How to Optimize Your SPF Record
In this post, we will tell you how you can optimize a bloated SPF record so that SPF authentication passes. This primarily concerns delivery services that send emails for their customers and ask those customers to add an include for the service to their domain's SPF record in DNS. But it can also be useful to senders publishing their own SPF records.
What Is an SPF Record?
SPF stands for Sender Policy Framework. It is a mechanism that authenticates your email and helps prevent spoofing; in other words, it shows that an email claiming to come from your domain was actually sent from a source you authorized and not from someone else. However, SPF alone will not fully protect you, and it is always recommended to use it together with DKIM and DMARC.
An SPF record is a TXT record added to your domain's DNS. It is made up of mechanisms, qualifiers and modifiers that state which IPs are allowed to send emails on your behalf.
How SPF Record Works
In the SPF record you state which IPs are allowed to send messages for your domain. When the email reaches the recipient's server, the server takes the domain from the "Envelope From" (MAIL FROM) address, fetches that domain's SPF record, and compares the IP the message arrived from against it. If the message was spoofed, the IP will be different from those listed in the DNS record and the email will fail the check; with a -all record it will be rejected.
How to Create SPF Record
To create an SPF record you have to define which IPs are allowed to send emails on your behalf. Here are the steps to follow when creating the SPF record:
- Start with this tag: v=spf1 – it indicates the SPF version and always stays v=spf1.
- Follow this tag with the IPs that are allowed to send emails for your domain.
- If you send emails through a third party, don't forget to add it as an authorized source of your emails. To do so, add include:thirdpartydomain.com.
- End the record with -all (fail) – it indicates that all IPs that don't match the ones you have provided will be rejected. There is another option, ~all (softfail): emails from unauthorized IPs will be accepted but marked as suspicious.
Also, take note of the following SPF mechanisms you need to know:
- ip4 – matches if the sender's IP falls within the given IPv4 address or CIDR range;
- ip6 – matches if the sender's IP falls within the given IPv6 address or CIDR range;
- mx – matches if the sender's IP is one of the addresses that the domain's mail exchanger (MX) records resolve to;
- a – matches if the domain's A or AAAA record resolves to the sender's IP.
SPF record example
After you have followed all the steps above, your SPF record should look like this (the IP below is a placeholder from the RFC 5737 documentation range; substitute your own):
v=spf1 ip4:192.0.2.10 include:thirdpartydomain.com ~all
It starts with the SPF version, followed by the appropriate IP address(es) and the third-party domain (if you have one), and is concluded with the ~all tag.
Here is another way your TXT string can look:
v=spf1 a mx ip4:192.0.2.10 include:thirdpartydomain.com ~all
Here the domain uses the 'a' and 'mx' mechanisms, so they are included in the SPF record.
How to Optimize SPF Records
The SPF standard requires that any SPF record must comply with the 10-DNS-lookup limit. This means that any SPF record whose evaluation causes more than 10 DNS queries is not valid, and any attempt to authenticate SPF for an email from the domain will result in a permanent error (permerror).
The "include", "a", "mx", "ptr", and "exists" mechanisms and the "redirect" modifier count against this limit. The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against the 10-DNS-lookup limit. So, how can you improve your SPF record?
Avoid Costly SPF Mechanisms
Think twice before using the "mx" mechanism. It makes an SPF record look simpler, but it always triggers a DNS lookup that counts against the 10-DNS-lookup limit.
Instead of "mx", consider the "ip4" and "ip6" mechanisms to list the IP addresses your host and MX send emails from. Though your SPF record will look longer, it will actually be cheaper from the perspective of DNS queries, as a single "mx" mechanism costs more than 20 "ip4" mechanisms.
Similarly, avoid the "a" mechanism, as it can also be replaced with "ip4" or "ip6".
Don't use "ptr"; it is deprecated by the current SPF RFC.
IP Address Verification
If you have many “ip4” and “ip6” mechanisms, make sure they’re not excessive. Are there any IP addresses that you are not using? Are there any IP address ranges that can be merged? For example, “ip4:x.y.z.4/24” and “ip4:x.y.z.5/24” can be replaced with “ip4:x.y.z.4/23”.
CIDR blocks generated from IP address ranges can sometimes give very inefficient representations. The IP range 10.11.12.1-10.11.12.254 needs 14 “ip4” mechanisms to represent precisely. Instead, you can use the single mechanism “ip4:10.11.12.0/24”, even if you’re not sending any email from the .0 or .255 addresses.
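The range arithmetic above can be checked with the standard library. This is an added example, not code from the post, using Python's ipaddress module: it produces the exact CIDR cover of an inclusive range (the 14 blocks mentioned above), merges overlapping or adjacent ip4 terms into the fewest blocks, and finds the smallest single block that covers a range together with how many extra addresses that block authorises. The addresses are the post's own sample values plus constructed ones from the RFC 5737 documentation range.

```python
import ipaddress


def ip4_terms_for_range(first, last):
    """Exact CIDR cover of an inclusive IPv4 range, as SPF ip4 terms."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [f"ip4:{n}" for n in nets]


def merge_ip4_terms(terms):
    """Collapse overlapping or adjacent ip4 terms into the fewest blocks.
    strict=False so a term with host bits set (x.y.z.4/24) is read as
    the network it belongs to (x.y.z.0/24)."""
    nets = [ipaddress.ip_network(t.split(":", 1)[1], strict=False) for t in terms]
    return [f"ip4:{n}" for n in ipaddress.collapse_addresses(nets)]


def covering_block(first, last):
    """Smallest single CIDR block that contains the whole range, plus the
    number of extra addresses it authorises beyond the range itself."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{a}/32")
    while b not in net:
        net = net.supernet()  # widen one bit at a time until it covers b
    return f"ip4:{net}", net.num_addresses - (int(b) - int(a) + 1)
```

The second return value of covering_block is what you are knowingly over-authorising when you trade 14 precise terms for one /24; for 10.11.12.1-10.11.12.254 it is the two addresses .0 and .255.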
You don’t need a “~all” or “-all” at the end of a TXT record that is only included in another SPF record, not used directly. It won’t do any harm but it eats a few characters.
Split Your SPF Record
An SPF record can contain one or more strings of text and each string can contain no more than 255 characters. An SPF checker will take all of the strings in a TXT record and bind them together before it starts looking at the content. So you can have more than 255 characters in the SPF record by splitting it into more than one string.
But keep your DNS replies under 512 bytes. The DNS overhead for a reply that contains a single TXT record with two strings is about 34 bytes; add to that the length of the hostname being queried. So to stay within the 512-byte limit, your SPF data must be no longer than 478 minus the length of the hostname.
Then break that SPF data into two strings. Because they will be joined with no whitespace added, you need to include the space at the end of the first string or at the beginning of the second one.
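The splitting rule and the size budget from the two paragraphs above, as an added example that is not part of the post. The 512-byte reply size and 34-byte overhead are the post's figures; the 255-character string limit is the TXT character-string limit. The splitter cuts only at term boundaries and keeps the separating space at the end of each string, so concatenating the strings reproduces the original record; the long record used to exercise it is a constructed sample.

```python
DNS_REPLY_MAX = 512   # classic UDP DNS reply size the post budgets against
REPLY_OVERHEAD = 34   # header + question + TXT framing for two strings (post's figure)
MAX_STRING = 255      # limit for one character-string inside a TXT record


def spf_budget(hostname):
    """Largest SPF record (in characters) that still fits a 512-byte reply
    for the given query name, i.e. 478 minus the hostname length."""
    return DNS_REPLY_MAX - REPLY_OVERHEAD - len(hostname)


def fits_in_udp(record, hostname):
    """True if the whole record fits the budget without DNS truncation."""
    return len(record) <= spf_budget(hostname)


def split_spf(record, max_len=MAX_STRING):
    """Cut an SPF record into strings of at most max_len characters at
    term boundaries. The separating space is kept at the END of each
    string, so a checker that concatenates the strings without adding
    whitespace gets the original record back unchanged."""
    terms = record.split()
    chunks, current = [], ""
    for i, term in enumerate(terms):
        piece = term if i == len(terms) - 1 else term + " "
        if len(piece) > max_len:
            raise ValueError(f"single term longer than {max_len}: {term}")
        if len(current) + len(piece) > max_len:
            chunks.append(current)  # flush before this term would overflow
            current = ""
        current += piece
    if current:
        chunks.append(current)
    return chunks


def join_spf(chunks):
    """What an SPF checker does with a multi-string TXT record."""
    return "".join(chunks)
```
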
Test Your SPF Record
Optimizing the SPF record is important but difficult. To help you do it, we at GlockApps created an SPF checking tool.
You can enter your domain and click the button to check your SPF record. Or you can copy-paste your SPF record to check its syntax.
The GlockApps SPF Flattener:
- checks if the SPF record syntax is correct;
- makes sure the number of mechanisms and modifiers in the SPF record that do DNS lookups is under 10;
- "flattens" the SPF record into a list of plain IP addresses, so that you can check them one by one in case you need to track down some obstinate SPF issues.
With GlockApps DMARC Analytics, you can identify any unauthorized sources sending on behalf of your domain and make sure that all your legitimate sources pass SPF, DKIM, and DMARC authentication.
You can activate the DMARC Analytics trial in your GlockApps account and test it for 14 days to collect DMARC data and analyze your email traffic.