It can be a bit confusing to create an SPF record if it’s your first time. This guide on SPF record explanation talks about basic and advanced SPF syntaxes that will help you generate an error-free and properly configured record for your domain.
SPF Record Basic Syntax
Here SPF record is explained in two categories; let’s start by discussing the first one, i.e., SPF basic syntax.
We’ll understand this with the help of the following SPF record example-
v=spf1 ip4=192.158.1.38 ip4=192.158.2.30 include:vendorsender.net ~all
Where;
- v= spf1 specifies that it’s an SPF record, and all SPF records begin with it; otherwise, there will be configuration errors.
- This is followed by the IP addresses permitted to send emails using the specified domain. Here ip4=192.158.1.38 and ip4=192.158.2.30 are included.
- The ‘include:vendorsender.net’ specifies which outsiders can send messages using your domain. You can add multiple domains within an SPF record.
- ~all indicates a softfail, which means that recipients’ mailboxes accept emails failing authentication checks, but mark them as spam. So, recipients will see them in spam folders and not their primary inboxes. (You can also set your record to -all, which will indicate a hardfail. In that case, recipients’ mailboxes are instructed to reject the entry of all emails sent from our domain that fail authentication checks.)
SPF Record Advance Syntax
The next part of this SPF record explanation guide talks about more complex and advance syntax. This is further divided into three categories- SPF Mechanisms, SPF Qualifiers, and SPF Modifiers.
SPF Mechanisms
SPF record mechanisms instruct receiving servers on how they should deal with emails sent from your domain.
- ALL
It’s the last mechanism, and it always matches.
- A
It generates queries for A or AAAA records in a domain with a sender’s IP address.
- ip4
A match happens if the sender is linked to the particular ipv4 address range.
- ip6
A match happens if the sender is linked to the particular ipv6 address range.
- MX
The MX mechanism includes an IP address and a priority value for each server permitted to accept emails. Its usage is discouraged as an SPF record exceeds the 10 lookup limit.
- PTR
It authorizes domains using PTR records that resolve IP addresses to their corresponding subdomains. Its use is also discouraged as it requires too many looks, causing SPF record exceeds 10 lookups limit permerror error.
- EXISTS
It conducts a DNS A record search of your email-sending domain. A match happens when a valid A record is found.
- INCLUDE
It permits third-party vendors to send emails using your domain. You see a permanent error when no SPF record is found for the listed third-party domain.
SPF Qualifiers
This optional mechanism instructs receiving mail servers how to handle messages if there’s a match with a Mechanism value. There are 4 Qualifiers:
Qualifier | Result | Action Taken by Receiving Server With a Match |
+ | Pass | Messages pass SPF authentication checks, and the server is allowed to send emails. |
– | Fail | Emails fail the SPF authentication test, and the server can’t send emails as it isn’t listed in the SPF record. So, failed emails are rejected outrightly. |
~ | SoftFail | The mailbox receives the message but isn’t shown in the primary inbox. It lands in the spam folder instead. |
? | Neutral | Emails neither pass nor fail because the DNS SPF record doesn’t explicitly state if that particular IP address is authorized. |
SPF Modifiers
In the last leg of ‘SPF record explained,’ we’ll talk about SPF Modifiers. They decide the parameters of a DNS SPF record syntax. You add them only once and at the end of a valid SPF record, and all the unrecognized Modifiers go unattended.
While learning about SPF record explanation, you should know that all SPF Modifiers consist of a name or value pair separated by the ‘=’ sign that shows additional details like exceptions to rules.