What you'll learn in this article
This guide will help you learn how to create an SPF TXT record, assuming that you are familiar with DNS and DNS TXT records.
- Setting up an SPF record helps prevent malicious actors from using your domain to send malicious emails.
- Learn how to create and publish your SPF TXT record, and validate that it's configured correctly.
- Follow this straightforward guide to enhance your domain's security and safeguard against email spoofing.
Build your SPF record in 4 easy steps
After reading this article you will be able to create your own SPF TXT record, assuming that you are familiar with DNS and DNS TXT records.
Authorize email senders with SPF
The Sender Policy Framework (SPF) is an email authentication technique that is used against email spoofing. Setting up an SPF record helps to prevent malicious persons from using your domain to send unauthorized (malicious) emails, also called email spoofing. The SPF protocol is used as one of the standard methods to fight against spam and is also used in the DMARC specification.
What are SPF records?
An SPF record is a TXT record that is part of a domain’s DNS (Domain Name Service). An SPF record lists all authorized hostnames / IP addresses that are permitted to send email on behalf of your domain.
What effect does an SPF record have?
Some email recipients strictly require SPF. If you haven’t published an SPF record for your domain, your email can be marked as spam or even worse the email will bounce. If an email is sent through an unauthorized mail server, the email can be marked as spam. Having a properly set up SPF record will improve your email deliverability and will help to protect your domain against malicious emails sent on behalf of your domain. The email validation system DMARC creates a link between SPF and DKIM.
How to create your SPF record?
To protect your brand against spoofing and phishing attacks you have to authenticate your email.Create your SPF record by following these steps:
Step 1: Collect all IP addresses that are used to send email
The Sender Policy Framework (SPF) gives the ability to authenticate your email and to specify which IP addresses are allowed to send email on behalf of the specific domain.
In order to successfully implement SPF you first need to identify which mail servers are used to send email for your domain. These mail servers can be any sending organization. You should think of your Email Service Provider, Office mail server and any other third-party mail servers that may be used to send email for you.
Gathered all sending email servers?
Now that you’ve got a clear overview of all sending domains, you have to create an SPF record for every domain, even if the domain doesn’t actively send email (more information about: How to secure inactive/parked domains).
Step 2: Create your SPF record
- Start with the SPF version. This part defines the record as SPF. An SPF record should always start with the version number v=spf1 (version 1). This tag defines the record as SPF. There used to be a second version of SPF (called: SenderID), but this was discontinued.
- After including the v=spf1 SPF version tag, you should follow with all IP addresses that are authorized to send email on your behalf. For example: v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e
- Next, you can include an include tag for every third-party organization that is used to send email on your behalf e.g. include:thirdpartydomain.com. This tag indicates that this particular third party is authorized to send email on behalf of your domain. You need to consult with the third party to learn which domain to use as a value for the ‘include’ statement.
- Once you have implemented all IP addresses and include tags, you should end your record with an ~all or -all tag. The all tag is an important part of the SPF record as it indicates what policy should be applied when ISPs detect a server which is not listed in your SPF record. If an unauthorized server does send email on behalf of your domain, action is taken according to the policy that has been published (e.g. reject the email or mark it as spam). What is the difference between these tags? You need to instruct how strict servers need to treat the emails. The ~all tag indicates a soft fail and the -all indicates a hardfail. The all tag has the following basic markers:
- -all Fail: servers that aren’t listed in the SPF record are not authorized to send email (not compliant emails will be rejected).
- ~all Softfail: If the email is received from a server that isn’t listed, the email will be marked as a soft fail (emails will be accepted but marked).
- +all: We strongly recommend not to use this option, this tag allows any server to send email from your domain.
There are many available SPF tags. More information can be found at the SPF parts explanation page.
After defining your SPF record, your record might look something like this:
v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e include:thirdpartydomain.com -all
For domains that aren’t sending email, we recommend you publish the following record: v=spf1 -all
Please keep in mind that your SPF record cannot be over 255 characters and has a maximum of 10 include tags, also known as “lookups”. Please note that ‘nested lookups’ will also count. If a record has an A and MX lookup, these will both count as lookups for your domain.
Now that you have created your SPF TXT record, you can publish it into your DNS.
Step 3: Publish your SPF record into your DNS
Finally, after defining your SPF record, it’s time to publish the record into your DNS. Doing so, mail receivers like (Gmail, Hotmail and others) can request it. An SPF record needs to be published into your DNS by your DNS manager. This can be an internal role in your organization, you can have access to a dashboard provided by your DNS provider yourself, or you can ask your DNS provider to publish the record.
Please make sure that your SPF record doesn’t exceed the maximum of 10 lookups! Please note that ‘nested lookups’ will also count. If an ‘included’ domain has an A and MX lookup, these will both count as lookups for your domain as well. You can prevalidate your SPF record by using our free SPF record Checker.
Access your DNS manager
Your SPF record needs to be published into your DNS:
- Log in to your domain account at your domain host provider.
- Locate the page for updating your domain’s DNS records (something like DNS management or name server management).
- Select the domain of which you want to modify the records.
- Open the DNS manager.
- Log in to your domain account at your domain host provider.
- Create a new TXT record in the TXT (text) section.
- Set the Host field to the name of your domain.
- Fill the TXT Value field with your SPF record (i.e. “v=spf1 a mx include: exampledomain.com ~all””).
- Specify the Time To Live (TTL), enter 3600, or leave the default.
- Click “Save” or “Add Record” to publish the SPF TXT record into your DNS.
Your new SPF record can take up to 48 hours to go into effect. For help adding TXT records, contact your domain host.
Step 4: Test your SPF record with the SPF record Checker
Setting up the an SPF record is an essential part of your technical settings. Read more about how to check and validate your SPF record or directly test your SPF record by using our SPF record Checker.
The SPF record is correctly configured when:
- The SPF record Checker has found an SPF record.
- Your SPF record doesn’t exceed the maximum number of 10 lookups.
- The configured IP addresses are real addresses that are used to send email from.
There are many available SPF tags. More information can be found at the SPF parts explanation page.
SPF and DMARC
SPF is one of the email authentication techniques on which DMARC is based. The email validation system DMARC creates a link between SPF and DKIM. DMARC uses the result of the SPF checks and adds a check on the alignment of the domains to determine its results. Learn more information about DMARC.