What is a SPF record?

An SPF record (Sender Policy Framework record) is the core of an SPF implementation: it is where the SPF policy is defined. An SPF record is published in DNS (Domain Name System) and contains a list of authorised email servers that may send email on behalf of your domain name. If a sender that is not listed in the record sends email on behalf of your domain, that email can be considered not legitimate and may be rejected by the receiving mail server.

Having a properly set up SPF record improves email deliverability and helps protect your domain against malicious emails sent on its behalf. In practice, though, these goals are achieved more effectively when you use an SPF record together with DMARC. DMARC and DMARC Analyzer use both SPF and DKIM; together they provide synergy and the best result for email security and deliverability.

SPF record in practice

An SPF record consists of several parts. It must always start with the version tag, followed by one or more mechanisms that define valid senders.

v=spf1
This part identifies the record as SPF; an SPF record has to start with it. There used to be a second version of SPF (Sender ID), created by Microsoft, but it has been deprecated.

Mechanisms
An SPF record can contain multiple mechanisms.

a
a:somedomain.com
a/prefix
a:somedomain.com/prefix

Define the DNS A record of the current (or specified) domain as a valid sending source.

mx
mx:somedomain.com
mx/prefix
mx:somedomain.com/prefix

Define the DNS MX record of the current (or specified) domain as a valid sending source.

ptr
ptr:domain

Define the reverse hostname (PTR record) of the sending IP address as a valid sending source. (Not recommended.)

ip4:ip4-address
ip4:ip4-address/prefix

Define this IPv4 address (or address range) as a valid sending source.

ip6:ip6-address
ip6:ip6-address/prefix

Define this IPv6 address (or address range) as a valid sending source.

include:domain.com
Include the SPF record of this domain, so that its valid sending sources also count as valid for yours.

exists:domain
Check for the existence of an A record for the given domain. You can use macros in this context to perform a ‘dynamic’ lookup of such a record.

all
You can define a policy for ‘all other sources’ using the ‘all’ mechanism. Place it at the end of your SPF record as the ‘default’ for sources not matched by an earlier mechanism. Use a qualifier to define the policy you want to apply.

redirect=domain.com
When required you can redirect SPF evaluation to the record of another domain. There can be only one redirect modifier in an SPF record. It cannot be combined with an ‘all’ mechanism, because the redirect is only followed if none of the mechanisms match.

Maximum number of lookups
When using SPF you need to be aware of a limitation of the technique: the number of DNS lookups allowed while evaluating a record is limited to 10.

A DNS lookup is performed when one of these mechanisms is evaluated:

  • a
  • mx
  • ptr
  • include
  • exists

Please note that ‘nested lookups’ also count. If an ‘included’ domain does an A lookup and an MX lookup, both count as lookups for your domain as well.
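To make the mechanism syntax and the lookup limit concrete, here is an added example (not part of this article): a small Python parser that splits a record into its qualifiers, mechanisms and modifiers, then counts the lookups as described above, following include and redirect chains recursively. The records live in a constructed in-memory table of made-up .test domains rather than real DNS, and the count applies the simple rule from this article (one lookup per a, mx, ptr, include, exists and redirect term).

```python
# Constructed sample TXT records standing in for DNS answers (not real domains).
FAKE_DNS = {
    "example.test": "v=spf1 mx a ptr include:mail.example.test include:_spf.provider.test -all",
    "mail.example.test": "v=spf1 ip4:192.0.2.0/24 a:relay.example.test ~all",
    "_spf.provider.test": "v=spf1 include:a.provider.test include:b.provider.test -all",
    "a.provider.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.provider.test": "v=spf1 mx ptr exists:%{i}.chk.provider.test -all",
}
# Terms the article lists as costing a DNS lookup (redirect= costs one as well).
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
MAX_LOOKUPS = 10

def parse_spf(record):
    """Split a record into (qualifier, name, value) tuples; qualifier is one of
    + - ~ ? (default '+'), modifiers get '' as qualifier, value is None if absent."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        if "=" in tok:                         # modifier, e.g. redirect=domain
            name, value = tok.split("=", 1)
            terms.append(("", name.lower(), value))
            continue
        qual = tok[0] if tok[0] in "+-~?" else "+"
        body = tok[1:] if tok[0] in "+-~?" else tok
        name, _, value = body.partition(":")   # a:domain, ip4:addr, include:domain
        name = name.split("/", 1)[0]           # a/24 -> a (prefix without a domain)
        terms.append((qual, name.lower(), value or None))
    return terms

def count_lookups(domain, dns=FAKE_DNS, _seen=None):
    """Count lookups as the article describes: one per a/mx/ptr/include/exists
    (and redirect), with included or redirected records counted recursively."""
    seen = set() if _seen is None else _seen
    if domain in seen or domain not in dns:    # include loop or unknown domain
        return 0
    seen.add(domain)
    total = 0
    for _, name, value in parse_spf(dns[domain]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(value, dns, seen)
    return total

def within_limit(domain, dns=FAKE_DNS):
    """True when the record and everything it includes stay within 10 lookups."""
    return count_lookups(domain, dns) <= MAX_LOOKUPS
```

In the constructed table, example.test looks harmless on its own (five lookups) but the nested includes bring it to 11, so a receiver would stop evaluating it; mail.example.test needs only one.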