An SPF record (Sender Policy Framework record) is the core of an SPF implementation: it is where the SPF policy is defined. An SPF record is published in the DNS (Domain Name System) and contains a list of authorized email servers that can send email on behalf of your domain name. If an email sender isn’t listed in the record and does send email on behalf of your domain, this email may be considered not legitimate and can be rejected by the email receiver.
Having a properly set up SPF record will improve email deliverability and will help to protect your domain against malicious emails sent on behalf of your domain. Though, in practice these goals are achieved more effectively if you use an SPF record together with DMARC. DMARC and DMARC Analyzer use both SPF and DKIM. Together they provide synergy and the best result for email security and deliverability.
An SPF record consists of several parts. It should always start with a version number, followed by one or more mechanisms which define the valid senders.
v=spf1
This part defines the record as SPF. An SPF record has to start with this section. There used to be a second version of SPF (SenderID) which was created by Microsoft, but this was discontinued.
Mechanisms
An SPF record can contain multiple mechanisms.
a
a:somedomain.com
a/prefix
a:somedomain.com/prefix
Define the DNS A record of the current (or specified) domain as a valid sending source.
mx
mx:somedomain.com
mx/prefix
mx:somedomain.com/prefix
Define the DNS MX record of the current (or specified) domain as a valid sending source.
ptr
ptr:domain
Define the reverse hostname of the sending IP address as a valid sending source. (Not recommended)
ip4:ip4-address
ip4:ip4-address/prefix
Define this IPv4 address (or address range) as valid sending sources.
ip6:ip6-address
ip6:ip6-address/prefix
Define this IPv6 address (or address range) as valid sending sources.
include:domain.com
Include the SPF record for this domain as valid sending sources.
exists:domain
Check existence of an A record for a provided domain. You can use macros in this context to be able to do a ‘dynamic’ lookup of such a record.
all
You can define a policy for ‘all other sources’ using the ‘all’ mechanism. You should place this at the end of your SPF record providing a ‘default’ for other sources. Use a qualifier to define the policy you want to apply.
redirect=domain.com
When required, you can redirect the SPF record to another domain. There can only be one redirect modifier in each SPF record. This cannot be combined with an ‘all’ mechanism, as the redirect will only be followed if none of the mechanisms match.
Maximum number of lookups
When using SPF you need to take note of a limitation in this technique. The number of DNS lookups which are allowed to take place is limited to 10.
A DNS lookup is done when you query for one of these mechanisms:
Please note that the ‘nested lookups’ will also count. If an ‘included’ domain does an A and MX lookup, these will both count as lookups for your domain as well.
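The following added example (not part of the original page) counts the lookups a record costs, nested ones included, and compares the total with the limit of 10. It assumes the lookup-causing terms from RFC 7208 (a, mx, ptr, exists, include and redirect); the zone data and every domain name in it are constructed for illustration, and the function names are hypothetical.

```python
# Added example. ZONE is constructed sample data standing in for DNS TXT
# answers; every domain name in it is hypothetical.
LOOKUP_LIMIT = 10
# Terms that make the receiver issue a DNS query (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}

ZONE = {
    "example.test": "v=spf1 a mx a:legacy.example.test ip4:192.0.2.0/24 "
                    "include:_spf.mailer.test include:_spf.crm.test -all",
    "_spf.mailer.test": "v=spf1 a mx include:_spf.pool.mailer.test ~all",
    "_spf.pool.mailer.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "_spf.crm.test": "v=spf1 exists:%{i}._check.crm.test redirect=_spf.fallback.test",
    "_spf.fallback.test": "v=spf1 mx -all",
}


def parse_term(term):
    """Split one SPF term into (name, target domain or None)."""
    if "=" in term.split(":", 1)[0]:          # modifier such as redirect=domain
        name, target = term.split("=", 1)
        return name.lower(), target
    name, _, rest = term.lstrip("+-~?").partition(":")
    return name.split("/", 1)[0].lower(), rest.split("/", 1)[0] or None


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain's SPF record (worst case:
    no earlier mechanism matches, so every include and redirect is followed)."""
    if domain in path:
        raise ValueError(f"include/redirect loop at {domain}")
    record = zone.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        name, target = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):   # nested lookups count as well
            total += count_lookups(target, zone, path + (domain,))
    return total


def over_limit(domain, zone):
    return count_lookups(domain, zone) > LOOKUP_LIMIT


if __name__ == "__main__":
    for name in ("_spf.mailer.test", "example.test"):
        print(name, count_lookups(name, ZONE), "over limit:", over_limit(name, ZONE))
```

In the sample data the top-level record lists only five lookup terms itself, but the two included records add three each, which takes the total past the limit.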