The Skysnag Blog

What is an SPF Record?

September 24, 2022  |  3 min read

You don’t have to comprehend every aspect of an SPF record to use it, but a better understanding can help you grasp the big picture. How can you enhance email deliverability and safeguard the reputation of your domain?

Let’s find out.

What is an SPF Record

SPF records are a type of Domain Name Service (DNS) record that can be used to help verify the identity of an email sender. The record specifies which mail servers are authorized to send an email on behalf of a given domain.

The recipient email server runs a DNS query to locate the TXT record during mail delivery to determine whether the sender’s server IP matches the list of permitted IP addresses for the sender’s domain. The sender’s email message may experience a “soft fail” or a “hard fail” if no Sender policy framework record is discovered.

You have control over which emails are delivered to your mailbox as an email administrator. A “hard fail” will be either deleted or sent to the recipient’s spam box. Depending on the security settings of the email administrator, a “soft fail” may still reach the intended recipient but it may also be dropped by the recipient email server.

Why SPF Records Are Important to Add to Your Domain

SPF records are a fundamental part of email security. It’s an email validation system designed to prevent spam by verifying the sender is who they say they are. It does this by checking the IP addresses the message claims to come from.

In order for email providers to use SPF, the message must contain an SPF record in its DNS. SPF records are TXT records that are placed in your domain name’s DNS zone file. SPF records are used by email providers to verify a sender.

How can I create an SPF record for my domain?

To create an SPF record for your domain, you will need to create a text file with the following information:

  • Start with the SPF version v=spf1. This indicates that it is an SPF record. It will always be v=spf1, as other SPF versions have been discontinued.
  • The SPF version tag should be followed with all IP addresses that are authorized to send email on behalf of your domain. For example: v=spf1 ip4:40.113.200.201 ip6:2001:db8:85a3:8d3:1319:8a2e:370:7348
  • Next comes the “include” statement, which is needed for every third-party organization that sends email on your behalf. For example: v=spf1 ip4:40.113.200.201 ip6:2001:db8:85a3:8d3:1319:8a2e:370:7348 include:thirdpartydomain.com
  • You should consult with these third parties to discover which domain to use as a value here. Also, ESPs typically publish SPF records for sending domains on your behalf, so you will want to verify with them as well.
  • The end of the SPF record is the “all” tag. It is important because it indicates what policy and how strictly it should be applied when a receiving server detects a server that is not listed (authorized) in your SPF record.

This is a brief summary of the possible contents of an SPF record. Here is a more in-depth look into SPF record syntax.

Everything that causes an SPF fail

SPF Failure Options:

You can configure the default SPF record to include either soft fail or hard fail. Soft fail is the go-to option for many SPF creators because it combines leniency with a strong defense against spoofing and email spam. Hard fail will reject all emails from hosts not listed in the SPF record.

Soft fail 

The recipient may view the emails they receive from an SPF record that employs the “soft fail” qualifier as junk mail. It is the preferred choice for many SPF developers since it combines laxness with a potent defense against email spam and spoofing.

Hard Fail 

The mail receiver would reject any emails from hosts not mentioned in the SPF record if you decided to use the “hard fail” qualifier. Simply said, the email will not be properly delivered and the receiver will not be able to retrieve it.


How do I test and verify an SPF record?

Have an SPF Record already, but aren’t sure if it’s configured correctly? To perform an SPF Check, use our free SPF tool. The list of servers that you have given permission for your domain to use to send emails is displayed here. If a valid IP address is not listed, you will get the recipient’s perspective and have the option to edit the SPF record.

Conclusion

Skysnag’s automated SPF software has been developed to help verify the identity of an email sender and protect your domain from phishing attacks while taking care of your email deliverability. Get started with Skysnag by signing up using this link for a free trial today and protect your domain’s reputation.

Enforce DMARC, SPF and DKIM in days - not months

Skysnag helps busy engineers enforce DMARC, responds to any misconfigurations for SPF or DKIM which increases email deliverability, and eliminates email spoofing and identity impersonation.

Check your domain’s DMARC security compliance