Home
The Mailjet Blog
Deliverability
Sender Policy Framework (SPF): A complete guide to creating your record
Deliverability
How to handle SPF and the 4 steps to create an SPF record
Did you know that hackers can easily use your domain to spam people? In this post, we’ll show you how to secure your domain using a Sender Policy Framework (SPF).
PUBLISHED ON
Do you find dealing with emails going to spam exhausting? We get it - there are just too many things to keep under control: email content, sender reputation, deliverability best practices... And it all becomes even more stressful when you hear about Gmail and Yahoo's new requirements for bulk senders starting 2024.
Email authentication plays a big role in email deliverability, and both SPF and DKIM will be a non-negotiables for senders trying to reach Gmail and Yahoo users in 2024.
This article explains how Sender Policy Framework (SPF) works with email, why you should use it, and what happens when you do. But before we get into that, we should tell you about SPF records and how they can make all the difference in your ISP standing and as an online email marketer.
Table of content
Elements of an SPF record
Other SPF modifiers
1. Log in
2. Create a TXT record
3. Establish rules
4. Have patience
What is SPF?
SPF is the authentication rule that takes an email sender’s IP address and makes sure it’s on the list of IP addresses allowed to send mail within a specific domain. In other words, SPF makes sure that the emails you receive through your email service provider (ISP) like Microsoft Outlook or Gmail are coming from a legitimate IP address.
In combination with other email authentication protocols like DKIM and DMARC records, SPF optimizes email deliverability by helping to protect your email sending from spoofing attempts (sending from a forged sender address). The adoption of SPF is constantly growing thanks to the support of adopters who want to protect each other from fake or dangerous emails.
But how does this security measure help keep the receiving mail server and your domain safe?
URGENT: Google and Yahoo recently announced that as of February 2024, DKIM and SPF authentication will be mandatory for bulk email senders. These senders will also need to have DMARC set up at p=none policy. For more information about how to implement DKIM and DMARC and comply with the upcoming mandates, check out our articles How to create, configure, and set up DKIM in 3 easy steps and What is DMARC and how it works.
What is an SPF record?
SPF records keep track of all the authorized sources that can send email messages from your domain name. SPF works because domain administrators specify which hosts are allowed to send emails from that domain by creating an SPF record.
If SPF records didn’t exist, bad actors who spoof your domain name by sending phishing emails “from you” could arrive in your subscriber’s inboxes and cause damage to your business and reputation. Essentially, SPF records are like a spam filter that keeps dangerous emails out of your subscriber’s inbox.
But in the end, an SPF entry does not prevent a fraudster or spoofer from sending emails on your domain's behalf. However, it will make it very difficult for that fraud traffic from ever reaching recipients.
How do SPF records work
Sender Policy Frameworks communicate with the receiving email server and question the Simple Mail Transfer Protocol (SMTP) to verify the Return-Path value in each email’s header. When an SPF record is in place, it can scan emails to find an SPF TXT record in the sender’s Domain Name System (DNS). This verifies what IP address the email came from. Then, the SPF record can compare its list of approved senders against a new email’s IP on behalf of your domain. If that IP isn’t on the SPF record, the check fails, and the email gets flagged as non-authenticated.
However, every inbox provider works differently. And while some receiving servers will bounce a non-authenticated email, others may act differently.
With non-authenticated emails, some ISPs will:
Move it to the spam folder.
Move it to a "quarantine zone" to be reviewed by a postmaster.
Append a "SPAM" word to the email subject line for the reader to review.
Not do anything, even if the SPF check fails.
We know that’s a ton of jargon to digest, and we hope you don’t feel too lost. But if you've taken a beat, and think you've got the hang of how SPF alters email delivery, let's get into how to visually confirm that a DNS has an SPF record in place.
What does an SPF record look like?
First, let’s quickly discuss the internet's phone book known as the Domain Name System (DNS), which organizes and recognizes domains. When someone types a domain name or URL into the search bar of their web browser, the DNS scans the IP address where that domain name or URL is located.
An SPF record is the extra layer that adds email security. It verifies the IP address sent from your domain and makes sure that the sender is protected from email spoofing and spammers.
In their finest details, SPF records are lines of text written with specific characters that denote detailed information, enabling them to do their job. These text modules can be sub-categorized into two groups, known as mechanisms and qualifiers.
Mechanisms describe which hosts have been indicated as approved email senders for a given domain.
Qualifiers indicate which action should be performed.
