SPF
Sender Policy Framework
When an email server receives an email, it can look up the SPF record for the sender domain in DNS. If an SPF record exists, the email server uses the contents of the record to determine if the email was actually sent from a legitimate sender.
When you set up a new service provider, they'll often give you a short snippet, like the one above, that you need to copy and paste into your DNS.
Anatomy of an SPF record
An SPF record is a DNS record of type TXT. The value is the interesting part, and in a simple form it can look like this:
v=spf1 include:spf.mtasv.net ?all
This record will authorize the ESP, Postmark, to deliver emails for our domain (that's the spf.mtasv.net part).
A more complex example could be the following, which is explained in detail below:
v=spf1 mx a ptr ip4:1.2.3.4/32 a:substancelab.com include:servers.mcsv.net ~all
Part | Meaning |
---|---|
v=spf1 | The version of the SPF record. For now only version 1 exists. |
mx | Servers that are also in the domain's MX record are allowed to send email for this domain. |
a | The server in the domain's A record is allowed to send email for this domain. |
ptr | If present, all subdomains of the domain are allowed to send email for the domain. |
ip4:1.2.3.4/32 | These IP addresses and IP address ranges are allowed to send email. |
a:substancelab.com | Domains listed here are allowed to send emails for this domain. |
include:servers.mcsv.net | This adds another SPF record to yours. It is commonly used when using third-party services to deliver email. In this example we allow Mailchimp's servers to deliver emails for our domain. |
~all | How strict recipient servers should be when a sender doesn't match. |
SPF records for domains that send no email
If you have a domain that doesn't send any email, you should still have an SPF record and configure DMARC for it. That way you can protect your domain from being used in phishing attacks and other malicious activities.
Here's an example of an SPF record for a domain that doesn't send any email:
v=spf1 -all
This basically says "fail SPF for all emails".
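The records shown on this page can be checked mechanically before they are published. The following Python sketch is an added example, not code from this page or from any provider it mentions: it splits a record into qualifier, mechanism and argument, then flags terms a domain owner should review. The function names parse_spf and lint_spf are hypothetical, and the code reads only the string it is given, without following include: records in DNS.

```python
import re

# Added example: lint an SPF record string offline (no DNS queries are made).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that trigger a DNS query; RFC 7208 allows at most 10 per evaluation.
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF TXT value into (qualifier, name, argument) tuples."""
    version, *terms = record.split()
    if version.lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms:
        qualifier = "+"  # a term without a prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        match = re.match(r"([A-Za-z][\w.-]*)(.*)", term)
        if not match:
            raise ValueError(f"malformed term: {term!r}")
        # "ip4:1.2.3.4/32" -> ("ip4", "1.2.3.4/32"); "all" -> ("all", "")
        parsed.append((qualifier, match[1].lower(), match[2].lstrip(":=")))
    return parsed


def lint_spf(record):
    """Return findings for one record; included records are not followed."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    findings = []
    lookups = sum(name in DNS_TERMS for name in names)
    if lookups > 10:  # lower bound only: nested includes add more lookups
        findings.append(f"{lookups} DNS-querying terms, limit is 10")
    if "ptr" in names:
        findings.append("ptr: RFC 7208 says it should not be published")
    all_quals = [q for q, name, _ in terms if name == "all"]
    if not all_quals and "redirect" not in names:
        findings.append("no 'all' term: unmatched senders get neutral")
    elif all_quals and all_quals[0] in "+?":
        q = all_quals[0]
        findings.append(f"{q}all: unmatched senders get {QUALIFIERS[q]}, not fail")
    return findings


if __name__ == "__main__":
    # The three records shown on this page.
    for rec in ("v=spf1 include:spf.mtasv.net ?all",
                "v=spf1 mx a ptr ip4:1.2.3.4/32 a:substancelab.com "
                "include:servers.mcsv.net ~all",
                "v=spf1 -all"):
        print(rec, "->", lint_spf(rec) or "no findings")
```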
Guides
- How to set up DMARC on Mailerlite
- How to setup SPF on Campaign Monitor
- How to authenticate authors on Bento
- How to add a SPF record to your domain
- How to set up DMARC on SendGrid
- How to Verify a Sending Domain on Convertkit
Tools
- SPF Wizard: Point and click wizard to create or update an SPF record.
- SPF Policy Tester: Tool to verify if specific IP addresses pass your SPF policy.