you have to keep checking your SPF record to confirm it is still correctly configured, and add or remove IP addresses and mail servers whenever a sending service, vendor, or mail system is onboarded or retired.

![email impersonation](https://media.mailhop.org/autospf/images/2025/06/spf-record-syntax-5079.jpg)

Yes, keeping up with the list of dos and don’ts for an [SPF record](/spf-record-checker/create-spf-record/) can be a tricky task, but that’s exactly where this guide steps in to help you untangle things.

Here are 6 best practices that a domain owner, all the employees, and linked vendors should follow to ensure the [email authentication](/blog/role-relevance-of-dns-spf-records-for-email-authentication/) protocols’ effectiveness. 

## 1\. List only authorized IP addresses and servers

_SPF’s job is to tell the world which IP addresses and mail servers are officially allowed to send emails on your behalf_. So, if you have listed IP addresses and mail servers that shouldn’t be there, or you miss the ones that should be in your SPF record, your domain gets exposed to the following risks:

### Spoofing and BEC attacks

Attackers can forge emails using your domain if your SPF record is too loose or outdated. This can lead to spoofing or [BEC attacks](https://thehackernews.com/2025/02/us-and-dutch-authorities-dismantle-39.html), where a threat actor can trick your employees or customers into wire transferring money or sensitive information.

![email compromise](https://media.mailhop.org/autospf/images/2025/06/spf-lookup-4509.jpg) 

### Legit emails get blocked

If you don’t include the IP address or mail server of a newly added sending source (a new mail platform, vendor, or team mailbox host), emails sent from it will most probably get blocked or land in the [spam folder](https://cybernews.com/news/microsofts-breach-notification-emails-end-up-in-spam-folder/). This can ultimately result in delays, missed opportunities, and frustration for you and the receiver.

Here’s how you can follow this best practice:

- _Audit your senders regularly._
- _Use IP ranges or ‘include:’ statement wisely._
- _Remove the sending sources no longer in use_.

## 2\. Use -all only when you are confident

Setting `-all` (the `all` mechanism with the Hard Fail qualifier) tells receiving mail servers that any IP address or server not listed in your record is not authorized to send for your domain, and most receivers will reject or quarantine such mail. While this may sound like the best configuration to avert [phishing attacks](https://www.infosecurity-magazine.com/news/mobile-phishing-attacks-surge-16/) attempted in your name, it’s not always advised to use this. 

![phishing attacks](https://media.mailhop.org/autospf/images/2025/06/spf-record-tester-6078.jpg)

There are two reasons why you should think twice before setting your SPF record to -all.

The first reason is that if you forget to add a new IP address or [mail server](https://www.activecampaign.com/glossary/mail-server) to your SPF record, genuine emails sent from them will be rejected, risking communication and operational issues.

Second, false positives (legitimate mail that fails SPF) are common, especially during the initial phase of SPF deployment. The usual cause is forwarding: a forwarded message reaches the final receiver from the forwarder’s IP, which is not in your record, so even genuine emails that started from an authorized source can get rejected.

_So, if your business’s tolerance for rejected emails is low, don’t be hasty to set the Hard Fail qualifier. Start with `~all`, watch your DMARC reports, and move to `-all` once you are confident the record is complete_. Keep in mind that DMARC counts both SPF fail and softfail as an SPF failure, so once DMARC is enforced the choice between `~all` and `-all` matters mainly to receivers that act on the SPF result alone.

![SPF mechanisms](https://media.mailhop.org/autospf/images/2025/06/spf-validator-9044.jpg) 

## 3\. Avoid using deprecated and risky mechanisms

Some [SPF mechanisms](/spf-validator/spf-syntax/), such as ‘ptr,’ are outdated and no longer reliable. The ‘ptr’ mechanism does a reverse DNS lookup on the sender’s IP and checks whether the resulting hostname sits under your domain, but it’s slow, it consumes one of your 10 permitted lookups, and some receivers skip it entirely, so results are inconsistent. RFC 7208 says it should not be used, and most email providers no longer recommend it.

Likewise, using broad mechanisms like, ‘a’ or ‘mx,’ can be risky if not handled carefully. The ‘a’ mechanism allows any IP linked to your domain’s A record to send emails - even if those servers weren’t meant to send emails in the first place. _Similarly, ‘mx’ approves your mail servers, but some of them may only receive or forward emails, not send them directly_.

Using such loose rules can inadvertently authorize hosts that were never meant to send mail, so anyone who controls one of them (a web server that shares your domain’s A record, for instance) can send SPF-passing mail as your domain. It’s better to stick with more specific options like ‘ip4,’ ‘ip6,’ or ‘include:’ to list only the exact IPs or trusted [third-party services](https://getterms.io/blog/what-is-a-third-party-service) that should be sending your emails.

![Monitor DMARC reports](https://media.mailhop.org/autospf/images/2025/06/spf-flattening-5566.jpg) 

## 4\. Monitor DMARC reports

DMARC relies on SPF and [DKIM](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dkim-record-check/) results: a message passes DMARC when either SPF or DKIM passes with a domain aligned to the visible From address. By monitoring DMARC reports, you can know if something is wrong with your SPF record. You can spot unrecognized and unauthorized IPs and tighten the SPF record to block emails sent from these.

Also, sometimes your own tools (like a [CRM](https://www.techtarget.com/searchcustomerexperience/definition/CRM-customer-relationship-management) or newsletter platform) might not be added to your SPF record. [DMARC reports](https://dmarcreport.com/understanding-dmarc-reports/) will show their emails failing SPF, so you’ll know which sender to add to the record.
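An added example, not code from the original page: parsing a DMARC aggregate (rua) report to pull out exactly the SPF-failing sources described above and sort them into "our own sender that is missing from SPF" versus "unknown source". The report XML, the IPs and counts, and the `AUTHORIZED` ranges are constructed for the example; the element names follow the RFC 7489 aggregate report schema.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (rua) report. Reporter, IPs and counts are
# made up; element names follow the RFC 7489 aggregate report schema.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.40</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.crm.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Constructed: the ranges already listed in our own SPF record.
AUTHORIZED = [ipaddress.ip_network("192.0.2.0/24")]


def triage(report_xml, authorized=AUTHORIZED):
    """Sort every SPF-failing source in an aggregate report into one of:
    'own_sender_missing'  DKIM-aligned mail from an IP we never listed (a CRM,
                          newsletter tool, etc.): add that sender to SPF.
    'unknown'             fails SPF and DKIM: candidate spoofing, keep it blocked.
    'listed_but_failing'  inside our ranges yet failing: the record itself or
                          its evaluation is broken (syntax, PermError)."""
    root = ET.fromstring(report_xml)
    buckets = {"own_sender_missing": [], "unknown": [], "listed_but_failing": []}
    for rec in root.findall("record"):
        # policy_evaluated/spf is the aligned result DMARC used, not raw SPF
        if rec.findtext("row/policy_evaluated/spf") == "pass":
            continue
        ip = rec.findtext("row/source_ip")
        entry = {
            "ip": ip,
            "count": int(rec.findtext("row/count")),
            # the domain SPF actually checked: identifies the vendor behind the IP
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        }
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in authorized):
            buckets["listed_but_failing"].append(entry)
        elif rec.findtext("row/policy_evaluated/dkim") == "pass":
            buckets["own_sender_missing"].append(entry)
        else:
            buckets["unknown"].append(entry)
    return buckets


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        for e in entries:
            print(f"{bucket:<20} {e['ip']:<16} {e['count']:>5} msgs  spf checked {e['spf_domain']}")
```

In the sample, `198.51.100.40` passes SPF for `bounce.crm.example` but that domain is not aligned with `example.com`, so DMARC records an SPF failure; the DKIM pass tells you it is your own CRM traffic and the `spf_domain` field tells you which `include:` to add. `203.0.113.77` fails both and should stay unauthorized.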

## 5\. Document and review changes regularly

Whenever you make any changes to your SPF record, document the alterations. _This way, there will be a log of who made the update, when, and for what purpose_. This avoids confusion later if something breaks. 

Additionally, if you continually add ‘include:’ statements without removing old ones, your SPF record may exceed the 10 [DNS lookup](https://www.digicert.com/faq/dns/how-does-dns-lookup-work) limit, and receivers will then return a PermError for every message from the domain. A documented change log makes it easier to see which entries are still needed and which can be retired.

![email authentication](https://media.mailhop.org/autospf/images/2025/06/spf-record-example-7064.jpg)

## 6\. Stay within the lookup limit

SPF allows up to 10 DNS lookups per evaluation for the terms that trigger a [DNS query](https://www.cloudns.net/wiki/article/254/): ‘include:’, ‘a,’ ‘mx,’ ‘ptr,’ ‘exists,’ and the ‘redirect=’ modifier (‘ip4’ and ‘ip6’ cost nothing). The limit bounds the work a receiver does per message and stops a crafted record from being used to generate unbounded DNS traffic against mail servers and resolvers (a [DoS](https://www.insurancebusinessmag.com/us/news/risk-management/how-ddos-attacks-are-shaping-esports-security-and-risk-management-516320.aspx) vector).

If your SPF record has already hit this limit and evaluation returns a PermError, use our [automatic SPF flattening tool](/). It works by converting ‘include’ statements into a static list of ‘ip4’ and ‘ip6’ entries, which need no lookups at all.
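An added example that serves both section 3 (risky mechanisms) and this section (the lookup limit). It is not the AutoSPF tool and not code from the original page. It walks an SPF record through its includes and redirects using constructed, offline `TXT`, `A_RECORDS` and `MX_RECORDS` maps (every name and address is made up), counts the lookup-consuming terms, flags ‘ptr’, ‘a’, ‘mx’ and permissive ‘all’ qualifiers, and produces the flattened equivalent:

```python
import ipaddress

# Constructed, offline stand-ins for DNS. Every name and address below is
# made up; a real audit would resolve TXT, A and MX records instead.
TXT = {
    "example.com": "v=spf1 a mx include:_spf.crm.example include:_spf.helpdesk.example ptr ~all",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.0/26 include:_spf.crm-sub.example -all",
    "_spf.crm-sub.example": "v=spf1 ip4:198.51.100.64/26 -all",
    "_spf.helpdesk.example": "v=spf1 ip6:2001:db8:1::/48 redirect=_spf.helpdesk-eu.example",
    "_spf.helpdesk-eu.example": "v=spf1 ip4:203.0.113.0/25 -all",
    # eleven includes of one valid vendor record: over the limit anyway
    "bloated.example": "v=spf1 " + " ".join(["include:_spf.crm-sub.example"] * 11) + " -all",
}
A_RECORDS = {"example.com": ["192.0.2.10"], "mx1.example.com": ["192.0.2.20"],
             "mx2.example.com": ["192.0.2.21"]}
MX_RECORDS = {"example.com": ["mx1.example.com", "mx2.example.com"]}

# Terms that each cost one of the 10 permitted DNS lookups (RFC 7208 s4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def terms(record):
    """Yield (qualifier, name, argument, is_modifier) for each SPF term.
    CIDR suffixes on a/mx (e.g. a/24) and macros are not handled here."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for field in fields[1:]:
        qualifier = "+"
        if field[0] in "+-~?":
            qualifier, field = field[0], field[1:]
        if "=" in field:
            name, _, arg = field.partition("=")
            yield qualifier, name.lower(), arg, True
        else:
            name, _, arg = field.partition(":")
            yield qualifier, name.lower(), arg, False


def audit(domain, depth=0):
    """Walk a record and everything it includes or redirects to. Returns
    (lookup_count, findings, networks, top_level_all_qualifier)."""
    lookups, findings, nets, all_qual = 0, [], [], None
    record = TXT.get(domain)
    if record is None:
        return 0, [f"{domain}: no SPF record (void lookup)"], [], None
    for qual, name, arg, is_mod in terms(record):
        if is_mod and name != "redirect":
            continue                            # exp= and friends: no lookup, no IPs
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append(f"{domain}: 'ptr' is deprecated by RFC 7208 and cannot be flattened; remove it")
        elif name == "a":
            host = arg or domain
            findings.append(f"{domain}: 'a' authorizes every address of {host}, whether or not it sends mail")
            nets += [ipaddress.ip_network(ip) for ip in A_RECORDS.get(host, [])]
        elif name == "mx":
            host = arg or domain
            findings.append(f"{domain}: 'mx' authorizes the inbound hosts of {host}; confirm they also send")
            for mx_host in MX_RECORDS.get(host, []):
                nets += [ipaddress.ip_network(ip) for ip in A_RECORDS.get(mx_host, [])]
        elif name in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(arg, strict=False))
        elif name in ("include", "redirect"):
            sub_lookups, sub_findings, sub_nets, _ = audit(arg, depth + 1)
            lookups += sub_lookups              # nested lookups count against the caller
            findings += sub_findings
            nets += sub_nets                    # the included record's own 'all' is dropped
        elif name == "all":
            all_qual = qual
            if qual in "+?":
                findings.append(f"{domain}: '{qual}all' lets anyone pass; use ~all or -all")
    if depth == 0 and lookups > 10:
        findings.insert(0, f"{domain}: {lookups} DNS lookups exceeds the limit of 10 (PermError)")
    return lookups, findings, nets, all_qual


def flatten(domain):
    """Rewrite the record as static ip4/ip6 terms so it needs zero lookups."""
    _, _, nets, all_qual = audit(domain)
    parts, seen = ["v=spf1"], set()
    for net in nets:
        if net in seen:
            continue
        seen.add(net)
        tag = "ip4" if net.version == 4 else "ip6"
        value = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        parts.append(f"{tag}:{value}")
    if all_qual:
        parts.append(f"{all_qual}all")
    return " ".join(parts)


if __name__ == "__main__":
    print(*audit("example.com")[1], flatten("example.com"), sep="\n")
    print(*audit("bloated.example")[1], sep="\n")
```

For `example.com` the walk costs 7 lookups (‘a’, ‘mx’, ‘ptr’, two ‘include:’ terms, one nested ‘include:’ and one ‘redirect=’), and `bloated.example` costs 11 and is reported as a PermError. The flattened record is only as current as the addresses it captured: the vendor behind `_spf.crm.example` can change its ranges at any time, so a flattened record has to be re-resolved and republished on a schedule, which is the job a flattening service automates.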

If you need assistance with our tool, feel free to [reach out to us](/contact-us/) for guidance. We can also help with other email authentication issues.


![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 




```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"6 Best practices for maintaining an SPF record","description":"Threat actors seek ways to impersonate credible companies and their representatives to send phishing emails on their behalf.","url":"https://autospf.com/blog/6-best-practices-for-maintaining-an-spf-record/","datePublished":"2025-06-05T17:32:41.000Z","dateModified":"2026-04-18T02:36:41.000Z","dateCreated":"2025-06-05T17:32:41.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/6-best-practices-for-maintaining-an-spf-record/"},"articleSection":"intermediate","keywords":"DKIM, DMARC, SPF, SPF Flattening, SPF Flattening tool, SPF record","wordCount":1190,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/images/2025/06/spf-permerror-3088.jpg","caption":"SPF record","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```

