What is SPF? (Sender Policy Framework)


The Basics

What is SPF?

SPF stands for Sender Policy Framework.

It is a globally supported system that helps to protect domain names and their owners from being spoofed by spammers.

It does this by allowing a domain name owner to publish a policy which declares where emails can originate from.

It doesn't prevent spoofed emails from being sent, but it allows receiving email providers to verify whether the server that delivered an email was authorised by the domain owner and to take appropriate action.

How does it work?

  • The domain name owner adds an SPF record to their domain name's DNS records
  • The SPF record declares all the IP addresses that are permitted to send email for that domain name
  • When a mail server receives an email, it looks up:
    • The IP address of the server that delivered the email (the last SMTP hop, not any address written inside the message)
    • The domain name in the envelope sender (the SMTP 'MAIL FROM' / Return-Path address, which is not necessarily the 'From:' header the recipient sees)
    • Whether that domain name has an SPF record
  • If the domain name does not have an SPF record, the result is 'none' and the message is delivered as normal
  • If the domain name does have an SPF record, the receiver checks whether the IP address is covered by one of the mechanisms in the record
  • If the IP address is not listed, the qualifier on the record's 'all' mechanism decides the result: the message may be rejected, filtered to the spam folder or only marked, depending on that qualifier and the receiver's own policy
  • If the IP address is listed in the SPF record, the message passes SPF and is delivered as normal (subject to the receiver's other spam checks)

Because SPF checks the envelope sender rather than the visible 'From:' header, a message can pass SPF while showing a spoofed 'From:' address; DMARC closes this gap by additionally requiring the two domains to align.

Is SPF mandatory?

No, there is no mandatory requirement that forces you to add an SPF record to your domain name, but there are many advantages:

  • It helps protect your domain name from spoofing and phishing
  • Having an SPF record improves the deliverability of your emails
  • Some email providers require you to have an SPF record before they will accept any email from your domain name
  • DMARC relies on SPF and/or DKIM: a DMARC policy can only be enforced when at least one of them passes and aligns with the domain in the 'From:' header, so you will normally want SPF in place before deploying DMARC (DKIM signing itself does not depend on SPF)

How do I setup SPF for my domain name?

Step 1 - Sources of email

The first thing you need to do is determine all the different sources of email for your domain name.

You only need to include the IP addresses of sources that actually deliver the email to the recipient's mail server, such as an SMTP server or relay service, not the ones that only create messages and hand them to such a server, such as your computer or mobile device.

Sources to check include:

  • Your outgoing email provider or server (you may be using multiple services)
  • Your website host, because you would normally send emails from your website (i.e. contact forms)
  • Any third party services that send email using your domain name (e.g. newsletter, CRM or ticketing platforms)
  • Your broadband, cable or mobile connection IP address, or your computer's or mobile device's IP address, but only if that device delivers mail directly to recipients rather than through one of the services above

Step 2 - Generate your SPF record

Once you have determined all sources of email for your domain name, you will need to work out what needs to be added to your SPF record to authorise those sources.

We would recommend that you contact each provider that you have determined as a source of email for your domain name and ask them what you should add to your SPF record to authorize their network.

For details on the exact SPF record please see our guide to SPF syntax below.

Step 3 - Add the SPF record

The SPF record is stored in the DNS records of your domain name as a 'TXT' type DNS record:

example.com IN TXT "v=spf1 a mx include:authsmtp.com ~all"

You should only ever have one SPF record per domain name; a second 'v=spf1' TXT record makes the check a permanent error rather than a pass. The record must be published on the exact domain name used in the envelope sender: subdomains do not inherit it and need their own record. If you are unsure how to edit the DNS records for your domain name, please contact your domain name provider.

How do I setup my SPF for AuthSMTP?

If you have an existing SPF record set up, you simply need to add include:authsmtp.com to it (edit the existing record rather than adding a second one).

A typical SPF record that includes our service would be:

"v=spf1 a mx include:authsmtp.com ~all"

Standard SPF Syntax

Start With…

All SPF records must start with:

v=spf1

This tells an SPF checker that it is an SPF record and that it uses version 1 of the SPF standard; there is currently only one version.

End With…

All SPF records should end with the 'all' mechanism; it defines what to do with all other sources of email not defined within the SPF record. Anything after 'all' is ignored, and a record without 'all' (and without a redirect) gives a 'neutral' result for unlisted sources.

The 'all' mechanism must be prefixed with one of the following qualifiers:

Qualifier  Type      Explanation
-all       Fail      This tells the SPF checkers that they should strictly enforce the mechanisms set in your SPF record. If a message comes from a source not defined in the SPF record, it should be rejected or at least filtered to the spam folder.
~all       SoftFail  This tells the SPF checkers that they should enforce the mechanisms set in your SPF record but only as an advisory. If a message from a source not defined in the SPF record is received, it should be accepted but filtered to the spam folder or marked as possible spam.
?all       Neutral   This tells the SPF checkers that the SPF record is purely advisory and should not be enforced; it is treated the same as having no record.
+all       Pass      This tells the SPF checkers that emails that originate from sources not defined in the SPF record should be accepted. This authorises every host on the internet to send as your domain and should never be used.

Note that only a 'pass' counts in your favour: DMARC treats 'softfail', 'neutral' and 'permerror' alike as SPF not passing, so '~all' does not weaken enforcement once DMARC is in place. Use '-all' when you are confident the record is complete and '~all' while you are still discovering sources.

Inbetween…

Between the 'v=spf1' version tag at the start and the 'all' mechanism at the end you need to include all sources of email for your domain name. You can specify sources using IP addresses, hostnames or other domains' SPF records.

For each source of email, you need to specify it with the correct mechanism:

Mechanism  Example use            Explanation
a          a                      Matches the IP addresses in the A (or AAAA) records of
                                  the domain whose record is being checked, i.e.
                                  example.com itself; it does not cover other hostnames
                                  under the domain such as secure.example.com.
a          a:www.example.net      Matches the IP addresses in the A (or AAAA) records of
                                  the named hostname, for example www.example.net
                                  pointing to 203.0.113.1.
mx         mx                     Matches the IP addresses of the hosts named in the MX
                                  records of your domain name.
mx         mx:example.com         Matches the IP addresses of the hosts named in the MX
                                  records of the named domain name.
ip4        ip4:203.0.113.5        A single IPv4 address or a CIDR range. No DNS lookup
           ip4:203.0.113.0/24     is needed, so ip4 terms do not count towards the
                                  lookup limit.
ip6        ip6:2001:db8::1        A single IPv6 address or a CIDR range; likewise no DNS
           ip6:2001:db8::/32      lookup is needed.
include    include:authsmtp.com   Evaluates the SPF record of another domain name; the
                                  sending IP matches if that record would give a 'pass'
                                  (its 'all' qualifier is not inherited). This is the
                                  usual way to authorise an email provider such as
                                  AuthSMTP. Including a domain that has no SPF record
                                  is a permanent error.
ptr        ptr                    Matches any IP address whose reverse DNS hostname is
                                  under your domain name and resolves back to that
                                  address. Slow and unreliable; RFC 7208 says it should
                                  not be published and its use is not recommended.
ptr        ptr:example.net        The same, for reverse DNS hostnames under the named
                                  domain name. The use of this mechanism is not
                                  recommended.
exists     exists:example.net     Matches if an A lookup of the named domain name
                                  returns any record, regardless of which IP address
                                  the answer contains or which IP is sending. It is
                                  normally used with macros that build a per-sender
                                  hostname, and a name that does not exist counts as a
                                  'void' lookup, of which only two are allowed. For
                                  advanced users; not usually recommended.
redirect   redirect=example.com   A modifier rather than a mechanism: if no mechanism
                                  in the record matches, the SPF record of the named
                                  domain name is evaluated in its place. Because 'all'
                                  always matches, a redirect in a record that also
                                  contains 'all' is never used. For advanced users; not
                                  usually recommended.

Important SPF Rules

Some of the most important rules to note regarding SPF records:

  • There is no mechanism for CNAME records, and the SPF TXT record cannot be published at a name that is itself a CNAME (DNS does not allow other records alongside one); to reuse another domain's record use include or redirect
  • Each domain name is only permitted a single SPF record; two 'v=spf1' TXT records give a permanent error, which is never a pass
  • Do not reference hostnames that do not exist or resolve; RFC 7208 limits such 'void' lookups to two per check
  • There cannot be more than 10 DNS lookups involved in an SPF check. Every include, a, mx, ptr and exists mechanism and every redirect modifier counts, including those inside included records, while ip4 and ip6 do not. Exceeding the limit is a permanent error, so every include you add uses up part of this budget
  • SPF records should be set up as 'TXT' type DNS records; the deprecated 'SPF' type DNS record should not be used
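The evaluation described under 'How does it work?' and the mechanism, qualifier and lookup-limit rules above, as an added Python example (not code from AuthSMTP or from this page). It resolves names from a constructed in-memory DNS table instead of live DNS, so every hostname and address in it is a placeholder chosen for the example; the ptr mechanism, macros and dual-CIDR forms such as a/24 are deliberately left out.

```python
import ipaddress

# Constructed DNS table standing in for live lookups; every name and address
# here is a placeholder chosen for the example, not a real record.
DNS = {
    ("example.com", "TXT"): ["v=spf1 a mx include:authsmtp.com ~all"],
    ("example.com", "A"): ["203.0.113.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("authsmtp.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all"],
    ("strict.example.net", "TXT"): ["v=spf1 ip4:192.0.2.1 -all"],
    ("open.example.net", "TXT"): ["v=spf1 +all"],  # authorises the whole internet
    ("two.example.net", "TXT"): ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],
    ("loop.example.net", "TXT"): ["v=spf1 include:loop.example.net -all"],
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None; two or more is an error."""
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise ValueError("more than one SPF record for " + domain)
    return records[0] if records else None


class SpfCheck:
    """Evaluates one message: the delivering IP against the envelope-sender
    (MAIL FROM) domain, with one DNS-lookup budget shared across includes."""

    def __init__(self):
        self.lookups = 0

    def _count(self):
        self.lookups += 1
        if self.lookups > MAX_LOOKUPS:
            raise ValueError("more than %d DNS lookups" % MAX_LOOKUPS)

    def _host_nets(self, name, ip):
        rtype = "A" if ip.version == 4 else "AAAA"
        return [ipaddress.ip_network(addr) for addr in lookup(name, rtype)]

    def check(self, ip, domain):
        """Returns pass, fail, softfail, neutral, none or permerror."""
        addr = ipaddress.ip_address(ip)
        try:
            return self._evaluate(addr, domain)
        except ValueError:
            return "permerror"

    def _evaluate(self, ip, domain):
        record = spf_record(domain)
        if record is None:
            return "none"
        redirect = None
        for term in record.split()[1:]:           # skip the v=spf1 version tag
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]  # modifier: used only if nothing matches
                continue
            qual = "+"                            # no qualifier means pass
            if term[0] in QUALIFIERS:
                qual, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            mech = mech.lower()
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):          # literal address or CIDR, no DNS needed
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                self._count()
                matched = any(ip in net for net in self._host_nets(arg or domain, ip))
            elif mech == "mx":
                self._count()
                matched = any(ip in net for mx in lookup(arg or domain, "MX")
                              for net in self._host_nets(mx, ip))
            elif mech == "include":
                self._count()
                inner = self._evaluate(ip, arg)
                if inner == "none":               # RFC 7208 5.2: include of no record
                    raise ValueError("include of " + arg + " which has no SPF record")
                matched = inner == "pass"         # fail/softfail/neutral simply do not match
            elif mech == "exists":
                self._count()
                matched = bool(lookup(arg, "A"))  # any A answer matches, whatever the IP
            else:                                 # ptr, macros and a/24 forms left out
                raise ValueError("unsupported mechanism " + mech)
            if matched:
                return QUALIFIERS[qual]
        if redirect:                              # reached only if no mechanism matched
            self._count()
            result = self._evaluate(ip, redirect)
            if result == "none":
                raise ValueError("redirect to " + redirect + " which has no SPF record")
            return result
        return "neutral"                          # record with neither 'all' nor redirect


if __name__ == "__main__":
    for ip, domain in [("198.51.100.7", "example.com"), ("192.0.2.99", "example.com"),
                       ("192.0.2.2", "open.example.net"), ("192.0.2.2", "loop.example.net")]:
        c = SpfCheck()
        print("%-14s %-20s %-9s lookups=%d" % (ip, domain, c.check(ip, domain), c.lookups))
```

Two behaviours are worth noting when you run it: the include of authsmtp.com only contributes a match when the included record passes, so its '-all' does not turn example.com's '~all' into a hard fail, and loop.example.net produces 'permerror' because the shared lookup counter exceeds 10 rather than recursing forever. A production checker would additionally evaluate the HELO identity and feed the result into DMARC alignment.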

Advanced

There are additional, more advanced features and specific rules not covered by this article but you can find all of this information in the official documentation of the SPF standard - RFC 7208.