SPF stands for Sender Policy Framework— an email authentication protocol that allows only the emails sent by authorized people to get delivered to the recipient’s inbox. Deploying SPF, DKIM, and DMARC prevents your organization from email-based phishing, spoofing, and BEC attacks.
Now, an SPF record is a TXT (text) record on which the entire process of email authentication via SPF relies. It includes a list of IP addresses and mail servers officially authorized to send emails from your domain.
You think of an SPF record as a guest list to an invite-only party; if a sending source is not on the list (the SPF record), the door attendant (the recipient’s server) will mark their emails as spam or reject them.
A TXT SPF record specifies which mail servers are authorized to send emails for your domain, and automated SPF flattening simplifies and optimizes this record to ensure reliable email delivery and prevent spoofing.
How does a mail server check an SPF record?
When a mail server checks an SPF record, it follows a simple process:
- Server One sends an email. Its IP address is 192.0.2.0, and the email uses email@returnpath.com as the return-path. (The return-path is not the same as the “from” address. It’s mainly used to handle bounced emails.)
- The receiving mail server (Server Two) looks at the domain in the return-path and searches for its SPF record.
- If Server Two finds the SPF record, it checks whether Server One’s IP address is listed there as an autIf the IP address is found, the SPF check passes, and the email is accepted.
- If it’s not listed, the SPF check fails, and the email may be rejected or sent to the spam folder.
SPF record syntax
General example of an SPF record- v=spf1 mechanism1 mechanism2 … mechanismN qualifier
Let’s break down the synatx in simple terms:
- v=spf1: This shows the version of SPF being used (it’s always spf1).
-
Mechanisms: These define which mail servers are allowed. Common ones are:
- IP4: allows an IPv4 address (e.g., ip4:192.0.2.0/24)
- IP6: allows an IPv6 address
- include: allows another domain’s SPF record to be used (e.g., include:_spf.google.com)
- a: allows the domain’s A record IP
- mx: allows the domain’s MX record IPs
- all: matches everything (usually at the end)
-
Qualifiers: These decide what happens if an IP matches or not:
- + (pass): allowed
- – (fail): not allowed
- ~ (soft fail): probably not allowed, but not strictly blocked
- ? (neutral): no specific policy
Example of a complete SPF record
v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -allThis example indicates that-
- Emails can be sent from IPs in 192.0.2.0/24 or from Google’s mail servers.
- All others (-all) are not allowed to send emails using this domain.
Importance of SPF records
An SPF record is important because it helps protect your domain from being used by spammers or hackers. It tells receiving mail servers which servers are allowed to send emails on your behalf. When someone sends an email using your domain, the receiving server checks the SPF record to confirm if it is genuine. If the email comes from an unauthorized source, it is marked as spam or rejected. This reduces the chances of phishing and spoofing attacks. Having an SPF record also improves your email deliverability and helps build trust with your recipients.
