What is SPF?
Sender Policy Framework (SPF) lets a domain owner publish, in DNS, which hosts are allowed to send email on behalf of that domain, as one measure against spam and phishing. An SPF record should list every mail server or IP address you permit to send for your domain and state how receivers should treat mail from any source that is not listed. Receivers check SPF against the envelope sender (the Return-Path / MAIL FROM domain) and the HELO name, not the From: header a user sees, so SPF on its own does not stop a forged display address.
What does SPF actually do?
An SPF record answers the following 2 questions:
- Who can send email from my domain?
  You need to list every source an email can legitimately originate from: your website, your mail server, your email marketing service, your ISP's relay and so on. If a source is not on the list, assume mail from it will be rejected or marked as spam.
- What happens to emails from sources which aren't listed above?
  One of 3 things can happen, depending on the qualifier you put on the final all term:
  - Allow emails from all servers.
  - Flag the email as a soft fail if its source is not in the approved list.
  - Reject the email if its source is not in the approved list.
Creating an SPF Record
An SPF record is split into multiple parts:
v=spf1
: Sets the SPF version that is being used. It must be the first term, and a domain must publish exactly one SPF record; two records starting with v=spf1 cause a permanent error and most receivers then treat the domain as having no SPF at all.
include:
: Pulls in the SPF record published by another domain, typically your mail or marketing provider (for example include:spf.aoitcloud.com), so that provider's sending servers are authorised without you having to track their IP addresses yourself.
ip4: / ip6:
: Authorises a single IP address or CIDR range directly, for example ip4:111.111.111.111 or ip4:203.0.113.0/24.
a / mx
: Authorise the hosts named in your domain's A and MX records.
-all
: Indicates that any server not matched by the terms before it is not permitted to send emails for this domain; receivers will normally reject the message or mark it as spam.
Here is an example of an SPF record: v=spf1 include:spf.aoitcloud.com mx a -all
In the example above we have added a and mx to the record, which authorises the servers matching our A and MX records. These should be your website and your default mail server.
You can add more than one provider or IP address to the SPF record to allow them to send emails for your domain. Providers are added with further include: terms and individual addresses with ip4: or ip6:. An IP address inside include: is not valid, because include: expects a domain name that itself publishes an SPF record. With a second provider or a fixed address our record would look like:
v=spf1 include:spf.aoitcloud.com ip4:111.111.111.111 mx a -all
Each include:, a and mx term costs the receiver a DNS lookup, and SPF allows at most 10 such lookups per check (including lookups made inside included records), so keep the list short and prefer ip4:/ip6: for hosts you control.
Understanding the All setting
The all term is an important marker in the SPF record: it is the catch-all that instructs the receiving mail server how to handle a message whose source matched none of the terms before it. Its qualifier is normally expressed in one of 3 ways:
-all
: Hard fail. Any server not listed is not authorised to send emails, and receivers should reject or junk the message.
~all
: Soft fail. If an email is received from a server which isn't listed, it is marked as a soft fail and the recipient's mail server processes it according to its own policy, usually accepting it but treating it as suspicious. This is the sensible choice while you are still discovering all of your legitimate senders; move to -all once the list is complete.
+all
: Pass. This allows any server on the internet to send emails from your domain, which defeats the purpose of publishing SPF.
NOTE: The last option should never be used in any instance. A fourth qualifier, ?all, yields a neutral result, which tells receivers nothing and is equivalent to having no policy.
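To make the record rules above concrete, here is an added example (not code from the original article): a small Python linter and evaluator for SPF records. Real SPF evaluation queries DNS; this version takes DNS answers from a hand-built table, so the records, hostnames and addresses in it are constructed, and the record it attributes to spf.aoitcloud.com is made up for the example rather than the provider's real one. lint_spf flags the mistakes discussed in the two sections above (an IP address inside include:, +all, a missing all term, more than 10 lookup terms), and evaluate_spf shows how a receiver walks the mechanisms left to right and stops at the first match, so that -all, ~all and +all only ever apply to senders nothing else matched.

```python
"""Offline SPF linter and evaluator (added example; DNS comes from a hand-built table)."""
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than this is a permanent error
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_-]*)(?:([:=/])(.*))?$", re.I)


def parse_spf(record):
    """Split a record into (qualifier, name, value); modifiers get qualifier None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must begin with v=spf1")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"malformed term: {term}")
        qual, name, sep, value = m.groups()
        if sep == "=":  # modifier such as redirect= or exp=
            parsed.append((None, name.lower(), value))
        else:  # keep a bare CIDR (a/24) distinguishable from a host (a:host)
            value = "/" + value if sep == "/" else (value or "")
            parsed.append((qual or "+", name.lower(), value))
    return parsed


def lint_spf(record):
    """Return the problems a practitioner should fix before publishing the record."""
    try:
        terms = parse_spf(record)
    except ValueError as exc:
        return [str(exc)]
    problems, lookups, has_all = [], 0, False
    for qual, name, value in terms:
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "include":
            try:  # common mistake: an IP address where a domain name belongs
                ipaddress.ip_network(value, strict=False)
                problems.append(f"include:{value} is an IP; use ip4:/ip6: instead")
            except ValueError:
                pass
        elif name == "all":
            has_all = True
            if qual == "+":
                problems.append("+all lets any host on the internet send as your domain")
    if not has_all:
        problems.append("no all term; senders not listed evaluate to neutral")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}: permerror")
    return problems


def evaluate_spf(record, sender_ip, domain, dns, depth=0):
    """Return pass/fail/softfail/neutral/permerror for sender_ip against record.
    dns maps ("a"|"mx", host) to IP lists and ("txt", host) to that host's SPF record."""
    if depth > MAX_LOOKUPS:  # include chain too deep, e.g. a domain that includes itself
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)

    def host_match(mech, value):
        target, _, cidr = value.partition("/")  # value is "", "host", "/24" or "host/24"
        for addr in dns.get((mech, target or domain), []):
            if ip in ipaddress.ip_network(f"{addr}/{cidr}" if cidr else addr, strict=False):
                return True
        return False

    for qual, name, value in parse_spf(record):  # first matching mechanism decides
        verdict = QUALIFIERS.get(qual)
        if name == "all":
            return verdict
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return verdict
        if name in ("a", "mx") and host_match(name, value):
            return verdict
        if name == "include":  # matches only when the included record itself passes
            sub = dns.get(("txt", value))
            result = evaluate_spf(sub, sender_ip, value, dns, depth + 1) if sub else "permerror"
            if result == "permerror":
                return result
            if result == "pass":
                return verdict
    return "neutral"  # nothing matched and there was no all term


# Constructed sample zone; the record shown for spf.aoitcloud.com is made up for the example.
SAMPLE_DNS = {
    ("txt", "spf.aoitcloud.com"): "v=spf1 ip4:203.0.113.0/24 -all",
    ("mx", "example.com"): ["198.51.100.10"],
    ("a", "example.com"): ["198.51.100.20"],
}
GOOD_RECORD = "v=spf1 include:spf.aoitcloud.com mx a -all"
BAD_RECORD = "v=spf1 include:spf.aoitcloud.com include:111.111.111.111 mx a +all"

if __name__ == "__main__":
    print(lint_spf(BAD_RECORD), evaluate_spf(GOOD_RECORD, "203.0.113.7", "example.com", SAMPLE_DNS))
```

Feed lint_spf the exact string you are about to paste into your DNS provider, or the value a resolver returns for your domain's TXT record. Two behaviours are worth noticing: an include: of a domain with no SPF record, or a chain of includes that never ends (a domain that includes itself), comes back as permerror rather than fail, which is how receivers treat such records in practice; and a sender matched by nothing at all gets the qualifier of the all term, so the choice between -all and ~all is the only thing that decides what happens to unlisted sources.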
Adding an SPF record to your DNS
To add your newly created SPF record you will need to log in to your DNS provider. This will probably be your web hosting provider, unless you have moved DNS to an external service such as Microsoft 365 or Cloudflare.
Create a TXT Record
Name: @ or your domain without www.
Type: TXT
TTL: 3600
Value: v=spf1 include:spf.aoitcloud.com mx a -all
Replace spf.aoitcloud.com with the SPF domain your own mail provider gives you. Do not put your own domain in include:, because the record would then include itself and fail with a permanent error. If a TXT record beginning with v=spf1 already exists, edit it rather than adding a second one. Once the change has propagated, look up the TXT records for your domain and check that exactly one v=spf1 record comes back and that its value is the one you entered.