Understanding DNS SPF Record with Examples
Updated: Sep 25
An SPF (Sender Policy Framework) record is a type of TXT record in our DNS zone file. SPF records help identify which mail servers are permitted to send email on behalf of our domain. Adding an SPF record can help detect and prevent spammers from sending email messages with forged From addresses on our domain.
Purpose of SPF record
SPF is an industry-standard email authentication method. It’s an effective way to help protect our domain from spoofing, and to help prevent our messages from being marked as spam. So we should always set up SPF for our organization.
SPF is an email authentication technique used against email spoofing. An SPF record specifies which mail servers are permitted to send email on behalf of our domain.
When an incoming mail server receives a message claiming to be from our domain, it compares the connecting (outgoing) mail server's address against the mechanisms in our SPF record. If the address does not match, the receiving server treats the message as unauthorized and will generally filter it as spam or reject it.
The SPF protocol is used as one of the standard methods to fight against spam and is also used in the DMARC specification.
Example of SPF record
Each example record below is followed by the senders it authorizes for our domain.

v=spf1 include:_spf.google.com ~all
  Authorizes: Google Workspace

v=spf1 ip4:192.168.0.0/16 include:_spf.google.com ~all
  Authorizes: any server with an IP address between 192.168.0.0 and 192.168.255.255, and Google Workspace

v=spf1 ip4:192.168.0.0/16 include:_spf.google.com include:sendourmail.com ~all
  Authorizes: servers between 192.168.0.0 and 192.168.255.255, Google Workspace, and the third-party service Sendourmail
How to create our SPF record?
A domain can have only one SPF record. However, that single record can list multiple servers and third parties that are allowed to send mail for the domain. For example:
v=spf1 ip4:188.8.131.52 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e
1. Start with the SPF version. An SPF record must always begin with v=spf1 (version 1); this tag identifies the TXT record as an SPF record. There used to be a second version of SPF (called SenderID), but it was discontinued.
2. Follow with all IP addresses that are authorized to send email on our behalf, using ip4 and ip6 mechanisms. For example: v=spf1 ip4:184.108.40.206 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e
3. Add an include tag for every third-party organization that sends email on our behalf, e.g. include:thirdpartydomain.com. This tag indicates that the third party is authorized to send email on behalf of our domain. We need to consult the third party to learn which domain to use as the value of the include statement.
4. End the record with an ~all or -all tag. The all tag is an important part of the SPF record: it tells receiving servers what policy to apply when they see a sending server that is not listed in our SPF record. If an unauthorized server does send email on behalf of our domain, the receiver takes action according to the published policy (e.g. rejects the email or marks it as spam).
Difference between SPF -all and ~all
What is the difference between these tags? They tell receiving servers how strictly to treat mail from servers that are not listed in the record. The ~all tag indicates a soft fail and -all indicates a hard fail. The all tag has the following basic markers:
-all Fail: servers that aren't listed in the SPF record are not authorized to send email (non-compliant emails will be rejected).
~all Softfail: if the email is received from a server that isn't listed, the email is marked as a soft fail (emails will be accepted but marked).
+all Pass: we strongly recommend not using this option, because it allows any server to send email from our domain.
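To make the record-building steps and the -all / ~all difference concrete, here is a small SPF evaluator. It is an added example written for this article, not code from the article's author or from any SPF library. It supports only the mechanisms the article uses (ip4, ip6, include, all) plus the four qualifiers, and it resolves include: targets through a constructed in-memory zone table with hypothetical domain names so that it runs offline; a real checker would query the TXT records over DNS instead.

```python
"""Minimal SPF check_host() for the mechanisms ip4, ip6, include and all.

Added example, not from the original article. DNS is replaced by the
constructed ZONE table below (hypothetical domains and records).
"""
import ipaddress

# Constructed zone data standing in for DNS TXT lookups.
ZONE = {
    "example.com": "v=spf1 ip4:192.168.0.0/16 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip6:2001:db8:1::/48 ip4:203.0.113.10 ~all",
    "softfail.example": "v=spf1 include:_spf.mailhost.example ~all",
}

# Qualifier prefix -> result when the mechanism matches (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, zone=ZONE):
    """Return the SPF record published for `domain`, or None if there is none."""
    rec = zone.get(domain.lower())
    if rec and rec.lower().startswith("v=spf1"):
        return rec
    return None


def check_host(ip, domain, zone=ZONE, depth=0):
    """Evaluate the sending address `ip` against the SPF policy of `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # guard against include loops; RFC 7208 caps lookups at 10
        return "permerror"
    record = lookup_spf(domain, zone)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the leading 'v=spf1'
        qualifier = "+"  # a mechanism without a prefix defaults to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # 'all' always matches, so its qualifier decides unlisted senders.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: is a recursive check; only a 'pass' there matches this term.
            inner = check_host(ip, arg, zone, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"
        else:
            # a, mx, ptr, exists and modifiers are not modelled in this example.
            return "permerror"
    return "neutral"  # record ended without an 'all' term: RFC 7208 default


if __name__ == "__main__":
    for ip, domain in [("192.168.5.5", "example.com"),
                       ("198.51.100.1", "example.com"),
                       ("198.51.100.1", "softfail.example")]:
        print(f"{ip:>16} vs {domain:<24} -> {check_host(ip, domain)}")
```

The last two calls show the difference the article describes: the same unlisted address 198.51.100.1 gets "fail" from example.com (which ends in -all) but only "softfail" from softfail.example (which ends in ~all). Note also that a softfail inside an included record does not propagate; only a pass from an include: counts as a match, so the parent record's own all term still decides.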
Add SPF Record at our domain provider
To set up SPF for our domain, add a DNS text (TXT) record in our domain provider's management console. TXT records are a type of DNS record that carries information for servers and other parties outside our domain.
The field names for a DNS TXT record vary between domain providers.
After adding an SPF record, it can take up to 48 hours for SPF authentication to start working.
Troubleshoot SPF Record issues
Check the number of lookups in our SPF record with the Check MX tool in the Google Admin Toolbox.
Remove duplicate mechanisms, and mechanisms that refer to the same domain.
Be aware of nested lookups, which count toward the limit of 10. If our SPF record includes a domain, and that domain includes other domains in its SPF record, those other domains are counted toward our SPF record limit.
When using the include mechanism, keep in mind that nested lookups might cause our SPF record to exceed 10 lookups.
When using the ip4 and ip6 mechanisms, keep in mind that TXT records have a 255-character limit per string.
Only include domains that are actively sending email for us.
Remove any include mechanisms for third parties that no longer send mail for our domain.
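The lookup limit and the string limit above can be checked before a record is published. The following lint is an added example written for this article (not the Check MX tool and not code from the article's author): it walks include: chains through a constructed in-memory zone table with hypothetical domains, counts every term that costs a DNS query, nested includes included, against the limit of 10, reports duplicate mechanisms, and flags a record string longer than 255 characters.

```python
"""SPF record lint: DNS lookup count, duplicate mechanisms, string length.

Added example, not from the original article. The ZONE table below is
constructed data standing in for DNS; the domains are hypothetical.
"""

# Terms that cost a DNS query when evaluated (RFC 7208 section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10
TXT_STRING_LIMIT = 255

ZONE = {
    # The duplicated include: below is the mistake the article warns about.
    "example.com": ("v=spf1 ip4:192.0.2.0/24 include:_spf.one.example "
                    "include:_spf.two.example include:_spf.one.example ~all"),
    "_spf.one.example": "v=spf1 include:_spf.nested.example a mx ~all",
    "_spf.two.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.nested.example": "v=spf1 ip6:2001:db8::/32 exists:%{i}.chk.example ~all",
    # A record with many ip4 entries that is too long for one TXT string.
    "long.example": "v=spf1 " + " ".join(f"ip4:203.0.113.{i}" for i in range(40)) + " -all",
}


def spf_terms(record):
    """Split a record into (name, argument) pairs with the qualifier stripped."""
    terms = []
    for tok in record.split()[1:]:          # drop the leading 'v=spf1'
        tok = tok.lstrip("+-~?")
        name, _, arg = tok.partition(":")
        if "=" in name:                      # modifier such as redirect= or exp=
            name, _, arg = tok.partition("=")
        terms.append((name.lower(), arg))
    return terms


def count_lookups(domain, zone, chain=()):
    """Count DNS-querying terms reachable from domain's record, following include: and redirect=."""
    domain = domain.lower()
    if domain in chain:
        raise ValueError(f"include loop through {domain}")
    total = 0
    for name, arg in spf_terms(zone.get(domain, "")):
        if name in LOOKUP_MECHANISMS or name == "redirect":
            total += 1                        # the term itself costs one query
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, chain + (domain,))  # plus its nested terms
    return total


def lint_spf(domain, zone=ZONE):
    """Return the checks a practitioner would want before publishing the record."""
    record = zone.get(domain.lower(), "")
    seen, duplicates = set(), []
    for term in spf_terms(record):
        if term in seen and term not in duplicates:
            duplicates.append(term)
        seen.add(term)
    lookups = count_lookups(domain, zone)
    return {
        "lookups": lookups,
        "over_limit": lookups > LOOKUP_LIMIT,
        "duplicates": duplicates,
        "string_too_long": len(record) > TXT_STRING_LIMIT,
    }


if __name__ == "__main__":
    for d in ("example.com", "long.example"):
        print(d, lint_spf(d))
```

For example.com the count comes to 11: each include: costs one query, _spf.one.example adds four more (its own include:, the a and mx terms, and the exists: term inside _spf.nested.example), and because _spf.one.example is included twice its cost is paid twice. Removing the duplicate brings the record back to 6 lookups, which is exactly the fix the troubleshooting list recommends.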
Check SPF record with Dig command
We can use the dig command to determine the SPF record associated with a domain name. The result is contained in the ANSWER section, which lists the fully-qualified domain name (FQDN), the remaining time-to-live (TTL), and the SPF record.
% dig google.com txt
; <<>> DiG 9.10.6 <<>> google.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55615
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 13, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;google.com. IN TXT
;; ANSWER SECTION:
google.com. 0 IN TXT "apple-domain-verification=30afIBcvSuDV2PLX"
google.com. 0 IN TXT "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
google.com. 0 IN TXT "google-site-verification=TV9-DBe4R80X4v0M4U_bd_J9cpOJM0nikft0jAgjmsQ"
google.com. 0 IN TXT "google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o"
google.com. 0 IN TXT "v=spf1 include:_spf.google.com ~all"
google.com. 0 IN TXT "docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"
google.com. 0 IN TXT "MS=E4A68B9AB2BB9670BCE15412F62916164C0B20BB"
google.com. 0 IN TXT "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
google.com. 0 IN TXT "facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
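As the output shows, a domain usually publishes several TXT records and only one of them is the SPF record. The parser below is an added example written for this article (not the article's own code): it reads the ANSWER SECTION of dig output, joins the quoted strings of each TXT record (a record longer than 255 characters is published as several strings that receivers concatenate), and returns the single record that starts with v=spf1, raising an error if more than one is published. The dig output it parses is constructed sample text for a hypothetical example.com, not a real query result.

```python
"""Extract the SPF record from `dig <domain> txt` output.

Added example, not from the original article. SAMPLE_DIG is constructed
text for a hypothetical example.com, not a real query.
"""
import re
import shlex

SAMPLE_DIG = """\
; <<>> DiG 9.10.6 <<>> example.com txt
;; QUESTION SECTION:
;example.com.                   IN      TXT

;; ANSWER SECTION:
example.com.            300     IN      TXT     "google-site-verification=abc123"
example.com.            300     IN      TXT     "v=spf1 ip4:192.0.2.0/24 " "include:_spf.mailhost.example -all"
example.com.            300     IN      TXT     "docusign=00000000-0000-0000-0000-000000000000"

;; Query time: 12 msec
"""

# name, TTL, class IN, type TXT, then the rdata (one or more quoted strings).
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+TXT\s+(.*)$")


def parse_txt_answers(dig_output):
    """Return (name, ttl, text) for each TXT record in the ANSWER SECTION."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if line.startswith(";;"):          # next ';;' header ends the section
            break
        m = ANSWER_RE.match(line)
        if not m:                          # blank line or unrelated record type
            continue
        name, ttl, rdata = m.group(1), int(m.group(2)), m.group(3)
        # shlex handles the quoting and backslash escapes dig uses; the
        # strings of one TXT record are concatenated without a separator.
        text = "".join(shlex.split(rdata))
        records.append((name, ttl, text))
    return records


def find_spf(dig_output):
    """Return the domain's SPF record, None if absent, or raise if more than one is published."""
    spf = [text for _, _, text in parse_txt_answers(dig_output)
           if text.lower().startswith("v=spf1")]
    if len(spf) > 1:
        raise ValueError(f"{len(spf)} SPF records published; a domain may have only one")
    return spf[0] if spf else None


if __name__ == "__main__":
    for name, ttl, text in parse_txt_answers(SAMPLE_DIG):
        print(f"{name} ttl={ttl} {text}")
    print("SPF:", find_spf(SAMPLE_DIG))
```

Joining the quoted strings matters in practice: a long record split as "v=spf1 ip4:... " "include:... -all" is one record to a receiver, and a checker that looks only at the first string would miss the include: and the all term.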