An SPF record (Sender Policy Framework record) is the core of an SPF implementation: it is where the SPF policy is defined. The record is published in DNS (the Domain Name System) and lists the mail servers that are authorized to send email on behalf of your domain name. If a sender is not listed in the record and still sends email on behalf of your domain, the receiving server may treat that email as not legitimate and reject it.
A properly set up SPF record improves email deliverability and helps protect your domain against malicious email sent on its behalf. In practice, though, these goals are achieved more effectively when SPF is combined with DMARC: DMARC (and DMARC Analyzer) build on both SPF and DKIM, and together they give the best result for email security and deliverability.
An SPF record consists of several parts. It always starts with a version tag, followed by one or more mechanisms that define the valid senders.
The version tag, v=spf1, identifies the record as SPF; every SPF record has to start with it. There used to be a second version of SPF (Sender ID), created by Microsoft, but it was discontinued.
An SPF record can contain multiple mechanisms:
Mechanism a: Define the DNS A record of the current (or specified) domain as a valid sending source.
Mechanism mx: Define the DNS MX record of the current (or specified) domain as a valid sending source.
Mechanism ptr: Define the reverse hostname of the sending IP address as a valid sending source. (Not recommended.)
Mechanism ip4: Define this IPv4 address (or address range) as a valid sending source.
Mechanism ip6: Define this IPv6 address (or address range) as a valid sending source.
Mechanism include: Include the SPF record of the specified domain as valid sending sources.
Mechanism exists: Check that an A record exists for the provided domain. Macros can be used here to perform a 'dynamic' lookup of such a record.
The 'all' mechanism defines the policy for 'all other sources'. Place it at the end of your SPF record so that it acts as the 'default' for sources not matched earlier, and use a qualifier to set the policy you want to apply: '+' (pass), '-' (fail), '~' (softfail) or '?' (neutral).
Modifier redirect: When required, you can redirect to the SPF record of another domain. There can be only one redirect modifier in an SPF record, and it cannot be combined with an 'all' mechanism, because the redirect is only followed if none of the mechanisms match (and 'all' always matches).
Maximum number of lookups
When using SPF you need to be aware of a limitation of the technique: the number of DNS lookups an evaluation is allowed to perform is limited to 10.
A DNS lookup is performed when one of these terms is evaluated: the a, mx, ptr, include and exists mechanisms, and the redirect modifier.
Note that 'nested lookups' also count. If an 'included' domain's record does an A and an MX lookup, both count as lookups for your domain as well.
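The rules above (version tag first, 'all' last, redirect not combined with 'all', and the 10-lookup limit with nested lookups counted) can all be checked statically from the record text. The following Python audit is an added example, not code from DMARC Analyzer or from the original page; it replaces live DNS with a constructed table of TXT records for made-up `.test` domains, and the function names `parse_spf`, `check_structure`, `count_lookups` and `audit` are its own. It counts a redirect as a lookup even though at evaluation time the redirect is only followed when nothing else matched, which gives a worst-case figure.

```python
"""Parse an SPF record, check its structure, and count the DNS lookups it
triggers (nested include/redirect lookups included) against the limit of 10."""

LOOKUP_LIMIT = 10
# Terms that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
QUALIFIERS = "+-~?"

# Constructed sample TXT data standing in for live DNS (these are not real domains).
SAMPLE_DNS = {
    "example.test": "v=spf1 mx a:mail.example.test include:_spf.provider.test ip4:192.0.2.0/24 -all",
    "_spf.provider.test": "v=spf1 include:_a.provider.test include:_b.provider.test ~all",
    "_a.provider.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "_b.provider.test": "v=spf1 a mx ptr -all",
    "toomany.test": "v=spf1 include:_spf.provider.test include:_spf.provider.test "
                    "include:_spf.provider.test -all",
}


def parse_spf(record):
    """Split a record into (qualifier, name, argument) terms.

    Mechanisms get an explicit qualifier ('+' when none is written);
    modifiers such as redirect=... are returned with qualifier None.
    """
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    terms = []
    for token in tokens[1:]:
        if "=" in token:                         # modifier: name=value
            name, _, value = token.partition("=")
            terms.append((None, name.lower(), value))
            continue
        qualifier = "+"
        if token[0] in QUALIFIERS:
            qualifier, token = token[0], token[1:]
        name, _, arg = token.partition(":")     # include:_spf.x, ip4:192.0.2.0/24, ...
        if "/" in name:                          # bare CIDR form such as a/24 or mx/24
            name, _, arg = token.partition("/")
        terms.append((qualifier, name.lower(), arg))
    return terms


def check_structure(terms):
    """Return a list of problems with the order and combination of terms."""
    problems = []
    mechanisms = [name for q, name, _ in terms if q is not None]
    modifiers = [name for q, name, _ in terms if q is None]
    if "all" in mechanisms and mechanisms.index("all") != len(mechanisms) - 1:
        problems.append("'all' is not the last mechanism; later mechanisms are never evaluated")
    if modifiers.count("redirect") > 1:
        problems.append("more than one redirect modifier")
    if "redirect" in modifiers and "all" in mechanisms:
        problems.append("redirect is never followed because 'all' always matches first")
    return problems


def count_lookups(domain, dns, _path=()):
    """Count the DNS lookups for domain's record, recursing into include/redirect targets."""
    if domain in _path:
        raise ValueError("include/redirect loop via " + domain)
    record = dns.get(domain)
    if record is None:
        return 0  # the include/redirect term itself was already counted by the caller
    total = 0
    for _, name, arg in parse_spf(record):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):     # nested lookups count for the top domain too
            total += count_lookups(arg, dns, _path + (domain,))
    return total


def audit(domain, dns=SAMPLE_DNS):
    """Summarize structure problems and the lookup count for a domain's record."""
    terms = parse_spf(dns[domain])
    lookups = count_lookups(domain, dns)
    return {
        "domain": domain,
        "terms": terms,
        "problems": check_structure(terms),
        "lookups": lookups,
        "over_limit": lookups > LOOKUP_LIMIT,
    }


if __name__ == "__main__":
    for d in ("example.test", "toomany.test"):
        r = audit(d)
        print(f"{d}: {r['lookups']} lookups, over limit: {r['over_limit']}, problems: {r['problems']}")
```

In the sample data `example.test` costs 8 lookups (mx, a, and the include, whose target in turn spends five on its two includes and the a, mx and ptr of `_b.provider.test`), while `toomany.test` repeats the same include three times and reaches 18, so any mail from it would get a permerror at receivers that enforce the limit. To audit a real domain you would replace `SAMPLE_DNS` with a lookup of the domain's TXT records.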