Tuesday, April 26, 2016

DNS SPF Basics - What you need to know to do it correctly

The SPF (Sender Policy Framework)

DNS SPF records are essential to best practice email flow from your business. SPF records are email recipient’s servers best way of confirming the email they received is really from the domain it says it is from. While not every server rejects email based on SPF records, more and more do every day to reduce the massive amount of spam. If you want better assurances your email is not going to spam or being dropped all together by receiving email servers, I would highly recommend you check your SPF records.

Many companies have multiple sending sources, for example using Office 365 and also a third party media company sending client communications on your company’s behalf, or an email filtering service.

Receiving servers need SPF to sort through whom is legit

SPF records are external DNS txt records for each domain. There should be only one SPF record per domain.

Each DNS vendor management console is a little different but here is an example from Network Solutions of an SPF record:


So we will start to break down the formatting of the SPF example above. If was using only Office 365 it would be:

v=spf1 include:spf.protection.outlook.com -all

Since it is using MXLogic email filtering service as well it also has:


For each legitimate sender you add an additional “include:” in the SPF record. Again you should only have one SPF record and it is limited to 256 characters so plan accordingly.

If you have a static IP server sending you should add its “ip4” record without an additional include statement for example:


You can have ranges of IP addresses, but I would recommend you keep them as small as possible


Combining all of those for example would be:

v=spf1 include:spf.protection.outlook.com include:mxlogic.net ip4: -all

If you see “-a” or “-ptr” in the SPF records, those are old SPF formats and typically not necessary. I would recommend removing them.

The next question is what does the “-all” mean

-all” means these are the ONLY servers authenticated to send for my domain hard fail if not a match
~all” means these are the main servers authenticated to send for my domain soft fail if not a match
+all” means these plus ANYONE is authenticated to send for my domain NEVER use that setting

There are many other settings that can be used, however I am not going to go into the history of SPF or more advanced settings. The reason being is ideally you want these records brief and to the point so email servers can quickly and easily resolve them. Don’t over complicate SPF.

To check if your SPF records exist and are configured correctly. Here is a link to a tool to check where you simply put in your domain name and click “SPF Record Lookup”:


No comments:

Post a Comment