Sender Policy Framework (SPF): What It Is, How It Works, and How to Create an SPF Record
Sender Policy Framework (SPF) is an email authentication protocol that helps verify an email’s true sender. Receiving servers use SPF to check that an email comes from a server approved by the purported sending domain, preventing email spoofing and phishing attacks.
SPF is a vital part of email security and email authentication. It allows domain owners to prevent domain spoofing and protect their reputation. Without SPF in place, receivers cannot verify whether an incoming email that claims to come from a domain was in fact sent by that domain.
Domain owners can use DMARC (Domain-based Message Authentication, Reporting, and Conformance) to require that messages from their domain pass SPF before delivery.
In other words, you can use it to prevent scammers from impersonating your domain. It also helps prevent your emails from getting the dreaded spam label.
Read on to learn how SPF works, why it matters, what an SPF record looks like, how to create and validate one, and more about SPF authentication.
What Is an SPF Record? What Does It Do?
An SPF record is a DNS TXT record listing authorized email servers allowed to send emails from a specified domain. It's published in the DNS and defines SPF email authentication for your domain.
Receiving servers use SPF to verify that an incoming email is actually from your domain, rather than a spoofed impersonation. Without SPF authentication, receiving servers can’t verify whether an email is legitimate and actually from your domain.
SPF also helps improve your email deliverability. With an SPF record in place, mail that spoofs your domain fails authentication, so your legitimate emails are less likely to be marked as spam or junk. Receiving servers may also reject your domain’s emails if no SPF record is present, since they cannot confirm that the mail actually comes from your domain.
Once an SPF record is in place, domain owners can (and should) add a DMARC record to the DNS. This gives receiving servers instructions on what to do with mail that appears to come from your domain but doesn’t pass SPF or DKIM authentication.
What an SPF Record Looks Like
An SPF record is a list of all IP addresses and domains authorized to send emails on behalf of your domain. It uses tags to specify IP addresses, rules, and more.
There are several tags you can use in an SPF record:
v: The protocol version—in this case, it’s v=spf1.
ip4 and ip6: The IPv4 and IPv6 addresses that can send email from the domain.
a: Authorizes the host(s) with an A or AAAA DNS record matching the sender's domain.
mx: Authorizes the host(s) specified in the domain's MX records.
include: Authorizes the senders permitted by another domain's SPF record, for example a subdomain you send from or a third-party email service. For example, if you send emails from IP addresses within samplesubdomain.com, add include:samplesubdomain.com in the SPF record.
all: Every SPF record must end with some form of all, which tells recipients what to do when the sending server matches none of the mechanisms in the record. The options are -all (fail: reject mail that doesn’t match), ~all (softfail: mark it as suspicious), ?all (neutral: the recipient decides), or +all (pass: allow any sender).
Here’s an example of a basic SPF record:
v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:samplesubdomain.com ~all
In this example:
Two IP addresses are authorized: 1.2.3.4 and 2.3.4.5.
All entries from samplesubdomain.com are also authorized to send emails from the domain.
~all means any emails that aren’t from a server verified in the SPF record will be marked as suspicious.
How Does SPF Work?
SPF works by allowing receiving mail servers to verify that incoming emails come from an authorized IP address for the sending domain. When an email is received, the recipient server takes the domain from the Return-Path (envelope sender) address, looks up that domain’s SPF record in DNS, and compares the IP address of the connecting server to the list of authorized IP addresses in the SPF record.
If the IP address is on the list, the email passes SPF authentication, and the mail is delivered (subject to other checks).
If not, the mail is treated as specified by the SPF record's all policy (-all, ~all, ?all), which may result in it being rejected, marked as spam, or accepted under a neutral policy.
This SPF authentication process helps prevent unauthorized senders from using your domain, protecting against email spoofing and phishing attacks.
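As an added example (not code from the original article), here is a small evaluator that performs the check just described offline: it reads the domain's record from a constructed DNS table instead of live DNS, follows include, and maps the qualifier of the first matching mechanism to the SPF result. Only ip4, ip6, include and all are implemented; a and mx would need live DNS, and the domain names and records in the table are constructed sample data.

```python
import ipaddress

# Constructed stand-in for the DNS TXT lookups a receiving server performs.
# The records mirror the article's example; the domains are not real senders.
DNS_TXT = {
    "example.com": "v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:samplesubdomain.com ~all",
    "samplesubdomain.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

# Qualifier prefix -> SPF result when the mechanism it precedes matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip: str, domain: str, dns=DNS_TXT, depth: int = 0) -> str:
    """Evaluate the connecting IP against `domain`'s SPF record.

    Returns pass, fail, softfail, neutral, none or permerror.
    """
    record = dns.get(domain)
    if record is None:
        return "none"          # domain publishes no SPF record
    if depth > 10:
        return "permerror"     # runaway include chain / loop
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"        # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # ip_network handles a bare address as a /32 or /128.
            # "in" is False when the address families differ.
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif mech == "include":
            # include matches only if the referenced record yields "pass";
            # a missing or broken referenced record is a permanent error.
            sub = check_spf(sender_ip, value, dns, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        elif mech == "all":
            matched = True
        else:
            raise NotImplementedError(f"{mech} needs live DNS (simplification)")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # nothing matched and the record has no "all"
```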
Why Is SPF Important?
SPF is important because it enhances email security by preventing unauthorized use of your domain. There are three key reasons why SPF records are crucial to email security:
Prevents Domain Spoofing: It prevents spammers and cybercriminals from spoofing your domain in email phishing and fraud attempts.
Protects Domain Reputation: It protects your domain’s reputation by ensuring that only authorized servers send emails on your behalf, reducing the risk of your domain being associated with spam or malicious emails.
Improves Email Deliverability: It improves your domain’s email deliverability rate by reducing the likelihood of your emails being marked as spam or rejected by recipient servers.
By using an SPF record, you’re making it harder for spammers and cybercriminals to send malicious emails using your domain. These emails are, at best, annoying junk and, at worst, dangerous phishing and ransomware attempts.
How To Create and Validate an SPF Record
Creating and validating an SPF record involves a few key steps to ensure SPF authentication is properly set up for your domain.
Step 1: Collect IP Addresses
Gather all IP addresses that your domain uses to send emails, including:
Your Email Service Provider (ESP), such as Gmail or Outlook (note: for Gmail, see Gmail Sender Policy Framework).
Any subdomains.
Third-party mail servers like Mailchimp or other email marketing platforms.
Cloud services or hosting providers.
Step 2: Define Your SPF Record
Establish the rules for your SPF record:
List the IP addresses using the ip4 and ip6 tags.
Include third-party servers and subdomains using the include tag.
Use the a and mx mechanisms if appropriate for your domain.
Decide on your preferred all tag (-all, ~all, ?all).
Step 3: Publish the SPF Record
Once you've constructed your SPF record, publish it in your DNS as a TXT record under your domain's DNS settings. Remember:
An SPF record must not require more than 10 DNS lookups (each include, a, mx, and redirect counts toward the limit); receivers treat a record that exceeds it as a permanent error.
Each string in a TXT record is limited to 255 characters; if the record is longer, split it into multiple strings within the same TXT record, which receivers join back together.
Step 4: Validate Your SPF Record
Test and validate your SPF record using an SPF record checker or SPF test tool. These tools can:
Verify that your SPF record exists and is correctly formatted.
Ensure you haven't exceeded lookup limits.
Confirm that all IP addresses and domains are correctly listed.
Identify any syntax errors or issues.
There are many free SPF record checking tools available online to perform a sender policy framework check.
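The publish-time checks from Steps 2 to 4 can be scripted. The following is an added example, not code from the article or from any particular SPF checking tool: lint_spf applies static checks (version string, known terms, the 10-lookup limit counted on the top-level record only, a terminal all, and a warning about +all), and split_txt_strings breaks a long record into 255-character TXT strings at term boundaries. The sample records in the test are constructed.

```python
import re

# Mechanisms and the modifier that each cost one DNS lookup (RFC 7208 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}
MAX_LOOKUPS = 10
MAX_TXT_STRING = 255


def lint_spf(record: str) -> list[str]:
    """Return problems found in one SPF record; static checks only.

    Lookups inside included records also count toward the same limit,
    but this function inspects only the record it is given.
    """
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups = 0
    for term in terms[1:]:
        # Optional qualifier, then the term name before ':', '/' or '='.
        m = re.match(r"[+\-~?]?([a-z0-9]+)", term.lower())
        if not m or m.group(1) not in KNOWN_TERMS:
            problems.append(f"unknown term: {term}")
            continue
        if m.group(1) in LOOKUP_TERMS:
            lookups += 1
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS} (permerror)")
    last = terms[-1].lower()
    if not (re.fullmatch(r"[+\-~?]?all", last) or last.startswith("redirect=")):
        problems.append("record should end with an all mechanism (or redirect=)")
    if last in ("+all", "all"):
        problems.append("+all authorizes every sender and defeats SPF")
    return problems


def split_txt_strings(record: str) -> list[str]:
    """Split a record into <=255-character strings for a single TXT record.

    Cuts only at spaces, keeping a trailing space on each chunk so that
    receivers concatenating the strings see the original term boundaries.
    """
    chunks, current = [], ""
    for term in record.split():
        candidate = term if not current else f"{current} {term}"
        if len(candidate) > MAX_TXT_STRING:
            chunks.append(current + " ")
            current = term
        else:
            current = candidate
    chunks.append(current)
    return chunks
```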