An SPF (Sender Policy Framework) record is a type of TXT record in our DNS zone file. SPF records help identify which mail servers are permitted to send email on behalf of our domain. Adding an SPF record can help detect and prevent spammers from sending email messages with forged From addresses on our domain.
Purpose of SPF record
SPF is an industry-standard email authentication method. It is an effective way to help protect our domain from spoofing and to help keep our messages from being marked as spam, so we should always set up SPF for our organization.
SPF works by letting a domain publish which mail servers are permitted to send email on its behalf. When a receiving mail server gets a message claiming to come from our domain, it looks up our SPF record and compares it with the server that actually delivered the message. If the two do not match, the receiver treats the message as unauthorized and will generally filter it as spam or reject it.
SPF is one of the standard methods used to fight spam, and it is also one of the authentication mechanisms evaluated by the DMARC specification.
Example of SPF record
Here’s an example of an SPF record:
example.com. IN TXT "v=spf1 a mx include:_spf.google.com ~all"
This SPF record is for the domain example.com. It specifies that the domain's email may be sent from the servers listed in the domain's A or MX records.
It also includes the SPF record for _spf.google.com, which allows emails sent from Google’s servers to pass SPF checks.
The ~all term (the all mechanism with the ~ qualifier) indicates a "soft fail" policy: a receiver will not outright reject mail that fails the SPF check, but it may mark such mail as suspicious.
Check SPF record with Dig command
dig (Domain Information Groper) is a command-line utility that is used to query DNS (Domain Name System) servers to obtain information about a domain name or IP address. It is a powerful tool for troubleshooting DNS-related issues and can be used to check the DNS records for a particular domain.
dig <domain> <record type>: This command retrieves the DNS information for the specified domain and record type.
For example, dig google.com MX will retrieve the MX (mail exchange) record for google.com.
By default, dig displays the answer, authority, and additional sections of the DNS response. The output includes various DNS records such as A records, MX records, NS records, and TXT records.
To check the SPF record of a domain using the dig command, follow these steps:
- Open the terminal or command prompt on your computer.
- Type the following command: dig <domain> TXT. Replace <domain> with the domain name you want to check the SPF record for. For example, to check the SPF record for google.com, you would use the command: dig google.com TXT
- Press Enter to execute the command. The output will show the TXT records for the domain.
- Look for a TXT record that starts with “v=spf1”. This is the SPF record for the domain.
For example, the output for the SPF record of google.com would look something like this:
;; ANSWER SECTION:
google.com. 299 IN TXT "v=spf1 include:_spf.google.com ~all"
In this example, the SPF record for google.com is "v=spf1 include:_spf.google.com ~all".
% dig google.com txt
; <<>> DiG 9.10.6 <<>> google.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55615
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 13, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;google.com. IN TXT
;; ANSWER SECTION:
google.com. 0 IN TXT "apple-domain-verification=30afIBcvSuDV2PLX"
google.com. 0 IN TXT "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
google.com. 0 IN TXT "google-site-verification=TV9-DBe4R80X4v0M4U_bd_J9cpOJM0nikft0jAgjmsQ"
google.com. 0 IN TXT "google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o"
google.com. 0 IN TXT "v=spf1 include:_spf.google.com ~all"
google.com. 0 IN TXT "docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"
google.com. 0 IN TXT "MS=E4A68B9AB2BB9670BCE15412F62916164C0B20BB"
google.com. 0 IN TXT "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
google.com. 0 IN TXT "facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
Check SPF Record with Nslookup command
nslookup is a command-line tool that is used to query DNS servers to obtain information about DNS records. The name “nslookup” stands for “name server lookup”. It’s a useful tool for any DNS tasks.
You can use the -type option to specify the type of DNS record you want to look up, such as A (IPv4 address), AAAA (IPv6 address), MX (mail server), TXT (text), and so on. For example, nslookup -type=mx example.com will return the mail servers for the domain example.com.
nslookup also allows you to specify a DNS server to query, using the server option. For example, nslookup example.com 22.214.171.124 will query the Google Public DNS server for the domain example.com.
You can check the SPF DNS record of a domain using the nslookup command in the following way:
- Open a command prompt or terminal on your local machine.
- Type nslookup -type=txt example.com in the command prompt, where example.com is the domain for which you want to check the SPF record.
- Press Enter.
- The command will return a list of TXT records for the domain. Look for a record that starts with “v=spf1”. This is the SPF record for the domain.
For example, if you want to check the SPF record for the domain example.com, you would enter the following command:
nslookup -type=txt example.com
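Both the dig and the nslookup procedures above end with the same manual step: scan the returned TXT records for the one starting with v=spf1. The following Python script is an added example (not part of the original article) that automates that step over the text each tool prints. It takes the dig answer lines shown earlier on this page plus a constructed nslookup transcript for a hypothetical domain as embedded sample input, joins TXT records that the tools print as several quoted strings (records longer than 255 bytes are split that way), and treats a domain that publishes more than one SPF record as having no usable record, since receivers reject that configuration.

```python
import re
from typing import List, Optional

# Constructed sample: the dig answer lines quoted earlier on this page.
DIG_OUTPUT = """\
;; ANSWER SECTION:
google.com. 0 IN TXT "apple-domain-verification=30afIBcvSuDV2PLX"
google.com. 0 IN TXT "v=spf1 include:_spf.google.com ~all"
google.com. 0 IN TXT "docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"
"""

# Constructed sample of `nslookup -type=txt` output for a hypothetical domain.
# The SPF record is deliberately printed as two quoted strings on one line,
# which is how long TXT records appear.
NSLOOKUP_OUTPUT = """\
Server:         192.0.2.53
Address:        192.0.2.53#53

Non-authoritative answer:
example.com     text = "v=spf1 ip4:192.0.2.0/24 " "include:_spf.example.net -all"
example.com     text = "google-site-verification=abc"
"""

# One quoted string, allowing backslash-escaped characters inside it.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_records(output: str) -> List[str]:
    """Return every TXT record in dig or nslookup output as a single string.

    A record longer than 255 bytes is printed as several quoted strings on
    one line; RFC 7208 says to concatenate them without any separator.
    """
    records = []
    for line in output.splitlines():
        # Skip dig's ';' comment and question lines and nslookup's headers.
        if line.startswith(';'):
            continue
        if ' TXT ' not in line and 'text =' not in line:
            continue
        parts = QUOTED.findall(line)
        if parts:
            records.append(''.join(parts))
    return records


def spf_records(output: str) -> List[str]:
    """SPF records are the TXT records whose content is exactly 'v=spf1' or
    starts with 'v=spf1 ' (the version tag is case-insensitive)."""
    found = []
    for record in txt_records(output):
        lowered = record.lower()
        if lowered == 'v=spf1' or lowered.startswith('v=spf1 '):
            found.append(record)
    return found


def lookup_spf(output: str) -> Optional[str]:
    """Return the domain's single SPF record, or None when the domain has
    none or publishes more than one (RFC 7208 treats multiple records as a
    permanent error, so receivers will not authenticate the mail)."""
    found = spf_records(output)
    return found[0] if len(found) == 1 else None


if __name__ == '__main__':
    print('dig      ->', lookup_spf(DIG_OUTPUT))
    print('nslookup ->', lookup_spf(NSLOOKUP_OUTPUT))
```

To use it on live data, pipe the tool's output into the script (for example `dig example.com TXT | python3 check_spf.py` with a small read from stdin added); the parsing is the same for both tools because it keys only on the quoted strings of lines that carry a TXT answer.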
How to create our SPF record?
A domain can have only one SPF record. However, that one record can list multiple servers and third parties that are allowed to send mail for the domain.
v=spf1 ip4:126.96.36.199 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e
- Start with the SPF version tag. An SPF record should always begin with v=spf1 (version 1); this tag identifies the record as SPF. There used to be a second version of SPF (called Sender ID), but it was discontinued.
- Follow with all IP addresses that are authorized to send email on our behalf. For example: v=spf1 ip4:188.8.131.52 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e
- Add an include tag for every third-party organization that sends email on our behalf, e.g. include:thirdpartydomain.com. This tag indicates that the third party is authorized to send email on behalf of our domain. We need to consult the third party to learn which domain to use as the value of the include statement.
- End the record with an ~all or -all tag. The all tag is an important part of the SPF record because it tells receivers what policy to apply when they detect a sending server that is not listed in our SPF record. If an unauthorized server does send email on behalf of our domain, action is taken according to the published policy (e.g. reject the email or mark it as spam).
Difference between SPF -all and ~all
What is the difference between these tags? The all tag tells receiving servers how strictly to treat mail from servers that are not listed in our record. The ~all tag indicates a soft fail and -all indicates a hard fail. The all tag takes the following qualifiers:
- -all Fail: servers that aren't listed in the SPF record are not authorized to send email (non-compliant emails will be rejected).
- ~all Soft fail: if the email is received from a server that isn't listed, the email will be marked as a soft fail (emails will be accepted but marked).
- +all We strongly recommend not using this option; this tag allows any server to send email from our domain.
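The record structure described under "How to create our SPF record?" and the -all / ~all / +all policies listed above can be checked end to end with a small evaluator. The Python below is an added example, not code from the original article: it parses a record into (qualifier, mechanism, argument) terms, evaluates a sending IP address against the ip4 and ip6 mechanisms and the final all term the way a receiver would, and counts the mechanisms that cost a DNS lookup (include, a, mx, ptr, exists), which RFC 7208 caps at 10 per evaluation. The sample records use documentation address ranges and are constructed; include, a and mx mechanisms are treated as non-matching here because resolving them needs live DNS, which is a simplification of this example and not how a real receiver behaves.

```python
import ipaddress
from typing import List, Optional, Tuple

# Qualifier characters map to SPF results; an omitted qualifier means "+".
QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}

# Mechanisms that require a DNS lookup when evaluated (RFC 7208 limits
# these to 10 per evaluation; more yields a permanent error).
DNS_MECHANISMS = ('include', 'a', 'mx', 'ptr', 'exists')

# Constructed sample records for a hypothetical domain.
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
SOFT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"
OPEN_RECORD = "v=spf1 +all"  # the option the text above warns against


def parse_record(record: str) -> List[Tuple[str, str, Optional[str]]]:
    """Split an SPF record into (qualifier, mechanism, argument) terms.
    Raises ValueError if the record does not start with the v=spf1 tag."""
    terms = record.split()
    if not terms or terms[0].lower() != 'v=spf1':
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    parsed = []
    for term in terms[1:]:
        qualifier = '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if '=' in term:
            # Modifiers such as redirect= or exp= are not mechanisms;
            # this simplified evaluator ignores them.
            continue
        mech, _, arg = term.partition(':')
        parsed.append((qualifier, mech.lower(), arg or None))
    return parsed


def count_dns_mechanisms(record: str) -> int:
    """Count the terms that cost a DNS lookup, so a record that chains
    many include: entries can be spotted before it breaks authentication."""
    return sum(1 for _, mech, _ in parse_record(record) if mech in DNS_MECHANISMS)


def evaluate(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral for sender_ip against the record.

    Only ip4, ip6 and all are matched; include/a/mx/ptr/exists are treated
    as no-match because they need live DNS (simplification of this example).
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_record(record):
        if mech == 'all':
            return QUALIFIERS[qualifier]
        if mech in ('ip4', 'ip6') and arg:
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    # No mechanism matched and there is no all term: RFC 7208 default result.
    return 'neutral'


if __name__ == '__main__':
    for name, rec in (('strict', STRICT_RECORD), ('soft', SOFT_RECORD), ('open', OPEN_RECORD)):
        print(f"{name}: listed host -> {evaluate(rec, '192.0.2.10')}, "
              f"unlisted host -> {evaluate(rec, '198.51.100.7')}")
    print("lookups in page example:",
          count_dns_mechanisms("v=spf1 a mx include:_spf.google.com ~all"))
```

Running it shows the practical difference between the policies: an unlisted host gets fail under -all, softfail under ~all, and pass under +all, which is why +all offers no protection at all. The lookup counter applied to the page's own example record reports 3 (a, mx and include), well under the limit.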
Add SPF Record at our domain provider
To set up SPF for our domain, add a DNS text (TXT) record in our domain provider's management console. TXT records are a type of DNS record that holds text information for servers and other parties outside our domain.
- DNS TXT record field names vary for domain providers.
- After adding an SPF record, it can take up to 48 hours for SPF authentication to start working.