- November 12, 2021: Fixed typographical errors – Missing the subnet mask; Invalid subnet fixed to 2001:d00::/24.
- February 21, 2020: SPF-99 deprecation.
This guide will help you get started in creating a SPF (Sender Policy Framework) record for your domain. All domains should have SPF records, regardless of whether or not they send email. SPF records provide a reference point for detecting fraudulent sources of email and help protect against unauthorized use.
Once you have an SPF record ready, you can add it to your domain by configuring it on your authoritative name servers or your DNS provider’s administrative control panel.
Creating New Records
There are two parts to an SPF record entry that we are concerned about in this guide: the domain name for which you will create your SPF record, and the identifier and contents, which are a combination of mechanisms (explained below), IP addresses, domains, and other options that make up the contents. The “TXT” attribute states what type of record it is (a TXT record).
|Time to Live (TTL)
|Company domain name for the SPF record. Can only be used for that domain.
|In order to speed up domain name resolution requests, DNS servers will cache information about a domain. Time To Live specifies the number of seconds a DNS server should keep a record cached before refreshing it. If you make updates to your DNS records during this period, they will not be updated until the TTL has passed.
|A proper SPF record should have a TXT record type.
|A set of mechanisms, options, and IP addresses / domain names for configuring the record. The “v=spf1” option is mandatory and has to be included.
- v=spf1 is the version of SPF being used. The current version is 1.
- -all tells SPF-aware recipients to reject any mail that doesn't pass the SPF record rules for that domain. Bitsight also accepts ~all.
A null record
A null record simply states that no mail should be accepted if it appears to come from the domain. Attackers will not be able to forge an email from that domain, assuming the recipients are SPF-aware. Set up a null record for any domain that does not send email. The record is simply:
Policies for IP address or domain
If you wish to allow email from your domain, for instance, example.com, and your company has a mail server set up on the premises, the record will be:
"v=spf1 a -all"
The “a” tells recipients to look at the A record for the domain. An A record maps a domain name to one or more IP addresses; DNS servers use the A record to resolve domain names into IP addresses. In this case the domain's A record would be set up to point to an IP address that handles company mail.
In the above case you do not explicitly need to call out example.com, since this SPF record is a part of example.com's DNS records.
To allow mail from another domain by referring to its A record, in this case example2.com:
"v=spf1 a:example2.com -all"
To allow mail from a server by using its IPv4 address, for example, 192.0.2.0:
"v=spf1 **ip4**:192.0.2.0 -all"
You can specify multiple IPv4 addresses. Repeat the ip4: prefix for each one (ensure that it's ip4 and not ipv4).
To allow mail from a block of IPv4 addresses, for example 192.0.2.0/24:
"v=spf1 ipv4:192.0.2.0/24 -all"
The same can be done for IPv6 addresses. Simply use the “ip6:” prefix.
You can combine all these mechanisms:
"v=spf1 a:example2.com ip4:192.0.2.0/24 ip6:2001:d00::/24 -all"
Policies for a Mail Exchanger server
You may already have MX records set up for your organization. You can use an SPF record to take advantage of this. Use “mx” by itself to refer to the MX records for your domain, or “mx:” followed by a domain name to refer to MX records elsewhere.
To enable SPF for your existing mail exchanger domains:
"v=spf1 mx -all"
To allow mail from a different mail exchanger server, for example, you send mail from example.com but receive it on another:
"v=spf1 mx mx:mail.example2.com -all"
Policy for Including another domain's SPF records
In some cases SPF records may be managed by another service or company, or other organizations might need to send mail from your domain. Common examples of this would be vendors who provide email services, such as Sendgrid or SalesForce. In this case you would use the “include:” mechanism. For example your business services provider tells you to include spf.enterpriseservices.com:
"v=spf1 include:spf.enterpriseservices.com -all"
If your SPF needs aren't covered in this guide, please take a look at the official SPF Record Syntax page for additional SPF options.
Testing your SPF record
You can check what your existing SPF records are, test that the record you would like to add is properly formatted (syntax checker), and live test an SPF record with a sample mail envelope using Scott Kitterman's SPF record testing tools.
Deploying your SPF record
Typically your DNS provider has a control panel for modifying your DNS zone file, which has all of your DNS records within it.
When adding your SPF record to your zone file, make sure that you set the new record type to TXT. An SPF record is a TXT record, as opposed to an A record or MX record.
Verification for SPF with an empty response is supported. To determine if a domain is missing SPF records, we look for 10 or more DMARC queries in Passive DNS from the past 30 days.
Common problems include formatting errors. You may receive Diligence record warnings on your new SPF record if you have punctuation errors, such as missing closing quotes, missing a space, or other typos. Formatting errors may cause your SPF record to not work and may have unintended consequences, such as accidentally permitting mail from any domain instead of restricting it.
Frequently Asked Questions
What are my existing SPF records?
To double check if your organization has SPF implemented for a domain name, use the command line on your system and enter the following:
dig domainname.com txt
Where “domainname.com” is the domain name you would like to investigate. Note that the dig software is available by default on Mac OS and Linux systems. Windows users can download the software from the Internet Systems Consortium's BIND website.
Using “dig example.com txt” from the TXT records listed reveals the current SPF record is:
www.example.com. 86400 IN TXT "v=spf1 -all"
You may also try “dig domainname.com TXT +short” to show just the values in the TXT records.
If you prefer to not use the command line, use a website to look up the information for you. There are a number of freely available services on the web, such as mtoolbox.com, that can look up SPF records using a domain name.