What is SPF? (Sender Policy Framework)
Quick Setup
If you are already familiar with SPF records and you just need to add AuthSMTP to your SPF - please use:
include:authsmtp.com
The Basics
What is SPF?
SPF stands for Sender Policy Framework.
It is a widely supported system that helps protect domain names and their owners from being spoofed by spammers.
It does this by allowing a domain name owner to publish a policy which declares where emails using that domain name are permitted to originate from.
It doesn't prevent spoofed emails from being sent, but it allows receiving mail servers to verify the source of an email and take appropriate action.
How does it work?
- The domain name owner adds an SPF record to their domain name's DNS records
- The SPF record declares all the IP addresses that are permitted to send email for that domain name
- When an email provider receives an email, they will lookup:
- The IP address that the email came from
- The domain name that the email came from (the envelope sender, i.e. the domain in the SMTP MAIL FROM command; SPF does not check the From: header that the recipient sees)
- If that domain name has an SPF record
- If the domain name does not have an SPF record, the check returns no result and the message is handled by the receiver's normal filtering
- If the domain name does have an SPF record, they will check if the IP address is listed in the SPF record
- If the IP address is not listed in the SPF record, the message will be rejected or filtered, depending on the 'all' qualifier at the end of the record (see the syntax section below)
- If the IP address is listed in the SPF record, the SPF check passes and the message will be delivered as normal
Is SPF mandatory?
Not strictly, but many inbound email providers now expect a valid SPF record, and there are several advantages:
- It helps protect your domain name from spoofing and phishing, because receivers can reject or flag mail sent from servers you have not authorised
- Having an SPF record improves the deliverability of your emails
- Some email providers require you to have an SPF record before they will accept any email from your domain name
- It is a building block for DMARC, which needs a message to pass SPF or DKIM with a matching domain before its policy can apply, so an SPF record is normally the first step; DKIM signing itself does not depend on SPF
How do I setup SPF for my domain name?
Step 1 - Sources of email
The first thing you need to do is determine all the different sources of email for your domain name.
You only need to include the IP addresses of sources that actually deliver the email such as an SMTP server, not the ones that only create messages such as your computer or mobile device.
Source | Add to your SPF record? |
---|---|
Your outgoing email provider or server (you may be using multiple services) | Yes |
Your website host, because emails are normally sent from your website (i.e. contact forms) | Yes |
Any third party services that send email using your domain name | Yes |
Your broadband, cable or mobile connection IP address | No |
Your computer's or mobile device's IP address | No |
Step 2 - Generate your SPF record
Once you have determined all sources of email for your domain name, you will need to work out what needs to be added to your SPF record to authorize those sources.
We would recommend that you contact each provider that you have determined as a source of email for your domain name and ask them what you should add to your SPF record to authorize their network.
For details on the exact SPF record please see our guide to SPF syntax below.
Step 3 - Add the SPF record
The SPF record is stored in the DNS records of your domain name as a 'TXT' type DNS record:
example.com IN TXT "v=spf1 a mx include:authsmtp.com ~all"
You should only ever have one SPF record per domain name; when you add a new source, edit the existing record rather than creating a second one. If you are unsure how to edit the DNS records for your domain name, please contact your domain name provider.
How do I setup my SPF for AuthSMTP?
If you have an existing SPF record setup, you simply need to add include:authsmtp.com to it.
A typical SPF record that includes our service would be:
"v=spf1 a mx include:authsmtp.com ~all"
Standard SPF Syntax
Start With…
All SPF records must start with:
v=spf1
This tells an SPF checker that it is an SPF record and it is using version 1 of the SPF standard, there is currently only 1 version.
End With…
SPF records should end with the 'all' mechanism, which defines what to do with all other sources of email not listed earlier in the record. The only exception is a record that hands evaluation to another domain with the redirect= modifier (see below); a record with neither 'all' nor redirect gives unlisted sources a Neutral result.
The 'all' mechanism should be prefixed with one of the following qualifiers (a bare 'all' with no qualifier means the same as '+all'):
Qualifier | Type | Explanation | Recommended |
---|---|---|---|
-all | Fail | This tells SPF checkers to strictly enforce the mechanisms set in your SPF record. If a message comes from a source not defined in the SPF record, it should be rejected or at least filtered to the spam folder. | Yes, once you are confident that every source of email has been listed |
~all | SoftFail | This tells SPF checkers to enforce the mechanisms set in your SPF record, but only as an advisory. If a message comes from a source not defined in the SPF record, it should be accepted but filtered to the spam folder or marked as possible spam. | Yes, as a safe starting point while you confirm the record is complete |
?all | Neutral | This tells SPF checkers that the SPF record is purely advisory and should not be enforced. Unlisted sources are treated much as if no SPF record existed. | No |
+all | Pass | This tells SPF checkers that emails from sources not defined in the SPF record should be accepted. Any server on the Internet then passes SPF for your domain name, so this gives no protection against spoofing. | No, never |
In Between…
Between the opening 'v=spf1' version tag and the closing 'all' mechanism you list all sources of email for your domain name. You can specify sources using IP addresses, hostnames or other domains' SPF records. Mechanisms are evaluated left to right and the first one that matches the sending IP address decides the result.
For each source of email, you need to specify it with the correct mechanism:
Mechanism | Example Use | Explanation |
---|---|---|
a | a | The a mechanism alone allows the IP addresses in the A (and AAAA) records of the domain name itself, for example if example.com pointed to 203.0.113.1. It does not cover other hostnames under the domain; to allow secure.example.com you would add a:secure.example.com. |
a | a:www.example.net | The a mechanism with a named hostname allows only the IP addresses that hostname resolves to, for example if www.example.net pointed to 203.0.113.1. |
mx | mx | The mx mechanism alone allows the IP addresses of the hosts listed in your domain name's MX records to send email. |
mx | mx:example.com | The mx mechanism with a named domain name allows the IP addresses of the hosts listed in that domain name's MX records to send email. |
ip4 | ip4:203.0.113.1, ip4:203.0.113.0/24 | The ip4 mechanism allows you to specify either a single IPv4 address or a CIDR range. It costs no DNS lookups, so it is the cheapest way to list a source. |
ip6 | ip6:2001:db8::1, ip6:2001:db8::/32 | The ip6 mechanism allows you to specify either a single IPv6 address or a CIDR range. Like ip4 it costs no DNS lookups. |
include | include:authsmtp.com | The include mechanism allows you to 'include' the SPF record of another domain name in your own SPF record. It matches only if the included record returns a Pass for the sending IP address; the included record's own 'all' does not apply to your domain name, so a -all inside an include cannot fail your mail, and an included domain with no SPF record causes a permanent error. This option is most commonly used by email providers such as AuthSMTP. |
ptr | ptr | The ptr mechanism alone allows any IP address whose reverse DNS hostname is within your domain name to send email. It is deprecated in RFC 7208 because reverse DNS lookups are slow and unreliable, and some checkers ignore it. The use of this mechanism is not recommended. |
ptr | ptr:example.net | The ptr mechanism with a named domain name allows any IP address whose reverse DNS hostname is within the named domain name to send email. The use of this mechanism is not recommended. |
exists | exists:example.net | The exists mechanism matches if a DNS A lookup of the named domain name returns any address, whatever that address is. It is normally combined with SPF macros so that the looked-up name is built from the sending IP address or sender. The use of this mechanism is for advanced users, not usually recommended. |
redirect | redirect=example.com | redirect is a modifier rather than a mechanism. It tells the SPF checker to evaluate the SPF record of another domain name instead of yours, and is only used when none of the mechanisms in your record matched. If your record also contains 'all', the redirect is never reached and is ignored. The use of this modifier is for advanced users, not usually recommended. |
Important SPF Rules
Some of the most important rules to note regarding SPF records:
- The SPF TXT record must be published directly on the domain name; it cannot sit at a name that is a CNAME, because DNS does not allow a CNAME to coexist with other records at the same name
- Each domain name is only permitted a single SPF record; two or more 'v=spf1' TXT records is a permanent error and the check fails
- You should not use any hostnames that do not exist or resolve; a lookup that returns nothing is a 'void lookup', and checkers may treat more than two of these in one check as a permanent error
- There cannot be more than 10 DNS lookups involved in an SPF check. The 'a', 'mx', 'ptr', 'exists' and 'include' mechanisms and the 'redirect' modifier each count as one, including those inside any record you include; 'ip4', 'ip6' and 'all' cost nothing. Exceeding the limit is a permanent error and your mail may fail SPF
- SPF records should be setup as 'TXT' type DNS records, the deprecated 'SPF' type DNS record should not be used
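The evaluation walk through in "How does it work?" and the single-record and 10-lookup rules above can be exercised offline with the following script. It is an added example written for this article, not AuthSMTP code or a full RFC 7208 implementation: real DNS is replaced by the constructed ZONE dictionary (documentation-only domain names and RFC 5737 / RFC 3849 addresses), and ptr, macros, exp= and a/mx CIDR suffixes are not modelled.

```python
"""Offline SPF evaluator and lookup counter (added example, not AuthSMTP code)."""
import ipaddress

# Constructed fake DNS data standing in for real lookups so the example runs offline.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 a mx include:mail.example.net ~all"],
        "A": ["203.0.113.10"],
        "MX": ["mx1.example.com"],
    },
    "mx1.example.com": {"A": ["203.0.113.25"]},
    "mail.example.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"]},
    "twice.example": {"TXT": ["v=spf1 -all", "v=spf1 a -all"]},  # two SPF records: invalid
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},  # blows the 10-lookup limit
}

LOOKUP_LIMIT = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}  # each costs one DNS lookup


def dns(name, rtype):
    return ZONE.get(name.lower(), {}).get(rtype, [])


def get_spf(domain):
    """Return (record, error): the single v=spf1 TXT record, or an error result."""
    recs = [t for t in dns(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if not recs:
        return None, "none"
    if len(recs) > 1:
        return None, "permerror"  # more than one SPF record is a permanent error
    return recs[0], None


def parse_term(term):
    """Split 'qualifier mechanism:argument'; a bare mechanism defaults to '+'."""
    qual = "+"
    if term[0] in QUALIFIERS:
        qual, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return qual, name.lower(), arg


def check(ip, domain, counter=None):
    """Evaluate SPF for sender address `ip` claiming envelope domain `domain`."""
    counter = counter if counter is not None else [0]  # lookup budget shared across includes
    ip = ipaddress.ip_address(ip)
    rec, err = get_spf(domain)
    if err:
        return err
    redirect = None
    for term in rec.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if "=" in term:  # other modifiers such as exp= do not affect the result
            continue
        qual, name, arg = parse_term(term)
        if name in LOOKUP_MECHANISMS:
            counter[0] += 1
            if counter[0] > LOOKUP_LIMIT:
                return "permerror"
        target = arg or domain
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)  # False across IP versions
        elif name == "a":
            matched = any(ip == ipaddress.ip_address(a) for a in dns(target, "A") + dns(target, "AAAA"))
        elif name == "mx":
            matched = any(ip == ipaddress.ip_address(a)
                          for mx in dns(target, "MX") for a in dns(mx, "A") + dns(mx, "AAAA"))
        elif name == "include":
            sub = check(ip, arg, counter)
            if sub in ("none", "permerror"):  # missing or broken included record is fatal
                return "permerror"
            matched = sub == "pass"  # only a Pass from the include matches; its 'all' is ignored
        elif name == "exists":
            matched = bool(dns(arg, "A"))
        elif name == "ptr":
            matched = False  # deprecated mechanism, not modelled in this example
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        counter[0] += 1
        if counter[0] > LOOKUP_LIMIT:
            return "permerror"
        return check(ip, redirect, counter)
    return "neutral"  # no 'all' and no redirect: implicit neutral


def count_lookups(domain, depth=0):
    """Count DNS-querying terms reachable from `domain`'s record, following include/redirect."""
    rec, _ = get_spf(domain)
    if rec is None or depth > LOOKUP_LIMIT:
        return 0
    total = 0
    for term in rec.split()[1:]:
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], depth + 1)
            continue
        _, name, arg = parse_term(term)
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include":
            total += count_lookups(arg, depth + 1)
    return total


if __name__ == "__main__":
    for sender in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(sender, "->", check(sender, "example.com"))
    print("lookups used by example.com:", count_lookups("example.com"))
```

Running it shows the points the article makes: a sender in the included provider's range passes, an unlisted sender gets softfail from example.com's own ~all even though the included record ends in -all, a domain with two SPF records is a permanent error, and a record that includes itself exceeds the 10-lookup budget and fails the same way. count_lookups is the check to run against a real record before publishing, since every include you add brings its own a, mx and include terms with it.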
Advanced
There are additional, more advanced features and specific rules not covered by this article but you can find all of this information in the official documentation of the SPF standard - RFC 7208.