SPF delegation is a one-time setup in which a domain owner hands management of the domain's SPF record to a third party, such as an external mail server or a dedicated SPF hosting service, that sends mail on the domain's behalf or maintains the record for it. To set it up, you change the current SPF record so that it references the delegate's record (typically with an include: mechanism or a redirect= modifier), and the revised record has to be published through your DNS manager or hosting company.
SPF delegation is an important part of email authentication. A correctly maintained record helps genuine mail from your domain reach recipients' inboxes while significantly reducing the risk of spoofing and phishing that abuses your domain.
Let’s explore this topic in detail.
SPF Delegation Configuration
If the server that hosts your website also sends mail for you (contact forms, notifications), its sending IP addresses must be in the record. That sounds harmless until the host goes down, moves, or changes addresses, or the hostname that an a: or mx mechanism points at stops resolving: mail sent through it then fails SPF and is junked or rejected by receivers, damaging your reputation and communications at several levels.
SPF delegation fits alongside the other email authentication protocols, DKIM and DMARC. Many organizations rely on parties that send from servers they do not operate themselves, such as an ISP's or the company's own mail servers; those sources have to be authorized in the SPF record, and delegation is the usual way to keep that list current. Mail sent from a source that is not authorized fails SPF and is highly likely to be marked as spam or bounced. DMARC adds a further check: the domain that passes SPF (the envelope MAIL FROM, or Return-Path, domain) must align with the domain in the From header, so a third party whose bounce address uses its own domain still fails DMARC's SPF alignment unless it uses a return path on your domain or signs with an aligned DKIM key.
Image sourced from cloudns.net
To delegate, you publish the SPF TXT record at the apex of the domain's DNS zone (the domain name itself) and have it reference the delegate's record instead of listing every address inline. Note that an SPF record applies only to the exact name it is published on: if mail is sent from one of your subdomains that has no record of its own, receivers get a "none" result rather than the softfail (~all) or hardfail (-all) your apex record specifies. Each subdomain that sends mail therefore needs its own record, and a subdomain that should never send mail should publish "v=spf1 -all".
Setting Up Domain for SPF Delegation
Follow these steps carefully to set up your domain for SPF delegation:
- Click on the menu bar in the DNS manager.
- Choose the domain that needs to be updated.
- Make changes to the SPF record in the SPF delegation overview:
- a record: Add the 'a' row and enter 32 in the IPv4 CIDR column and 128 in the IPv6 CIDR column (these are SPF's defaults; a bare a mechanism means the host's exact addresses).
- mx record: Add the 'mx' row and enter 32 in the IPv4 CIDR column and 128 in the IPv6 CIDR column, for the same reason.
- include: Add every required include statement, entering only the domain name that follows include: (not the include: prefix itself).
- ipv4: List all the IPv4 addresses. If an entry specifies a range (e.g., /22), enter 22 in the CIDR column; enter 32 if no range is listed.
- ipv6: List all the IPv6 addresses. If an entry specifies a range (e.g., /36), enter 36 in the CIDR column; enter 128 if no range is listed.
- Policy: Choose softfail (~all) or hardfail (-all). If you are new to SPF or the domain has heavy and varied mail traffic, start with softfail, and move to hardfail once you have confirmed (for example through DMARC reports) that every legitimate sender is covered.
- Once done, click save to publish the record on DNS.
- A DNS entry is generated at the bottom of the page. Publish this entry in your domain's DNS.
- Once the entry is published, your SPF record is hosted by the delegate and managed from the DNS manager; you no longer have to edit it in a separate external DNS manager.
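As an added example (not code from the original article or from AutoSPF), the following Python assembles the record that the fields above describe (a/mx rows with their CIDR columns, include targets, IPv4/IPv6 entries and the policy), validates each value, and renders the DNS entry to publish, including the 255-byte character-string splitting that a TXT record requires. The form values and the example.com name are constructed; literal ip4/ip6 terms are emitted before the lookup-based ones so most messages match without any DNS queries.

```python
import ipaddress
import re

# Constructed input modelled on the form fields in the steps above; every value
# is hypothetical (documentation prefixes and a .example name), not a real record.
FORM = {
    "a": [{"ipv4_cidr": 32, "ipv6_cidr": 128}],
    "mx": [{"ipv4_cidr": 32, "ipv6_cidr": 128}],
    "include": ["_spf.provider.example", "_spf.provider.example"],  # duplicate on purpose
    "ipv4": [("198.51.100.0", 22), ("203.0.113.25", 32)],
    "ipv6": [("2001:db8:1::", 36), ("2001:db8:2::1", 128)],
    "policy": "~all",
}

DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z]{2,63}$", re.I)


def dual_cidr(v4, v6):
    """SPF dual-CIDR suffix for a/mx: '' for the defaults /32 and /128, else /v4, //v6 or /v4//v6."""
    if not (0 <= v4 <= 32 and 0 <= v6 <= 128):
        raise ValueError(f"CIDR out of range: /{v4} //{v6}")
    return ("" if v4 == 32 else f"/{v4}") + ("" if v6 == 128 else f"//{v6}")


def ip_term(mech, addr, cidr):
    """ip4:/ip6: term; validates the address and drops the host-length default."""
    net = ipaddress.ip_network(f"{addr}/{cidr}", strict=False)
    if net.version != (4 if mech == "ip4" else 6):
        raise ValueError(f"{addr} is not an {mech} address")
    return f"{mech}:{addr}" if cidr == net.max_prefixlen else f"{mech}:{addr}/{cidr}"


def build_spf(form):
    """Assemble the record. Literal ip4/ip6 terms go first so a match on them
    costs no DNS lookups; the lookup-based terms (a, mx, include) follow."""
    if form["policy"] not in ("~all", "-all"):
        raise ValueError("policy must be ~all (softfail) or -all (hardfail)")
    terms = ["v=spf1"]
    terms += [ip_term("ip4", a, c) for a, c in form["ipv4"]]
    terms += [ip_term("ip6", a, c) for a, c in form["ipv6"]]
    terms += ["a" + dual_cidr(r["ipv4_cidr"], r["ipv6_cidr"]) for r in form["a"]]
    terms += ["mx" + dual_cidr(r["ipv4_cidr"], r["ipv6_cidr"]) for r in form["mx"]]
    for name in dict.fromkeys(form["include"]):  # de-duplicate, keep order
        if not DOMAIN.match(name):
            raise ValueError(f"bad include target {name!r}: enter only the domain name")
        terms.append(f"include:{name}")
    terms.append(form["policy"])
    return " ".join(terms)


def split_txt(record, limit=255):
    """Split into character-strings of at most `limit` bytes for a single TXT RR.
    Receivers concatenate them with no separator, so ''.join(parts) == record."""
    parts, cur = [], ""
    for tok in record.split(" "):
        piece = tok if not cur else " " + tok
        if len(cur) + len(piece) > limit:
            parts.append(cur)
            cur = piece
        else:
            cur += piece
    parts.append(cur)
    return parts


def zone_line(name, record):
    """One TXT RR in zone-file syntax; a name must publish exactly one SPF record."""
    return f"{name}. IN TXT " + " ".join(f'"{p}"' for p in split_txt(record))


if __name__ == "__main__":
    rec = build_spf(FORM)
    print(rec)
    print(zone_line("example.com", rec))
```

The builder rejects anything other than the two policies the form offers, drops the duplicate include, and leaves the CIDR suffix off a, mx, ip4 and ip6 terms when it equals the default, which is how the resulting record reads in most published examples. Paste the `zone_line` output into your zone or enter the quoted strings as one TXT record in your DNS manager.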
We suggest using SPF testing tools to confirm that the record parses, stays within the DNS lookup limit, and authenticates mail from every source you listed.
Also take care of these 4 points:
Syntax
Check that the syntax is correct. A record with a syntax error evaluates to permerror, which receivers treat as a failed check, so both delivery and authentication suffer.
Length Limits
DNS records have length limits, but the relevant one is 255 bytes per character-string inside a TXT record, not 255 characters for the whole SPF record. A longer record is published as several quoted strings in the same TXT record, which receivers concatenate without inserting spaces, so split it only where the mechanisms stay intact. Do not publish a second SPF TXT record for the same name: RFC 7208 allows exactly one, and two produce a permerror. Keep the whole record compact as well, ideally under about 450 bytes, so the DNS reply still fits in a single 512-byte UDP response.
Order of Entries
SPF mechanisms are evaluated left to right and the first match ends evaluation, so the order of include statements does not change the result of a pass, but it does affect how many DNS queries a typical evaluation performs: put literal ip4/ip6 entries and your highest-volume senders first so most messages match before the later lookup-based terms are reached. Beyond that, list the includes in a logical order so the record is easy to audit.
Choose a Trusted Service Provider
Delegating SPF management to a third party means that a compromise of that party can change who is allowed to send as your domain. It is therefore crucial to choose a reputable provider with a proven security and reliability record.
Importance of SPF Delegation
Domain owners are often skeptical about SPF delegation. If you are too, here are 4 reasons that will hopefully convince you.
1. Your SPF Record Stays Within the Lookup Limit
To keep evaluation cheap, RFC 7208 caps the number of DNS-querying terms (include, a, mx, ptr, exists and redirect) at 10 per evaluation; exceeding it returns permerror, which invalidates the record. Small organizations stay under the limit easily, but medium and large ones, with several providers each contributing nested includes, reach it quickly. A delegation service that flattens the record resolves every source officially allowed to send on behalf of your brand, nested lookups included, and publishes the resulting addresses as ip4/ip6 literals, so the record receivers evaluate stays within the limit however many sources you authorize. Flattening also merges duplicate and overlapping ranges, condensing your record even further.
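As an added example (not AutoSPF's code or code from the original article), the following Python walks a record the way a receiver does, counts the terms that RFC 7208 limits to 10, and then flattens the same record into the ip4/ip6-only form a delegation service publishes. DNS is replaced by an in-memory table of constructed, hypothetical names (the .example entries and documentation prefixes); to run it against live zones, replace `rr()` with real resolver queries (dnspython, for instance). The sample zone is laid out so that the original record needs 11 lookups, one over the limit, while the flattened result needs none.

```python
import ipaddress
import re

# Constructed in-memory DNS data standing in for live lookups; all names are
# hypothetical. The layout shows nested includes, a redirect=, mx/a expansion
# and ranges that repeat or sit next to each other.
DNS = {
    "example.com": {
        "TXT": "v=spf1 mx include:_spf.mail.example include:_spf.crm.example include:_spf.helpdesk.example -all",
        "MX": ["mx1.example.com", "mx2.example.com"],
    },
    "mx1.example.com": {"A": ["192.0.2.10"]},
    "mx2.example.com": {"A": ["192.0.2.11"]},
    "_spf.mail.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 include:_spf.mail-a.example include:_spf.mail-b.example ~all"},
    "_spf.mail-a.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:a::/48 -all"},  # repeats the parent's range
    "_spf.mail-b.example": {"TXT": "v=spf1 a:relay.mail-b.example -all"},
    "relay.mail-b.example": {"A": ["203.0.113.5"], "AAAA": ["2001:db8:b::5"]},
    "_spf.crm.example": {"TXT": "v=spf1 ip4:203.0.113.64/26 redirect=_spf.crm-pool.example"},
    "_spf.crm-pool.example": {"TXT": "v=spf1 ip4:203.0.113.128/25 -all"},
    "_spf.helpdesk.example": {"TXT": "v=spf1 include:_spf.hd-a.example include:_spf.hd-b.example include:_spf.hd-c.example -all"},
    "_spf.hd-a.example": {"TXT": "v=spf1 ip4:192.0.2.64/27 -all"},
    "_spf.hd-b.example": {"TXT": "v=spf1 ip4:192.0.2.96/27 -all"},  # adjacent to hd-a: merges into one /26
    "_spf.hd-c.example": {"TXT": "v=spf1 ip6:2001:db8:c::/64 -all"},
}

LOOKUP_LIMIT = 10  # RFC 7208 s4.6.4: include, a, mx, ptr, exists and redirect each cost one
TERM = re.compile(r"^(?P<mech>[a-z0-9]+)(?::(?P<arg>[^/]+))?(?P<cidr>(?:/\d+)?(?://\d+)?)$")


def rr(name, rtype):
    return DNS.get(name, {}).get(rtype)


def host_networks(host, v4, v6):
    nets = [ipaddress.ip_network(f"{ip}/{v4}", strict=False) for ip in rr(host, "A") or []]
    nets += [ipaddress.ip_network(f"{ip}/{v6}", strict=False) for ip in rr(host, "AAAA") or []]
    return nets


def expand(domain, record=None, path=()):
    """Walk a record as a receiver would; return (lookups, networks, terminal).
    `record` overrides the TXT found in DNS, e.g. to re-check a flattened record."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    path += (domain,)
    terms = (record or rr(domain, "TXT") or "").split()
    if terms[:1] != ["v=spf1"]:
        raise ValueError(f"no SPF record at {domain}")  # a receiver returns permerror here
    lookups, nets, terminal, redirect = 0, [], "?all", None
    for term in terms[1:]:
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]  # applies only if no mechanism matches
            continue
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term == "all":
            terminal = qual + "all"
            break
        m = TERM.match(term)
        if qual != "+" or not m:
            raise ValueError(f"cannot flatten {qual}{term} in {domain}")
        mech, arg, cidr = m.group("mech", "arg", "cidr")
        v4, v6 = re.match(r"^(?:/(\d+))?(?://(\d+))?$", cidr).groups()
        v4, v6 = int(v4 or 32), int(v6 or 128)
        if mech in ("ip4", "ip6") and arg:
            nets.append(ipaddress.ip_network(arg + cidr, strict=False))
        elif mech == "a":
            lookups += 1
            nets += host_networks(arg or domain, v4, v6)
        elif mech == "mx":
            lookups += 1
            for mx in rr(arg or domain, "MX") or []:
                nets += host_networks(mx, v4, v6)
        elif mech == "include" and arg:
            lookups += 1
            sub_l, sub_n, _ = expand(arg, path=path)  # an include's own 'all' is not inherited
            lookups, nets = lookups + sub_l, nets + sub_n
        else:
            raise ValueError(f"cannot flatten {term}: ptr/exists need per-message lookups")
    else:
        if redirect:
            lookups += 1
            sub_l, sub_n, terminal = expand(redirect, path=path)
            lookups, nets = lookups + sub_l, nets + sub_n
    return lookups, nets, terminal


def flatten(domain):
    """The record a delegation service would publish: every source resolved to
    ip4/ip6 literals, duplicates and mergeable neighbours collapsed, no lookups."""
    _, nets, terminal = expand(domain)
    tokens = []
    for version, mech in ((4, "ip4"), (6, "ip6")):
        for n in sorted(ipaddress.collapse_addresses(x for x in nets if x.version == version)):
            tokens.append(f"{mech}:{n.network_address}" if n.prefixlen == n.max_prefixlen else f"{mech}:{n}")
    return "v=spf1 " + " ".join(tokens + [terminal])


if __name__ == "__main__":
    n = expand("example.com")[0]
    print(f"example.com needs {n} lookups ({'over' if n > LOOKUP_LIMIT else 'within'} the limit of {LOOKUP_LIMIT})")
    print(flatten("example.com"))
```

Two details matter in practice. The flattened record is a snapshot: providers change their sending ranges, so whoever hosts the flattened record has to re-resolve the includes on a schedule, which is the work a delegation service takes on. And flattening keeps only positive mechanisms; an include's own ~all or -all never propagates to the parent, so the terminal policy comes from your top-level record (or the target of a redirect=).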
2. Reduced IP Entries
A flattened, delegated record lists each authorized range once, with duplicate and overlapping entries merged, so the set of addresses allowed to send as your domain is no larger than it needs to be. A tight, explicit set of senders leaves less room for email phishing and spoofing than a sprawling record that nobody audits.
3. Keeps Your Domain Compliant
Regulations such as GDPR and CAN-SPAM expect businesses to take reasonable measures against misuse of their identity and their customers' data. A correctly maintained SPF record is one such measure and helps demonstrate compliance.
4. Legal Protection
Implementing and maintaining SPF shows that you are taking proactive steps to secure your domain and email communications, which can be crucial in legal disputes where proof of due diligence is required.
SPF Delegation to AutoSPF
When you delegate your SPF record to AutoSPF, we host and manage it, keeping the published record within the 10-lookup limit however many sources you authorize and preventing duplicate entries. If you are not sure whether SPF delegation is necessary for your domain, consult with us; we will help you through each step.