When an email triggers an SPF record mechanism, the network operator has been sure to include one of four qualifiers to indicate what action should be taken. Reading the text in an SPF, you can recognize the qualifier as the prefix to the mechanism. The following table introduces the four types of qualifiers and explains how they work:
Symbol | Qualifier | Result | Action |
---|---|---|---|
Symbol | |||
+ | Pass | Mail can be delivered | Accept |
Qualifier | |||
- | Fail | Mail is not deliverable | Reject |
Result | |||
~ | Softfail | The SPF doesn’t strongly deny the host, but it can’t pass either | Accept but tag as SPF softfail |
Action | |||
? | Neutral | The mail can either be delivered or denied - the recipient server decides what to do with it | Accept |
Elements of an SPF record
We hope you’re warmed up because we’ll jump into an example of the TXT of an SPF record you might find on a DNS:
Before you try and read that phonetically (vespfip?), let’s get into how to categorize that line of text into digestible pieces:
v=spf1:
v=spf1
is the standard way that most SPF record lines of TXT begin. An SPF record starts with v=
, telling the readers and the DNS which version of the SPF is being used. When first implementing an SPF, the network’s authority should always use spf1
, the most frequently used SPF between email interactions.
a
The letter a
precedes an IP address that the receiving server is trying to match with received emails. When the receiving server finds a
or aaaa
in front of the sender’s domain, it flags the email as a match.
ip4
This tells the DNS that the following IP address is authorized to send emails.
12.34.56.78/28
This is the server allowed to send emails. Note the suffix /28
, which tells the DNS of the network segments that are also authorized to send emails to the recipient.
A company might use a suffix like this one to shorten the length of the text used for their SPF. If you’re thinking that doesn’t look short at all, consider how overwhelming the TXT record would be if it included every IP segment for a mega-corporation? Trust us, a suffix like this is the lesser evil.
include
Pun intended: By including this element, your SPF record will allow another server to send emails to another internet domain. An example of this would be an email marketing server.
~
Tilde is the name for that squiggly line in front of the word “all.” And for those of you keeping track at home, the tilde was on that chart above when we explained how SPF qualifiers work.
Since we know that ~
means softfail, all IP addresses not flagged by the SPF can be sent or received.
This SPF record would allow emails sent from 12.34.56.78/28
and marketingserver.com
to pass through and block or softfail any email coming from anywhere else.
Other SPF modifiers
MX
A Mail Exchange, or MX, tells the DNS to which recipients’ emails should be sent. With MX records, the DNS can operate according to the standard Simple Mail Transfer Protocol (SMTP).
By adding MX to your SPF record, you can update your DNS without having to completely rewrite your SPF record.
Here is an example using a piece of the SPF record from above:
v=spf1 a ip4:12.34.56.78/28 MX:example.com ~all
Exists
“Exists” double-checks to see if a record of a specified domain exists. If it does, then it passes the SPF record. This is yet another element that confirms whether a sender’s email is being sent from an IP address that your domain recognizes.
For example:
v=spf1 MX -exists:reallygoodart ~all
How to check if you have an SPF email record
You’ve probably gotten the hang of SPF records and how they work. But before we send you to ask your IT department to create this domain protection TXT, we’ll tell you how to do an SPF check to see whether or not you have one in place.
This step is easy because all you need is to log into the DNS records server your or your company’s email uses and look for a TXT record. Or even simpler: use a quick DNS checker tool to look up your domain if you don't have review/edit access to your domain DNS. It should start how most SPF record lines of TXT begin, which you’ll remember is v=spf1
.
If you don’t have an SPF record set up, follow the steps below, and your sending activity will be that much safer.
Four steps to create an SPF record
Setting up an SPF record can be simple once you have the correct elements, but you’ll need to collect a few things first. We’re talking about the hosting provider or IP address that acts as your mail server and a list of the other authorized servers. You’ll also need the login information for your DNS.
1. Log in
Open your internet browser and log into your DNS server.
2. Create a TXT record
Use the elements we listed above and draft a TXT record.
3. Establish rules
An SPF record is there to generate results. So outline what protocols you want to establish and type out the corresponding syntax. This way, your DNS will know which qualifiers to look for and what to do when the SPF finds emails from authorized or unauthorized IP addresses.
4. Have patience
Once you’re ready to hit save, remember that it takes some time for your new SPF record to start doing its thing, sometimes up to 48 hours.
Wrapping up
Hopefully, you feel comfortable with SPF records and understand why you should use them. However, we want to mention that despite being an effective email security technique, SPF records shouldn’t be your only safety net. After all, they have limitations, such as not automatically including subdomains or having a restricted character count you can use in their TXT.
Once you confirm that you have an SPF record or log in and write the TXT yourself, you should consider setting up DKIM and DMARC records. Now get out there and keep those fraudsters at bay. And if you have questions about this or the rest of your email marketing needs, Mailjet would love to help you out.
Email deliverability services: Getting you to the inbox
Landing in the inbox is a challenge: 21% of legitimate emails are either lost or marked as spam. Improving deliverability is a crucial factor in successful email campaigns. Our Deliverability Experts are here to help you reach the inbox and get the most out of our worldwide relationships with mailbox providers.