A Sender Policy Framework (SPF) record is a DNS record that identifies specific mail servers that are allowed to send email on behalf of your domain.
This article will help you understand why these records are important, and why you should create one for your domain.
Why SPF Matters
Have you ever received one of those nonsense emails that looks like it’s from PayPal, but is actually from a spammer posing as PayPal? This is called a “spoof” email, because it’s quite easy to fake the domain associated with an email (like PayPal in this case). SPF is a widely adopted standard to help battle spoofing. In fact it was defined in RFC 7208 (Internet Engineering Task Force (IETF) for email standardisations back in April 2014. 9 years later and we are still amazed that some business just don’t have this configured.
An SPF record configured at your DNS hosting provider is essentially a list of the servers that are allowed to send email for your domain. It does need to be formatted in a very specific way and can look a little scary if you don’t work with DNS records regularly, but at its heart, that’s all it is
Scenario 1 – You don’t have SPF set up.
Steve’s server: Hey, Dean’s server. I’ve got a new message from Steve.
Dean’s server: Hi Steve’s server. What’s your SPF?
Steve’s server: Yeah, about the SPF… Who cares, really. I don’t have one. Trust me, it’s from Steve.
Dean’s server: If you don’t have SPF, I can’t be sure it was Steve who sent this. Give me Steve’s allowed IPs, so I can compare it with yours.
Steve’s server: I don’t have the list of Steve’s allowed IPs.
Dean’s server: Then I don’t want your message. Delivery denied.
Scenario 2 – You do have SPF set up.
Steve’s server: Hey, Dean’s server. I’ve got a new message from Steve.
Dean’s server: Hi Steve’s server. What’s your SPF?
Steve’s server: There you go, here’s my SPF. There’s a whole list of IPs that Steve himself declared as the ones that can be used on his behalf.
Dean’s server: Ok, let me see… And the message you have for me is sent from ‘Protection.outlook.com’. Ok, it’s on the list. Everything looks fine. I’ll accept the message, I’ll show it to Dean. Thanks!
This may be an oversimplification of the process, but that is all thats going on behind the scenes. The moral of those two short dialogues is: set your SPF. If you don’t, you run the risk of having your email hacked, domain spoofed or you may look like a bad guy, and not all your emails will be delivered, which is perhaps the most important take away from this article. This is because SPF checking is what most enterprise Anti-Spam systems will do to check your email is genuine!
How to edit the SPF at Your DNS Hosting Provider
It is very likely that you already have an SPF record for your domain. If so, all you need to do is find that existing record and correct the mistake or add additional server to it. Do not create an additional SPF record as you are only allowed to have a single SPF record for a domain.
Look through your records there for any that are type TXT that starts with v=spf1. (If you do not find one there, you’ll need to skip down to the next section to create a new one.) Edit that record to add the correct details after the v=sp1 but before the closing end. The end of an SPF record will be either -all, ~all, ?all, or +all — the new include needs to be before that.
For example, if your current record looks like this:
v=spf1 a mx include:_spf.google.com ~all
and you need to add Microsoft 365 in for example, you will just edit that record to add include:protection.outlook.com and it will look like this when you’re finished:
v=spf1 a mx include:_spf.google.com include:protection.outlook.com ~all
How to create a New SPF Record at Your DNS Hosting Provider
If you do not have an SPF record at your DNS hosting provider, you will need to create one to include the required servers.
SPF records are added to your DNS as a TXT type record. For example, if you needed to add Microsoft 365 as your servers then you would set the TXT record to this:
v=spf1 include:protection.outlook.com ~all
This record tells other email servers that emails that come via Microsoft 365 from your domain is valid.