The Skysnag Blog

SPF Record Syntax

October 11, 2023  |  3 min read

An SPF record is made up of several parts. The first part should always be the version number, and after that, you can define valid senders with one or more mechanisms. SPF Record syntax is defined in detail in RFC 7208.

The following is a summary of the syntax:

The SPF record is published as a TXT record in the DNS for a domain. The mechanisms and modifiers are separated by spaces. Each mechanism starts with a single letter, and each modifier starts with a single letter followed by an equals (=) sign.

Mechanisms

Mechanisms either allow or deny the use of an IP address for sending mail from a particular domain. The following are the available mechanisms:

| Mechanisms | Description | Example |
| --- | --- | --- |
| A | The A qualifier matches an IP address and is used to allow/deny mail from a specific IP address. | v=spf1 a -all |
| IP4 | The IP4 qualifier matches an IPv4 address and is used to allow/deny mail from a specific IPv4 address. | v=spf1 ip4:192.168.0.1 -all |
| IP6 | The IP6 qualifier matches an IPv6 address and is used to allow/deny mail from a specific IPv6 address. | v=spf1 ip6:fe80:: -all |
| PTR (Not Recommended) | The PTR qualifier matches a hostname, which is looked up via a reverse DNS lookup. The PTR qualifier is used to allow/deny mail from a specific hostname. | v=spf1 ptr:example.com -all |
| MX | The MX qualifier matches a hostname, which is looked up via a DNS MX Record lookup. The MX qualifier is used to allow/deny mail from a domain’s mail server. | v=spf1 mx -all |
| Include | The include modifier is used to include another SPF Record syntax in the SPF Record. The included SPF Record is looked up via DNS and evaluated as if it were part of the SPF Record. | v=spf1 include:example.com -all |
| exists | The exists modifier is used to perform a DNS lookup, and matches if a DNS record is returned. The exists modifier is used to allow/deny mail based on the existence of a DNS record. | v=spf1 exists:example.com -all |

Modifiers

Modifiers are separated by spaces, and each modifier starts with a single letter followed by an equals sign. Modifiers are used to modify the action taken when a qualifier matches. The following are the available modifiers:

| Modifiers | Description | Example |
| --- | --- | --- |
| redirect | The redirect modifier is used to redirect a query to a different SPF Record. The redirect modifier is used when a domain wishes to delegate the SPF Record syntax to another domain. The redirect modifier is only supported by newer versions of SPF. | v=spf1 redirect=example.com |
| exp | The exp modifier is used to explain an error condition. The exp modifier is used to provide a more detailed error message if a query fails. The exp modifier is only supported by newer versions of SPF. | v=spf1 -all exp=badhost |

Action

Action is the final element of an SPF Record. Actions are separated by spaces, and each action starts with a single letter. The available actions are:

| Action | Meaning | Example |
| --- | --- | --- |
| +all | Allow all IPs to send email (not recommended) | v=spf1 +all |
| -all | Deny all mail; this is used if the domain doesn’t send mail at all | v=spf1 -all |
| ~all | Allow the domain’s specified MXs to send mail for the domain; deny all others | v=spf1 mx ~all |
| ?all | This action is used to neutralize the result of the SPF Record. | v=spf1 mx ?all |

More in-depth information about SPF failure results here

Maximum Number of Lookups

In order to prevent DNS lookups from becoming infinite loops, SPF will perform a maximum of 10 DNS lookups. If an SPF Record contains more than 10 DNS lookups, then the SPF Record is considered invalid.

A DNS lookup is done when you query for one of these mechanisms:

  • a
  • mx
  • ptr
  • include
  • exists

Please note that the ‘nested lookups’ will also count. If an ‘included’ domain does an A and MX lookup, these will both count as lookups for your domain as well.
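
The nested counting described above can be checked before a record is published. The sketch below is an added example, not Skysnag's code: it walks a record and everything it includes and counts every term that triggers a DNS query, which is the worst case since a real evaluator stops at the first match. The `ZONE` data, the domain names and the function names are constructed for illustration.

```python
import re

# Constructed TXT data standing in for DNS answers; every name is hypothetical.
ZONE = {
    "example.com": "v=spf1 a mx include:_spf.mailer.example ip4:192.0.2.10 -all",
    "_spf.mailer.example": "v=spf1 a mx include:_spf.relay.example ~all",
    "_spf.relay.example": "v=spf1 exists:%{i}.ok.relay.example ip6:2001:db8::/32 ?all",
    "bulk.example": "v=spf1 include:example.com a mx ptr exists:x.bulk.example -all",
}

# Terms that cost a DNS query: the five mechanisms listed above, plus the
# redirect modifier, which RFC 7208 section 4.6.4 counts as well.
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.-]*)(?:[:=/](.*))?$", re.I)

def parse_term(term):
    """Split one SPF term into (qualifier, name, value); None if malformed."""
    m = TERM_RE.match(term)
    if not m:
        return None
    return (m.group(1) or "+", m.group(2).lower(), m.group(3) or "")

def count_lookups(domain, zone, state=None):
    """Count DNS-querying terms for `domain`, nested records included (capped at 11)."""
    state = state if state is not None else {"n": 0}
    terms = zone.get(domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return state["n"]
    for term in terms[1:]:
        if state["n"] > MAX_LOOKUPS:
            break  # a real evaluator has already returned permerror
        parsed = parse_term(term)
        if parsed is None or parsed[1] not in LOOKUP_TERMS:
            continue
        state["n"] += 1
        if parsed[1] in ("include", "redirect"):
            count_lookups(parsed[2], zone, state)  # nested terms share the budget
    return state["n"]

def within_limit(domain, zone):
    """True when the record stays inside the 10-lookup limit."""
    return count_lookups(domain, zone) <= MAX_LOOKUPS

if __name__ == "__main__":
    for name in ("example.com", "bulk.example"):
        print(name, count_lookups(name, ZONE), within_limit(name, ZONE))
```

A result of 11 means the limit was exceeded and counting stopped, which also keeps records that include each other in a loop from recursing forever.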

Conclusion

Skysnag’s automated SPF software has been developed to help verify the identity of an email sender and protect your domain from phishing attacks while taking care of your email deliverability. Get started with Skysnag by signing up using this link for a free trial today and maintain a healthy domain.
