SPF records follow a defined syntax and come with a number of rules and limitations. If you don’t follow them, you will face SPF record failures, false positives, or false negatives. Make it a habit to run your SPF record through an SPF analyzer or lookup tool regularly to catch any issues arising from not following the do’s and don’ts below.
The do’s of an SPF record
Avoid common SPF pitfalls by adhering to these best practices:
Do define all valid mail servers
Ensure that every server you use for sending emails is included in your SPF record. List them using mechanisms like ip4, ip6, a, mx, and include. This way, emails from legitimate senders won’t land in the recipients’ spam folders, and your communication won’t be disrupted.
Do include third-party services
If you have outsourced some of your email work (such as email marketing) to external services (CRMs or marketing platforms, for example), include their sending sources in your SPF record using the ‘include’ mechanism. Skipping this step will lead to false positives.
Do use the ~all mechanism (SoftFail) when testing
When setting up or testing a new SPF record, use ~all (SoftFail) to minimize email delivery disruptions before switching to -all (HardFail). SoftFail is the more flexible and forgiving mechanism: it instructs receiving mailboxes to accept suspicious emails sent from your domain but place them in the spam folder, whereas HardFail instructs receiving mailboxes to reject such emails outright.
Do enforce SPF with -all after testing
Once everything is tested and verified, consider using -all (HardFail) to ensure that only authorized servers can send emails on your behalf. This is good practice: suspicious emails never reach the recipients’ inboxes, so targeted recipients cannot fall for fraudulent emails that malicious actors send from your domain.
Do keep the record concise
Keep each DNS TXT string of your SPF record under 255 characters, and avoid exceeding the limit of 10 DNS lookups.
Do update the record when new IPs or services are added
Update your SPF record whenever you add or change email service providers to avoid delivery issues. Otherwise, emails originating from those services might be flagged as unauthorized, reducing deliverability and damaging your sender reputation.
Common scenarios in which you would have to add or remove sending sources include switching email providers, integrating a new third-party email-sending service, adding a new mail server, or changing the IP addresses of existing ones. You may also need to make changes when you expand the services that send emails on your behalf, for example, when starting a new social media department.
The don’ts of an SPF record
Ensure smooth email authentication by following these SPF practices:
Don’t use multiple SPF records
There should only be one SPF record per domain. Multiple SPF records corresponding to a domain will fail the validation process. If needed, merge all the existing SPF records into one.
Don’t forget about IPv6
There are relatively fewer IPv6 mail servers, which is why people often forget to add them to their SPF records. As a result, those servers remain unauthorized, causing legitimate emails sent from them to get flagged.
Don’t use wildcard mechanisms carelessly
Avoid using broad mechanisms like +all or ?all, which allow any IP to send emails on your behalf. This defeats the purpose of SPF and exposes you to phishing and spam. Your domain will also be highly prone to gaining a bad reputation, eroding trust with recipients and harming your brand’s credibility.
Don’t rely on SPF alone
SPF should be complemented with DKIM and DMARC for a more comprehensive email security strategy. DKIM uses cryptography to tell recipients whether someone has changed or tampered with the email’s contents in transit. This is done with a pair of public and private keys: the private key signs the message, and the public key lets recipients verify the signature.
DMARC works by aligning the domains authenticated by SPF and DKIM with the ‘From’ domain, ensuring that only authorized servers are used for sending emails from your domain. It also has a reporting feature that gives you a log of unauthorized email activity. By specifying a policy (none, quarantine, or reject), you instruct receiving servers on how to handle unauthorized messages.
Don’t exceed the 10 DNS lookup limit
SPF has a hard limit of 10 DNS lookups per record. Exceeding it causes the SPF check to fail. Avoid using too many include mechanisms and nested lookups. If your SPF record has already exceeded this limit, use our automatic SPF flattening tool, which condenses the record so that it stays within the limit.
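The checks from the do’s and don’ts above (one record per domain, the 255-character TXT string limit, no +all/?all, and the 10-lookup limit with nested includes counted) can be automated. The following is an added example linter, not the article’s flattening tool; the TXT dictionary and all domain names in it are constructed stand-ins for DNS answers.

```python
# Offline SPF linter (added example, not the article's tool): `txt` stands in
# for DNS so it runs offline; feed it a real resolver's TXT answers for live use.
TXT = {  # constructed sample data: domain -> list of TXT strings
    "good.example": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 mx include:_spf.crm.example -all"],
    "_spf.crm.example": ["v=spf1 a a:mail.crm.example ip4:198.51.100.10 ~all"],
    "bad.example": ["v=spf1 include:bulk.example ?all", "v=spf1 ip4:203.0.113.5 +all"],  # two records
    "bulk.example": ["v=spf1 " + " ".join(f"include:node{i}.bulk.example" for i in range(10)) + " -all"],
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup (redirect= does too)

def spf_records(domain, txt):
    """All TXT strings for domain that start with v=spf1."""
    return [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]

def parse_term(term):
    """Split a term into (lower-case name, argument), dropping qualifier and CIDR."""
    if "=" in term:  # modifier, e.g. redirect=_spf.example.net
        name, arg = term.split("=", 1)
        return name.lower(), arg
    name, _, arg = term.lstrip("+-~?").partition(":")
    return name.lower().split("/")[0], arg  # 'a/24' -> 'a'

def count_lookups(domain, txt, seen=None):
    """Count lookup-causing terms, following include: and redirect= recursively."""
    seen = set() if seen is None else seen
    if domain in seen:  # loop guard: each domain is expanded once
        return 0
    seen.add(domain)
    total = 0
    for record in spf_records(domain, txt)[:1]:
        for term in record.split()[1:]:
            name, arg = parse_term(term)
            total += name in LOOKUP_MECHS or name == "redirect"  # bool counts as 0/1
            if name in ("include", "redirect"):
                total += count_lookups(arg, txt, seen)
    return total

def lint(domain, txt):
    """Return the problems found with domain's SPF setup ([] means clean)."""
    records = spf_records(domain, txt)
    if not records:
        return [f"{domain}: no SPF record found"]
    problems, record = [], records[0]
    if len(records) > 1:
        problems.append(f"{domain}: {len(records)} SPF records published; receivers return PermError")
    if len(record) > 255:
        problems.append(f"{domain}: record is {len(record)} characters; a TXT string holds at most 255")
    for term in record.split()[1:]:
        if term in ("all", "+all", "?all"):
            problems.append(f"{domain}: '{term}' lets any IP send as this domain")
    if (lookups := count_lookups(domain, txt)) > 10:
        problems.append(f"{domain}: {lookups} DNS lookups exceed the limit of 10")
    return problems
```

Running lint("bad.example", TXT) reports all three problems at once (two records, ?all, and 11 lookups because the include pulls in ten more), while bulk.example with exactly 10 lookups passes that check but fails on length.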
Final thoughts
Overlooking email authentication will do you no good, especially now that phishing and spoofing are on the rise. So, get started with your email security drill today, and reach out to us for anything related to SPF flattening.