SPF: how to configure it correctly and why it is needed
Why is SPF record needed
Today, most phishing attacks occur through sender address spoofing. Malicious actors impersonate another domain in an email while actually sending it from their own servers. As a result, the legitimate domain owners suffer: their reputation diminishes, emails start getting blocked or end up in the "Spam" folder, and companies have to prove that they are not involved.
The SPF record is specifically needed to prevent such problems. It serves as a public list of authorized servers permitted to send emails on behalf of your domain. Mail services check this record upon receiving an email to verify if the sender is legitimate.
A proper SPF record provides several important advantages:
- Protection against spoofing and phishing. Mail systems identify and reject counterfeit emails supposedly sent on your behalf.
- Increased email deliverability. Domains with a correct SPF record gain more trust from mail services. Their emails are less likely to end up in spam and are more frequently found in the "Inbox."
Setting up SPF alongside DKIM significantly enhances the chances of successful email delivery. On the other hand, the absence of an SPF record or errors in it can lead to blocking or lower delivery priority.
- Maintaining your brand's reputation. If the SPF record is correctly configured and prohibits sending from unauthorized servers (via -all), it will be much more difficult for scammers to send spam on your behalf.
How SPF Check Works
When an email is sent, the sending server or mailing service puts the domain from which the sending originates into the message headers. Upon receiving the email, the recipient's mail server queries DNS for that domain's special TXT record with SPF settings, which always starts with v=spf1.
This record specifies a list of servers and IP addresses that are authorized to send emails from your domain. The receiving server compares the sender's IP against this list and makes a decision:
- PASS — IP found in the list, the email passes the check.
- FAIL — IP not authorized, the email is rejected or goes to spam (if the SPF policy is strict, via -all).
- SOFTFAIL — IP not found, but the policy is lenient (~all), the email usually goes to spam but is not immediately blocked.
- NEUTRAL — policy ?all, the recipient makes no conclusions about trusting the email.
- NONE — the domain has no SPF record, nothing to check — the most risky option.
Any SPF record ends with the all rule, which dictates what to do with emails from unknown sources. The safest options are -all (strict prohibition) or ~all (soft prohibition for testing).
It is categorically inappropriate to use +all — that would allow anyone to send emails, completely nullifying the SPF and opening the door for spoofing.
It is important to note: SPF checks the sender's domain specified in the technical return address (Return-Path), not in the "From" field. It does not sign the email and does not encrypt it — that is the job of DKIM. Together with DMARC, all three technologies provide maximum security.
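The evaluation described above, as an added Python example (not code from the original article): it walks an SPF record term by term for a given sender IP and returns the same verdicts, resolving include, a and mx against a small constructed in-memory DNS table (the domains and addresses are assumptions, not real data) and enforcing the 10-lookup limit that produces the "Too many DNS lookups" error.

```python
import ipaddress

# Constructed offline stand-in for DNS (assumption: not real domains' data).
# "txt" holds the SPF record, "a" the host's addresses, "mx" the MX hosts.
FAKE_DNS = {
    "example.com": {"txt": "v=spf1 ip4:198.51.100.0/24 mx include:_spf.example.net -all",
                    "mx": ["mail.example.com"]},
    "mail.example.com": {"a": ["203.0.113.10"]},
    "_spf.example.net": {"txt": "v=spf1 ip6:2001:db8::/32 ~all"},
    "loop.example": {"txt": "v=spf1 include:loop.example -all"},
}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_ip, domain, dns=FAKE_DNS, lookups=None):
    """Evaluate the Return-Path domain's SPF record against the connecting IP."""
    ip = ipaddress.ip_address(sender_ip)
    lookups = [0] if lookups is None else lookups  # shared across includes
    record = dns.get(domain, {}).get("txt", "")
    if not record.startswith("v=spf1"):
        return "none"  # no record at all: nothing to check
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # "in" is False for a mismatched address family (v4 vs v6)
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # the "Too many DNS lookups" failure
            target = arg or domain
            if name == "a":
                matched = str(ip) in dns.get(target, {}).get("a", [])
            elif name == "mx":
                hosts = dns.get(target, {}).get("mx", [])
                matched = any(str(ip) in dns.get(h, {}).get("a", []) for h in hosts)
            else:
                sub = check_spf(sender_ip, target, dns, lookups)
                if sub == "permerror":
                    return sub
                matched = sub == "pass"  # include matches only on pass
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record has no all rule: default result
```

The self-including loop.example record shows how a receiver ends up with a permanent error rather than a verdict, which is why checkers warn about the lookup count.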
Setting Up SPF Record
Here's how to set up the SPF record:
- Begin the TXT record with v=spf1, and then specify:
- ip4 or ip6 if you have specific IP addresses;
- a or mx if you want to allow sending from your website's or mail server's IP;
- include if you are connecting third-party services. For example: include:_spf.google.com for Google or include:spf.aksend.net for Altcraft platform.
- Finish with -all (to deny everything else) or ~all (soft mode for testing).
How to Check SPF Record
After you have added or modified an SPF record, it is important to ensure everything is working correctly.
You can check SPF in several ways:
- From the command line, query the domain's TXT records:
nslookup -type=TXT suchdomain.com
The response should show your SPF record. Verify:
- that the record exists (which means DNS has updated);
- that there is only one record — if there are multiple, that's an error;
- that the syntax is correct: the record starts with v=spf1, there are no extraneous quotes, spaces, or duplicates.
- With an SPF checking tool, which reports:
- whether the record exists;
- whether there are errors in its formatting;
- whether the DNS query limit has been exceeded.
If the system issues a warning like "Multiple SPF records found" or "Too many DNS lookups," the record needs to be adjusted.
- By sending a test email to a mailbox you control and looking at the SPF result in the received message's Authentication-Results header:
- spf=pass — everything is set up correctly;
- spf=fail — there is an error that needs to be resolved.
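An added example (not from the original article) that applies the checks from the setup and verification sections to the TXT answer set returned for a domain: exactly one record, v=spf1 syntax without stray quotes or duplicates, the closing all rule (flagging +all and the testing-only ~all), and the DNS lookup limit. The records passed in are constructed inputs; the function lints the record text only and does not query DNS.

```python
import re

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def lint_spf(txt_records):
    """Check a domain's TXT answer set; returns a list of problems (empty = OK)."""
    problems = []
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record found: DNS has not updated or the record is missing"]
    if len(spf) > 1:
        problems.append("multiple SPF records found: receivers treat this as an error")
    record = spf[0]
    if '"' in record:
        problems.append("extraneous quotes inside the record")
    terms = record.split()
    if len(terms) != len(set(terms)):
        problems.append("duplicate terms in the record")
    last = terms[-1].lower()
    if not last.endswith("all") and not last.startswith("redirect="):
        problems.append("record does not end with an all rule")
    if last in ("all", "+all"):
        problems.append("+all authorizes any sender and disables SPF")
    elif last == "~all":
        problems.append("~all is soft mode for testing; switch to -all when done")
    # Direct lookups only; records pulled in via include add their own to the total.
    names = [re.split(r"[:/=]", t.lstrip("+-~?").lower())[0] for t in terms[1:]]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        problems.append(f"too many DNS lookups ({lookups} > {MAX_LOOKUPS})")
    return problems
```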
Common Mistakes in SPF Setup
Conclusion
The SPF record is one of the fundamental components of email protection. SPF reduces the risk of email forgery and enhances the reputation of the domain in the eyes of mail services.
It is important to understand that SPF is just one part of an overall protection system. In tandem with DKIM (email signing) and DMARC (policy for handling suspicious messages), it safeguards your emails and supports high deliverability.
In the world of email marketing, where the results of campaigns and brand reputation are at stake, ignoring SPF means risking too much. With SPF, you can be confident that emails from your domain reach their recipients, and spammers cannot use your name unnoticed.