
SPF: how to configure it correctly and why it is needed

SPF record is a special record in DNS that lists the servers and IP addresses authorized to send emails on behalf of your domain. In simpler terms, it helps mail services determine which senders are truly allowed to send emails on your behalf.
[Image: example of an SPF record]

Why is SPF record needed

Today, most phishing attacks occur through sender address spoofing. Malicious actors impersonate another domain in an email while actually sending it from their own servers. As a result, the legitimate domain owners suffer: their reputation diminishes, emails start getting blocked or end up in the "Spam" folder, and companies have to prove that they are not involved.

The SPF record is specifically needed to prevent such problems. It serves as a public list of authorized servers permitted to send emails on behalf of your domain. Mail services check this record upon receiving an email to verify if the sender is legitimate.

A proper SPF record provides several important advantages:

  • Protection against spoofing and phishing. Mail systems identify and reject counterfeit emails supposedly sent on your behalf.
  • Increased email deliverability. Domains with a correct SPF record gain more trust from mail services. Their emails are less likely to end up in spam and are more frequently found in the "Inbox." Setting up SPF alongside DKIM significantly enhances the chances of successful email delivery. On the other hand, the absence of an SPF record or errors in it can lead to blocking or lower delivery priority.
  • Maintaining your brand's reputation. If the SPF record is correctly configured and prohibits sending from unauthorized servers (via -all), it will be much more difficult for scammers to send spam on your behalf.

It's worth remembering that up to 95% of all cyberattacks start with phishing emails. Therefore, it is important to use all available protective measures, and configuring SPF is one of the simplest and most effective ways to enhance security.

How SPF Check Works

When an email is sent, the sending server or mailing service puts the domain it is sending from into the message headers. Upon receiving the email, the recipient's mail server queries DNS for that domain and looks for a special TXT record with SPF settings, which always starts with v=spf1.

This record specifies a list of servers and IP addresses that are authorized to send emails from your domain. The receiving server compares the sender's IP against this list and makes a decision:

  • PASS — IP found in the list, the email passes the check.
  • FAIL — IP not authorized, the email is rejected or goes to spam (if the SPF policy is strict, via -all).
  • SOFTFAIL — IP not found, but the policy is lenient (~all), the email usually goes to spam but is not immediately blocked.
  • NEUTRAL — policy ?all, the recipient makes no conclusions about trusting the email.
  • NONE — the domain has no SPF record, nothing to check — the most risky option.

Any SPF record ends with the all rule, which dictates what to do with emails from unknown sources. The safest options are -all (strict prohibition) or ~all (soft prohibition for testing).

Never use +all: it would allow anyone to send emails on your behalf, completely nullifying SPF and opening the door for spoofing.

It is important to note: SPF checks the sender's domain specified in the technical return address (Return-Path), not in the "From" field. It does not sign the email and does not encrypt it — that is the job of DKIM. Together with DMARC, all three technologies provide maximum security.
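The decision table above can be reproduced with a small offline evaluator. The code below is an added example, not part of the original article: it takes the SPF string already looked up for the Return-Path domain, walks the mechanisms left to right, and returns PASS, FAIL, SOFTFAIL, NEUTRAL or NONE according to the qualifier of the first matching term. Only the ip4, ip6 and all mechanisms are evaluated, because a, mx and include need DNS; the sample record and addresses are constructed for the example.

```python
import ipaddress

# Constructed sample record (not from the article): two ip4 ranges, one ip6 range,
# and a strict -all policy for everything else.
SAMPLE_RECORD = "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 ip6:2001:db8::/32 -all"

# Qualifier prefix -> SPF result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}


def parse_terms(record):
    """Split an SPF string into (qualifier, mechanism, argument) tuples.
    Returns None when the string is not an SPF record at all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def evaluate_ip(record, sender_ip):
    """Offline SPF evaluation for the address-literal mechanisms (ip4/ip6) and 'all'.
    Mechanisms that need DNS (a, mx, include, ptr, exists) are skipped so the
    example runs without network access; a real checker resolves them in order."""
    terms = parse_terms(record)
    if terms is None:
        return "NONE"  # the domain publishes no SPF record: nothing to check
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in terms:
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            # 'all' always matches, so whatever follows it is never reached.
            return QUALIFIERS[qualifier]
    # RFC 7208: no mechanism matched and no 'all' present -> neutral.
    return "NEUTRAL"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.11", "2001:db8:1::5"):
        print(ip, "->", evaluate_ip(SAMPLE_RECORD, ip))
```

Swapping the trailing term shows why the closing rule matters: with ~all an unknown sender gets SOFTFAIL, with ?all NEUTRAL, and with +all every sender passes, which is the failure mode the text warns about.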

Setting Up SPF Record

Here’s how to set up the SPF record:

1. Identify all sources of email sending. Compile a list of all the servers and services that send emails on behalf of your domain.
2. Formulate the SPF record. Start with v=spf1, and then specify:
  • ip4 or ip6 if you have specific IP addresses;
  • a or mx if you want to allow sending from your website's or mail server's IP;
  • include if you are connecting third-party services. For example: include:_spf.google.com for Google or include:spf.aksend.net for Altcraft platform.
   At the end, add the policy -all (to deny everything else) or ~all (soft mode for testing).
3. In the domain's DNS settings, add a new TXT record (usually, the symbol @ is used for the root of the domain) and specify your SPF string in it. In most cases, quotes are automatically inserted by the system.
4. Ensure that there is only one SPF record for the domain, starting with v=spf1. If there are two or more such records in DNS, it will cause errors during checking, and emails may not reach recipients or could end up in spam. Always append to the existing record when adding new services instead of creating a new one separately.
5. Conduct a configuration check. After adding the SPF record, use tools like nslookup or online checks to ensure that the record displays correctly, contains no errors, and includes all necessary senders.

How to Check SPF Record

After you have added or modified an SPF record, it is important to ensure everything is working correctly.

You can check SPF in several ways:

1. Via console utilities (nslookup or dig). Open the terminal and run the command:

   nslookup -type=TXT suchdomain.com

   The response should show your SPF record. Verify:
  • that the record exists (which means DNS has updated);
  • that there is only one record — if there are multiple, that’s an error;
  • that the syntax is correct: the record starts with v=spf1, there are no extraneous quotes, spaces, or duplicates.
2. Via online services. There are many free tools to check SPF records. Enter your domain name, and the service will immediately show:
  • whether the record exists;
  • whether there are errors in its formatting;
  • whether the DNS query limit has been exceeded.

If the system issues a warning like "Multiple SPF records found" or "Too many DNS lookups," the record needs to be adjusted.

3. By sending a test email. Send an email from your domain to an external email address (e.g., Gmail). In the upper right corner of the email, click on the three dots and select "Show original." The headers will show the SPF result:
  • spf=pass — everything is set up correctly;
  • spf=fail — there is an error that needs to be resolved.

Common Mistakes in SPF Setup

Having multiple SPF records. Only one line with the v=spf1 setting is allowed for a single domain. Multiple SPF records typically appear when a new service is added by creating a separate record instead of editing the existing one. In this case, SPF checking may not work at all, and mail systems may start sending emails to spam.
What to do: keep one record that includes all authorized sources. If there are already multiple records, they need to be consolidated.

Exceeding the limit of DNS queries. According to SPF rules, a maximum of ten DNS queries is allowed when checking one record. Each include, a, mx, ptr, and exists creates a separate query. If you add too many third-party services, you can easily exceed the limit. In this case, SPF checking will return a PermError, and emails will be blocked.
What to do: reduce the number of includes, remove unused services, and when necessary, use the "SPF flattening" technique (expanding all IP addresses into a single list). But be cautious with this approach to avoid making the record too bulky.

Syntax errors. SPF is sensitive to details: missing colons, extra spaces, incorrect domain names, commas instead of spaces — all of these can break the check.
What to do: after every edit, always check the record using an SPF validator.

Using +all. Sometimes, in haste or for testing, +all is placed in SPF, which allows emails to be sent by anyone. This entirely undermines SPF and makes your domain an easy target for spammers.
What to do: always restrict sending to only trusted addresses. End your record with -all or, if testing, with ~all.

Issues when forwarding emails. If an email is forwarded through another server, SPF checks may fail because the actual sender changes.
What to do: properly configure DKIM signing and use mechanisms like SRS (Sender Rewriting Scheme) to maintain authentication when forwarding.
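The checks from the setup steps, the "How to Check SPF Record" section and the mistakes listed above can be run as one static lint before the record is published. The code below is an added example, not the article's own tooling: it takes the list of TXT strings a resolver returned for a domain and reports duplicate SPF records, the ten-lookup budget, unparseable terms, commas, malformed ip4/ip6 addresses, a missing all term and a +all policy. It also counts the redirect modifier against the lookup limit, which the article does not mention but RFC 7208 includes. The domains and records in SAMPLE_TXT_RECORDS are constructed for the example.

```python
import ipaddress
import re

# Constructed sample zone data (not from the article): the TXT strings a resolver
# would return for several hypothetical domains, one list per domain.
SAMPLE_TXT_RECORDS = {
    "good.example": ["v=spf1 ip4:198.51.100.0/24 include:_spf.google.com -all"],
    "duplicated.example": ["v=spf1 include:_spf.google.com -all",
                           "v=spf1 include:spf.aksend.net -all"],
    "open.example": ["v=spf1 a mx +all"],
    "lookups.example": ["v=spf1 a mx "
                        + " ".join(f"include:svc{i}.example" for i in range(9))
                        + " -all"],
    "typo.example": ["v=spf1 ip4:198.51.100.0/24, include:_spf.google.com -all"],
    "none.example": ["google-site-verification=constructed-placeholder"],
}

MAX_LOOKUPS = 10
# Terms that cost a DNS query (RFC 7208 section 4.6.4). 'redirect' is a modifier
# rather than a mechanism but counts against the same limit.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}
# optional qualifier, term name, optional separator (":" "=" "/") plus argument
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](\S*))?$", re.IGNORECASE)


def lint_spf(txt_records):
    """Return a list of human-readable problems for one domain's TXT records.
    An empty list means the record passed every static check."""
    problems = []
    spf_records = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf_records:
        return ["no SPF record: every sender gets result NONE"]
    if len(spf_records) > 1:
        problems.append(f"{len(spf_records)} SPF records found; "
                        "receivers treat this as a PermError")
    lookups = 0
    has_all = False
    for term in spf_records[0].split()[1:]:
        if "," in term:
            problems.append(f"comma in {term!r}: terms are separated by spaces")
        match = TERM_RE.match(term)
        if not match:
            problems.append(f"unparseable term {term!r}")
            continue
        qualifier, name, argument = match.groups()
        name = name.lower()
        if name not in KNOWN_TERMS:
            problems.append(f"unknown mechanism or modifier in {term!r}")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(argument or "", strict=False)
            except ValueError:
                problems.append(f"invalid address in {term!r}")
        if name == "all":
            has_all = True
            if qualifier in ("", "+"):
                problems.append("'+all' authorizes every host: SPF is disabled")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceed the limit of "
                        f"{MAX_LOOKUPS} (PermError)")
    if not has_all:
        problems.append("no 'all' term: unknown senders get NEUTRAL instead of FAIL")
    return problems


if __name__ == "__main__":
    for domain, records in SAMPLE_TXT_RECORDS.items():
        print(domain, "->", lint_spf(records) or "OK")
```

The lookup count here is only the direct one: each include pulls in another record whose own a, mx and include terms also count toward the same budget, so a record that passes this lint with, say, eight lookups can still exceed ten once the included records are resolved. A full check follows every include recursively; the online validators the article mentions do exactly that.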

Conclusion

The SPF record is one of the fundamental components of email protection. SPF reduces the risk of email forgery and enhances the reputation of the domain in the eyes of mail services.

It is important to understand that SPF is just one part of an overall protection system. In tandem with DKIM (email signing) and DMARC (policy for handling suspicious messages), it safeguards your emails and supports high deliverability.

In the world of email marketing, where the results of campaigns and brand reputation are at stake, ignoring SPF means risking too much. With SPF, you can be confident that emails from your domain reach their recipients, and spammers cannot use your name unnoticed.
