How to Create SPF Record & Optimize it
In this article, you’ll learn how to create and optimize an SPF record so that SPF authentication passes and your email deliverability improves. It is especially helpful for email service providers that send email on behalf of their clients and need those clients to publish an SPF record in their domain’s DNS (Domain Name System). It is also useful for email senders learning how to publish their own SPF records in their domain’s DNS.
What Is an SPF Record?
SPF stands for Sender Policy Framework. It is a mechanism that authenticates your email and helps prevent spoofing. In other words, it lets receiving mail servers such as Gmail, Yahoo! Mail, and Microsoft Exchange or Outlook verify that an incoming message was actually sent from a server you authorized, not from someone pretending to be you in order to send spam. However, SPF alone will not fully protect you, and it should always be used together with the DKIM and DMARC protocols.
An SPF record is a TXT record that you publish in your domain’s DNS. Using a set of mechanisms and qualifiers, it specifies which IP addresses are authorized to send email on behalf of your domain.
How SPF Record Works
Your SPF record lists the IP addresses that are authorized to send messages for your domain. When a message reaches the recipient’s mail server, that server takes the domain from the “Envelope From” (MAIL FROM / Return-Path) address, fetches the SPF record published for that domain, and compares the IP address of the connecting mail server against it. If the message was spoofed, the sending IP will not be among the addresses authorized in the DNS record, and the receiving mail server will reject the message (or handle it according to the qualifier on the record’s “all” term).
How to Create SPF Record
To create an SPF record you have to define which IPs or senders are authorized to send email on your behalf. Here are the steps to generate a new SPF record:
- Start with this tag: v=spf1. It indicates the SPF version and always stays v=spf1.
- Follow it with the IP addresses or sending domains that are allowed to send email for you.
- If you send email through a third-party organization, don’t forget to add it as an authorized source for your email. To do so, add include:thirdpartydomain.com.
- End the record with -all (fail/hardfail). It indicates that mail from any IP that does not match the ones you have listed should be rejected by your recipients’ mail servers. The alternative qualifier is ~all (softfail); it means that mail from unauthorized IPs will be accepted by the receiving mail server but marked as spam.
- Once your record is ready, go to your DNS hosting provider and add the record. From then on, any receiving mail server can check whether a sender is authorized to send email on behalf of your domain.
Also, take note of the following SPF mechanisms you need to know:
- ip4 – matches if the sending server’s IPv4 address falls within the given address or CIDR range;
- ip6 – matches if the sending server’s IPv6 address falls within the given address or CIDR range;
- mx – matches if the sending IP is one of the addresses of the domain’s mail exchanger (MX) hosts;
- a – matches if the sending IP is one of the domain’s A or AAAA record addresses.
SPF Record Example
After you have followed all the steps above, your SPF record should look like this example record (the IP address is a placeholder from the documentation range; replace it with your own):
v=spf1 ip4:192.0.2.10 include:thirdpartydomain.com ~all
The SPF TXT record above starts with the SPF version, followed by the appropriate IP address(es), then the third-party domain is included (if you have one), and it finishes with the ~all qualifier.
Another way your TXT record can look is:
v=spf1 a mx ip4:192.0.2.10 include:thirdpartydomain.com ~all
Here, the domain’s own A record host and MX hosts also send mail, so the ‘a’ and ‘mx’ mechanisms are included in the SPF TXT record.
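To show how a receiving server walks the record above, here is a small SPF evaluator added for this article (not GlockApps code). It uses a constructed in-memory DNS table instead of real lookups and models the ip4, ip6, a, mx, include and all mechanisms with their qualifiers.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline (assumption: not real data).
DNS = {
    "example.com": {
        "TXT": "v=spf1 a mx ip4:192.0.2.0/24 include:thirdpartydomain.com ~all",
        "A": ["198.51.100.10"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "thirdpartydomain.com": {"TXT": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"},
}

# Qualifier prefix -> result when the mechanism matches ("+" is the default)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def host_ips(name):
    """A/AAAA addresses of a host, from the constructed table."""
    rec = DNS.get(name, {})
    return rec.get("A", []) + rec.get("AAAA", [])

def check_spf(domain, client_ip):
    """Evaluate the domain's SPF record against the connecting IP, left to right.
    Returns pass / fail / softfail / neutral, or none when no record exists."""
    ip = ipaddress.ip_address(client_ip)
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # 'in' is False for a v4 address against a v6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in host_ips(arg or domain)
        elif mech == "mx":
            mx_hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(str(ip) in host_ips(h) for h in mx_hosts)
        elif mech == "include":
            # include: matches only if the included record itself returns "pass"
            matched = check_spf(arg, client_ip) == "pass"
        else:
            continue  # ptr/exists/modifiers are not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term
```

A real checker also returns permerror on syntax errors or more than 10 DNS lookups, which this example does not model.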
How to Optimize SPF Records
The SPF specification (RFC 7208) requires that any SPF record comply with the “10-DNS-lookup” limit. That means any SPF record that causes more than 10 DNS queries is not valid, and any attempt to authenticate SPF for an email from that domain will result in a permanent error (permerror).
The “include”, “a”, “mx”, “ptr”, and “exists” mechanisms and the “redirect” modifier count against this limit. The “all”, “ip4”, and “ip6” mechanisms do not require DNS lookups and therefore do not count against the 10-DNS-lookup limit. So, how can you optimize your SPF record so that you can keep sending email and reaching your customers?
Avoid Costly SPF Mechanisms
Re-think using the “mx” mechanism. It makes an SPF record look simpler, but it always triggers a DNS lookup that counts against the 10-DNS-lookup limit.
Instead of “mx”, consider the “ip4” and “ip6” mechanisms to list the IP addresses your host and MX servers send email from. Although your SPF record will look longer, it will actually be cheaper from the perspective of DNS queries, as a single “mx” mechanism costs more than 20 “ip4” mechanisms.
Similarly, avoid the “a” mechanism, as it too can be replaced with “ip4” or “ip6”.
Also, don’t use “ptr”; it is deprecated by the current SPF RFC (RFC 7208).
IP Addresses Verification
If you have many “ip4” and “ip6” mechanisms, make sure they’re not excessive. Are there any IP addresses you are no longer using? Are there any IP address ranges that can be merged? For example, the two adjacent blocks “ip4:10.0.0.0/24” and “ip4:10.0.1.0/24” can be replaced with the single block “ip4:10.0.0.0/23”.
CIDR blocks generated from IP address ranges can sometimes give very inefficient representations. The IP range 10.11.12.1-10.11.12.254 needs 14 “ip4” mechanisms to represent precisely. Instead, you can use the single mechanism “ip4:10.11.12.0/24”, even if you’re not sending any email from the .0 or .255 addresses.
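The two optimization checks above (counting lookups against the limit of 10, and merging IP blocks into as few CIDR terms as possible) are shown together in this added example. It is not GlockApps code; the three SPF records are constructed and stand in for real DNS TXT lookups, and the merge step is what an SPF “flattener” produces.

```python
import ipaddress
# Constructed SPF records standing in for DNS TXT lookups (assumption: not real data).
TXT = {
    "example.com": "v=spf1 a mx ip4:192.0.2.0/24 include:thirdpartydomain.com ~all",
    "thirdpartydomain.com": "v=spf1 mx include:_spf.vendor.example -all",
    "_spf.vendor.example": "v=spf1 ip4:203.0.113.0/25 ip4:203.0.113.128/25 ip6:2001:db8::/32 -all",
}
LOOKUP_MECHS = {"a", "mx", "ptr", "exists", "include", "redirect"}  # each costs a DNS query

def terms(domain):
    """Yield (name, argument) per term, qualifier stripped; redirect= is a modifier."""
    for term in TXT.get(domain, "").split()[1:]:
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name.startswith("redirect="):
            name, arg = "redirect", name.split("=", 1)[1]
        yield name, arg

def count_lookups(domain, seen=None):
    """Count DNS-querying terms as a checker does, descending into include:/redirect=."""
    seen = set() if seen is None else seen
    if domain in seen:   # guard against include cycles; repeats counted once (lower bound)
        return 0
    seen.add(domain)
    total = 0
    for name, arg in terms(domain):
        if name in LOOKUP_MECHS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, seen)
    return total

def flatten_ips(domain, seen=None):
    """Gather every ip4/ip6 block reachable from the record and merge adjacent/overlapping ones."""
    seen = set() if seen is None else seen
    nets = []
    if domain not in seen:
        seen.add(domain)
        for name, arg in terms(domain):
            if name in ("ip4", "ip6"):
                nets.append(ipaddress.ip_network(arg, strict=False))
            elif name in ("include", "redirect"):
                nets += [ipaddress.ip_network(n) for n in flatten_ips(arg, seen)]
    merged = [ipaddress.collapse_addresses([n for n in nets if n.version == v]) for v in (4, 6)]
    return [str(n) for group in merged for n in group]

def range_to_cidrs(first, last):
    """Exact CIDR cover of an address range; 10.11.12.1-.254 needs 14 blocks."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]
```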
You don’t need a “~all” or “-all” at the end of a TXT record that is only included in another SPF record, not used directly. It won’t do any harm but it eats a few characters.
Split Your SPF Record
An SPF record can consist of one or more text strings, and each string can contain no more than 255 characters. An SPF checker concatenates all the strings of a TXT record before it starts parsing the content, so you can have more than 255 characters in an SPF record by splitting it into more than one string.
But keep your DNS reply packets under 512 bytes. Count the DNS overhead for a reply that contains a single TXT record with two strings, which is about 34 bytes, then add the length of the hostname being queried. So, to comply with the 512-byte limit, your SPF data must be no longer than 478 bytes minus the length of the hostname.
Then break that SPF data into two strings. Because they will be concatenated with no whitespace added, you need to include the space at the end of the first string or at the beginning of the second string.
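The size budget and the splitting rule just described, as an added example (not GlockApps code). The 512-byte and 34-byte figures are taken from the text above; the sample record is constructed from documentation-range addresses.

```python
UDP_LIMIT = 512      # classic DNS-over-UDP reply size without EDNS
DNS_OVERHEAD = 34    # figure from the text: reply carrying one TXT record of two strings
TXT_STRING_MAX = 255

def max_record_len(hostname):
    """Longest SPF record that still fits a 512-byte reply for this hostname."""
    return UDP_LIMIT - DNS_OVERHEAD - len(hostname)

def split_spf(record, limit=TXT_STRING_MAX):
    """Break an SPF record into TXT strings of at most `limit` characters.
    Cuts only between terms and keeps the separating space at the end of the
    earlier string, so concatenating the strings reproduces the record exactly."""
    pieces, current = [], ""
    for term in record.split(" "):
        if len(term) >= limit:   # a term needs room for its trailing separator
            raise ValueError(f"single term too long for one string: {term}")
        if current and len(current) + len(term) + 1 > limit:
            pieces.append(current)           # this string ends with the space
            current = ""
        current += term + " "
    pieces.append(current.rstrip(" "))       # last string carries no trailing space
    return pieces

def check_txt(hostname, record):
    """Return (fits_udp, strings): whether the record fits the reply budget,
    and the strings it would be published as."""
    return len(record) <= max_record_len(hostname), split_spf(record)

# Constructed record (documentation range) long enough to need two strings.
SAMPLE = "v=spf1 " + " ".join(f"ip4:192.0.2.{i}" for i in range(30)) + " -all"
```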
Test Your SPF Record
Optimizing the SPF record is important but difficult. To help you do it, GlockApps created an SPF checking tool.
Enter your domain and click “Check SPF” to check your SPF record. Or you can copy-paste your SPF record to check its syntax.
The GlockApps SPF Flattener:
- checks if the SPF record syntax is correct;
- makes sure the number of mechanisms and modifiers in the SPF record that do DNS lookups is under 10;
- “flattens” the SPF record into a list of plain IP addresses, so that you can check them one by one in case you need to track down some obstinate SPF issue.
With GlockApps DMARC Analytics, you can identify any unauthorized sources sending on behalf of your domain and make sure that all your legitimate sources pass SPF, DKIM, and DMARC authentication.
Start using DMARC Analytics right now with 10,000 free monthly DMARC messages and unlimited domains to get the data and analyze your email traffic.
Every email marketer sending email should know how important it is to not only implement SPF records, but also optimize them to protect their sending reputation and avoid spoofing and phishing attacks.
Only authorized senders will be able to send mail on your behalf without being rejected by mail servers. Be sure to define all sending sources, including your primary domain and third-party services, in the SPF record within your DNS, and exclude any non-sending domain.
In order to achieve the best results from your email marketing efforts and avoid being marked as spam, publish an optimized SPF record and perform an SPF check frequently. This will help ensure any unauthorized mail server is not sending spam mail using your domain.