Sender Policy Framework (SPF) records are TXT records published on your domain's DNS server that allow email recipients to validate whether the sender is authorized to send email on behalf of the domain.
Maintaining SPF records can be tedious, so it's important to keep a few things in mind. In this guide, I'll explain the basic construction of SPF records and offer some SPF record management best practice tips.
What are SPF records used for?
SPF records are DNS records used for two purposes: to validate domain ownership and prevent email spoofing. They are published on public DNS services to specify the internal and external services that are authorized to send email on behalf of a domain.
SPF records are a great way to ensure that different services sending email from your domain are authorized to do so. SPF records allow administrators to specify which IP addresses and hostnames are authorized to send email on behalf of their domain.
When you receive email through an email service like Gmail, Yahoo, Mimecast, or Barracuda, SPF records published on the sending domain are evaluated to determine whether the sender is authorized to send email from the domain.
If an email arrives from a server hosted on the IP address 198.51.100.5 using the email address sender@example.com, the recipient server would evaluate the SPF record for example.com to determine whether 198.51.100.5 is an authorized sender for the example.com domain. Suppose the SPF record for example.com is the one below:

v=spf1 mx ip4:192.0.2.0/24 -all

The sender's IP address in this example, 198.51.100.5, is not covered by example.com's SPF record, so the SPF evaluation would result in a fail.
What are the rules for SPF records?
SPF records are published on a domain's public DNS service as TXT records. This allows recipient mail servers to look up the SPF record for the domain they receive messages from and evaluate the validity of the sender. When constructing SPF records, there are a few rules to be aware of, as defined in RFC 7208 - Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1.
SPF Versions
All SPF records begin with a specification of the SPF version being used. The current adopted version of SPF is version 1.
v=spf1
SPF evaluation and qualifiers
There are four qualifiers that can be used in an SPF record to specify how each entry in the record should be evaluated. Evaluating the SPF record results in a pass, fail, softfail, or neutral result if a match is found alongside the qualifiers +, -, ~, or ?, respectively.
| Qualifier | Result if a match is found | Definition of result |
|---|---|---|
| + | pass | The sender is authorized to send from this domain |
| - | fail | The sender is not authorized to send from this domain |
| ~ | softfail | The sender is probably not authorized to send from this domain |
| ? | neutral | The sender might be authorized to send from this domain (no assertion is being made) |
In addition to these SPF evaluation results, the following results can occur.

| Result | Definition of result |
|---|---|
| none | A valid domain could not be extracted from the message, or there was no SPF record published for this domain |
| temperror | An error occurred (usually DNS) while validating. A later check may succeed |
| permerror | The SPF record for this domain could not be evaluated |
SPF mechanisms
Each entry in an SPF record uses an SPF mechanism to specify hosts that are either permitted or not permitted to send email on behalf of a domain. The SPF mechanisms are described below.

| Mechanism | Description | Example |
|---|---|---|
| a | Evaluation matches if the sender's IP address is one of the address (A) records of the domain | a:example.com |
| all | When used as the rightmost mechanism, evaluation matches when no other mechanism matches. Use with the - qualifier to default to a fail result | -all |
| exists | Used to construct a dynamic domain name expression to match on arbitrary domain names | exists:%{i}.spf.example.com |
| include | Evaluation matches if a recursive check of the specified domain's SPF record returns a match | include:spf.example.com |
| ip4 | Evaluation matches if the sender's address is contained within the specified IPv4 network | ip4:198.51.100.0/24 |
| ip6 | Evaluation matches if the sender's address is contained within the specified IPv6 network | ip6:2001:DB8::/32 |
| mx | Evaluation matches if the sender's IP address is one of the addresses of the domain's Mail Exchanger (MX) records | mx |
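To show how the qualifiers and mechanisms above combine into a result, here is a small SPF evaluator written for this article (it is not NetworkCalc's code). It replaces live DNS with a constructed in-memory table so it runs offline, and it handles the a, mx, ip4, ip6, include and all mechanisms; exists, macros and the dual-CIDR suffix are left out. The records, hosts and addresses in the table are hypothetical.

```python
import ipaddress

# Offline stand-in for DNS; all data below is constructed for this example
# (hypothetical hosts and records), not taken from real DNS.
DNS = {
    "example.com": {"TXT": ["v=spf1 mx ip4:192.0.2.0/24 -all"],
                    "MX": ["mail.example.com"], "A": ["192.0.2.10"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
    "shop.example.com": {"TXT": ["v=spf1 ip6:2001:db8::/32 include:example.com ~all"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def evaluate(domain, sender_ip):
    """Return the SPF result for mail from sender_ip claiming to be from domain:
    pass, fail, softfail, neutral, none, or permerror."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one v=spf1 record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"  # a term written without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # ip_network gives a /32 or /128 when no prefix length is written;
            # an address of the other IP version is never "in" the network
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            matched = evaluate(arg, sender_ip) == "pass"  # only a pass counts as a match
        else:
            return "permerror"  # mechanism not handled by this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term was present
```

Running evaluate("example.com", "198.51.100.5") reproduces the fail from the earlier walkthrough, while the same address checked against shop.example.com ends at ~all and gives softfail.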
Best practices for maintaining SPF records
Watch out for SPF record limits
To ensure email deliverability, it is important that your SPF records be correctly constructed and error-free. The two most common errors administrators encounter with SPF records are exceeding the 255-character limit and exceeding the 10 DNS lookup limit.
SPF records are published as TXT records, but a single SPF record string must not exceed 255 characters per RFC 7208, Section 3.3. Keep your SPF records short and prefer including unchanging IP address blocks over long domain names.
There is a 10 DNS lookup limit on SPF records, and it applies recursively to DNS records included by reference. If your SPF record contains an include:spf.example.com mechanism, that requires at least one DNS lookup. If the record published at spf.example.com includes another record, for example spf2.example.com, then a recursive DNS lookup occurs. These can quickly add up and cause you to exceed 10 lookups in your SPF record without your own record changing.
To get around these limitations, keep your SPF records short and prefer including unchanging IP address blocks over long domain names. Check your SPF record regularly to identify any changes in recursive DNS lookups that would cause you to exceed the 10 lookup limit. Most importantly, always validate your SPF record before publishing it to avoid running into issues with your email.
How to validate SPF record changes before publishing them
When validating your SPF record, it is important to consider the following:
- Does my SPF record follow all of the syntax rules for SPF records?
- Are all the mechanisms used in my SPF record correctly structured?
- Does my SPF record correctly authorize or fail to authorize certain email services?
- Is my record compliant with the 255-character length limit and the 10 DNS lookup limit?
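The length and lookup checks from the list above, and the recursive counting described under "Watch out for SPF record limits", can be scripted. The checker below is an added example written for this article, not NetworkCalc's tool; it reads SPF records from a constructed in-memory table instead of DNS, counts every term that costs a query (a, mx, include, exists, redirect) while following include and redirect chains, flags records over 255 characters, and detects include loops. All domains and records in the table are hypothetical.

```python
# Offline stand-in for DNS TXT lookups; every record below is constructed for
# this example (hypothetical domains), not taken from real DNS.
TXT = {
    "example.com": "v=spf1 mx include:spf.example.com include:_spf.mailer.example -all",
    "spf.example.com": "v=spf1 ip4:192.0.2.0/24 include:spf2.example.com ~all",
    "spf2.example.com": "v=spf1 a:relay.example.com -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/24 a mx -all",
    "bloated.example": "v=spf1 include:example.com include:spf.example.com a mx "
                       "mx:backup.example exists:%{i}.spf.example.com -all",
    "loop.example": "v=spf1 include:loop.example -all",
    "long.example": "v=spf1 " + " ".join(f"ip4:203.0.113.{i}" for i in range(20)) + " -all",
}

MAX_LOOKUPS = 10      # RFC 7208 section 4.6.4
MAX_STRING_LEN = 255  # single TXT character-string limit
LOOKUP_TERMS = {"a", "mx", "include", "exists", "redirect"}  # ip4/ip6/all cost nothing


def count_lookups(domain, path=()):
    """Count DNS-querying terms in the SPF record of `domain`, following
    include/redirect recursively. Returns (lookups, problems)."""
    if domain in path:  # an include chain that comes back to itself
        return 0, ["include loop: " + " -> ".join(path + (domain,))]
    record = TXT.get(domain)
    if record is None:
        return 0, [f"{domain}: no SPF record published"]
    problems = []
    if len(record) > MAX_STRING_LEN:
        problems.append(f"{domain}: record is {len(record)} characters (> {MAX_STRING_LEN})")
    lookups = 0
    for term in record.split()[1:]:
        # Drop the qualifier, then split "name:arg" or "name=arg" (redirect modifier).
        name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        if name.lower() not in LOOKUP_TERMS:
            continue
        lookups += 1  # the term itself costs one query
        if name.lower() in ("include", "redirect"):
            sub, sub_problems = count_lookups(arg, path + (domain,))
            lookups += sub
            problems.extend(sub_problems)
    return lookups, problems


def check(domain):
    """Run the limit checks for `domain`; an empty problem list means it is clean."""
    lookups, problems = count_lookups(domain)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{domain}: {lookups} DNS lookups (> {MAX_LOOKUPS})")
    return lookups, problems
```

check("example.com") counts 7 lookups (mx, two includes, and the a, mx and nested include they pull in) and reports nothing, whereas bloated.example inherits those chains and reaches 15, so it is flagged even though its own text looks short.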
NetworkCalc's SPF Lookup Tool can help validate your SPF records on a schedule or before you publish any changes. Try the tool below:
Use the SPF Lookup Tool to find SPF records published on your domain and check their validity against SPF record limits:
Before saving changes to your SPF record, it is a good idea to validate your new record. DNS records can take hours to propagate across the Internet, so it is good to catch issues before publishing them. Use the SPF Syntax Validator to check the validity of your SPF record updates before publishing them:
Summary
If you are sending emails from your domain using different services, SPF records provide a way to authenticate those services and let email clients know who is authorized to send email from your domain. Setting up SPF records can be tricky, though: there are limits on how long they can be (255 characters) and how many DNS lookups they can contain (10 recursive DNS lookups).
That's where NetworkCalc Pro comes in: we'll alert you when your SPF record is too long or contains too many recursive DNS lookups, so you can fix the problem before your emails start getting blocked. We'll also send you scheduled daily, weekly, or monthly reports on the health of your domain so you can identify issues early and correct them. The reports also serve as a backup of your DNS records, giving you a history of your records before any changes were made.