Let’s face the truth: most likely, you've been a victim of email spoofing at least once (3.4 billion phishing spam emails are sent every day).
Data, money (the average cost of a data breach is more than $4 million!), reputation, and, most important, customer trust can be lost in a matter of seconds if you let phishing and domain spoofing slip off your priority list.
In 2021, various companies and corporations lost around $6 trillion to well-planned cyber-attacks and ineffective or missing SPF settings. With 33 billion accounts expected to be breached in 2023, it's time to take action. In a world where email security is becoming increasingly important, an SPF record is a must-have tool in your digital arsenal.
Our expert team at Folderly has you covered with a step-by-step guide on how to create an SPF record and set it up effectively. Learn how to protect your organization from phishing and spoofing attacks.
FYI: a basic understanding of DNS configuration and DNS TXT records is required.
Components of SPF Record
Let's make sure you've got the basics down before diving into setting up an SPF record.
Just to refresh the knowledge: an SPF TXT record is a list of trusted email servers that are allowed to send emails on your domain's behalf. Think of it as your digital bouncer, guarding your domain's reputation and keeping pesky spammers at bay.
At the heart of an SPF record is its syntax. Each component of the syntax is essential for a flawless SPF record setup.
Advanced SPF syntax, something that you should always aim at, covers three primary elements:
Some of the elements are mandatory, while others are considered complementary.
Modifiers are optional and allowed only once per record. Modifiers unknown to the system are ignored.
If you use the 'redirect' modifier in your SPF record, you should not include the 'all' mechanism as well. If both are present, the 'redirect' modifier will be disregarded. Any additional 'redirect' modifiers included in the record will also be ignored.
When a message is rejected by an SMTP receiver, it can include an explanation for the sender. An SPF publisher can specify the explanation string that will be shown. This way, ISPs can guide users who don't comply with the requirements to a web page with further instructions on how to properly set up SASL.
The domain name is expanded and a TXT lookup is performed. The result of the lookup is macro-expanded and displayed to the sender, allowing for custom explanations.
Note that the 'exp' modifier in an SPF record must only include printable ASCII characters.
There are the following qualifiers:
'+': the directive defines authorized transmitters; this is the standard, i.e. if no qualifier is specified, + is assumed
'-': the directive defines unauthorized transmitters
'~': the directive defines unauthorized transmitters, but the receiver should treat this failure generously; this qualifier is intended for testing purposes
'?': the directive defines transmitters about whose legitimacy nothing should be said; the transmitter must be accepted
Mechanisms & other elements
You can always consult the table to check if your SPF record is correct while adding an SPF record manually. Moreover, you should keep the following pieces of information in mind before you choose to test your SPF record:
- If you are wondering whether you can have multiple SPF records, remember this: one SPF record is ALWAYS enough for a single domain.
- No uppercase characters are allowed within an SPF entry.
- SPF record limit is 255 symbols.
- Any SPF mechanisms resolving to the same domain should be eliminated.
- Remove any “ip4” or “ip6” entries that are not in use, and check whether the remaining address ranges can be merged.
- It is possible to create a subdomain to store your SPF information. This is handy when your corporation has multiple IPs to be paired with the same record.
How To Build Your SPF Record Manually
Before you learn how to create an SPF manually, you may want to ensure a couple of things.
The first thing to do would be to investigate your Return Path status. Usually, an SPF record is closely intertwined with the domain used in Return Path, not the FROM domain.
Some Email Service Providers (ESPs), like Google, use the user domain name in Return Path, so you must create a personalized SPF for your domain. Others may use their private domain in the Return Path, so you don’t have to set up an SPF record on your own. The ESP will do it for you.
After you have checked the mentioned information, it is time to move on with the manual SPF record creation process. However, it is vital to keep in mind that the SPF TXT record implementation process may vary depending on the specific needs of the DNS hosting provider.
Step 1: Compile the list of IP addresses used to send email
A small online business may use a single IP address to send emails from, whereas larger companies usually set up multiple IPs. If you belong to the latter category, you must gather all the IP addresses in use along with the corresponding servers and list them in a single text document you can access at any time.
It is a good idea to list all the potential avenues used to send emails on behalf of your brand. Sometimes it can be a web server, an in-office email server (think Microsoft Exchange), a current ESP’s mail server, a client mailbox provider’s mail server, or any other third-party email server.
💡 To simplify the process, you may want to contact your System Admin or your ESP and ask them to list all the IP addresses related to your account.
Step 2: Compile the list of your sending domains
One more step to take before you create your TXT SPF record is to list all the sending domains you have access to. Just like in the case of multiple IPs, a large organization may have a few domains. Such an approach is helpful when you decide to use a separate domain for a defined purpose instead of using the same domain for all marketing campaigns.
Remember we mentioned that a single domain could have only one SPF record?
❗ So, if you list more than one domain, you will have to create a separate SPF record for each manually.
The rule applies to all related domains, even if they are not used for email marketing purposes.
FYI: We know, it may seem tiresome and useless. But such an approach will ensure that no domain is spoofed and used by cybercriminals to spam your clients.
Step 3: Create Your SPF Record
Fun fact: your SPF record will compare the sender mail server’s IP to a list of authorized sender IPs published in the DNS record. Such an act allows it to validate the sender’s identity so that your emails are safe and secure.
- SPF configuration starts with a v=spf1 tag.
At present, the version of SPF should always be spf1, as it is most widely understood by mail exchanges.
- Once you’ve created the tag that specifies which version of SPF is used, it should be followed by an approved IP (ip4/ip6) and all mechanism. Like this:
- In case you are using a third-party mail sender, you must introduce an include part into the record. The tag will legitimize the third party’s involvement. It will look the following way:
- After you are through with adding all the desired IPs to the record, you should end it with an -all or ~all tag.
~all - incoming email that failed to pass SPF check should be marked as such but allowed to proceed
-all - incoming email that failed to pass SPF check should be ignored and blocked from going further
+all - incoming email that failed to pass SPF check is allowed to proceed
- In case you are working on an SPF record for a domain that does not send emails, it should look this way:
- The last thing to check when creating your SPF record is whether it remains within the 255-symbol limit.
Example of a correct SPF record
Summing up all the mentioned SPF setup steps, your final result should look like this:
v=spf1 a include:_spf.google.com ip4:192.168.0.1/16 ~all
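Steps 1 to 3 can be scripted so that every sending domain gets exactly one record built from the same inventory. The following is an added example, not Folderly's code: the function names, the inventory layout, the placeholder domains and the documentation-range addresses are all assumptions made for illustration.

```python
import ipaddress

def build_spf(ips=(), includes=(), policy="~all"):
    """Assemble one SPF TXT value: version tag, IPs, includes, then the all term."""
    if policy not in ("~all", "-all"):
        raise ValueError("end the record with ~all or -all")
    # strict=False normalises entries written with host bits set (192.168.0.1/16)
    nets = [ipaddress.ip_network(ip, strict=False) for ip in ips]
    terms = ["v=spf1"]
    for version, tag in ((4, "ip4"), (6, "ip6")):
        family = [n for n in nets if n.version == version]
        # collapse_addresses merges adjacent and overlapping ranges
        for net in ipaddress.collapse_addresses(family):
            single = net.num_addresses == 1
            terms.append(f"{tag}:{net.network_address if single else net}")
    # dict.fromkeys drops duplicate include domains while keeping their order
    for domain in dict.fromkeys(d.strip().lower().rstrip(".") for d in includes):
        terms.append(f"include:{domain}")
    terms.append(policy)
    record = " ".join(terms)
    if len(record) > 255:
        raise ValueError(f"record is {len(record)} characters; limit is 255")
    return record

def records_for(inventory):
    """One record per domain; a domain with no senders gets 'v=spf1 -all'."""
    out = {}
    for domain, senders in inventory.items():
        ips, includes = senders.get("ips", ()), senders.get("includes", ())
        policy = "~all" if (ips or includes) else "-all"
        out[domain] = build_spf(ips, includes, policy)
    return out

# Constructed inventory (documentation-range addresses, placeholder domains).
INVENTORY = {
    "example.com": {"ips": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.10"],
                    "includes": ["_spf.google.com"]},
    "parked.example": {},
}

if __name__ == "__main__":
    for domain, record in records_for(INVENTORY).items():
        print(f'{domain}. TXT "{record}"')
```

The two adjacent /25 ranges in the sample collapse into a single ip4 term, and the domain that sends no mail receives a record that authorizes no sender at all.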
How To Set Up Your SPF Record Manually
After you have created an SPF record, it is essential that you set it up correctly. There are two steps to ensure that.
Step 1: Publish your SPF record into your DNS
With a detailed example of the SPF record at hand, it is time to publish it. There are two primary routes to take in this case:
- Reach out to your internal DNS admin and ask them to publish the record. Usually, a DNS provider offers a dedicated dashboard to access and publish the record.
- The other option is to personally reach out to the DNS provider and ask them to publish your SPF records.
In case you decide to update your DNS records, you should take the following steps:
- Log into your domain account.
- Pick the domain you would like to update from the list.
- Go to the DNS record page (usually, it is a DNS manager).
- Create a new TXT SPF record and list your domain name in the Host field.
FYI: Before creating a new TXT SPF record, check whether your domain already has one. If yes — you need to update the one that already exists. If not — then create a new one. In most cases, a TXT SPF is created automatically, so it’s important to double-check before creating a new one.
- Place the sample SPF record into the TXT value field and configure the Time To Live data.
- Save or Add the record to publish it in your DNS.
Step 2: Test and check the Domain TXT records
It isn’t enough to simply set up an SPF record and publish it. You must be fully aware that it is working. Thus, the testing phase is as essential as all the previous ones. There are countless SPF record checkers available online. You can use more than one to get more reliable results.
The primary goal of such a test is to confirm that your SPF record example is valid. Moreover, you will have a complete list of all the authorized servers that can send emails on your behalf right in front of your eyes. You can instantly update the record if you notice that any of the legitimate IPs are missing.
Checkpoints to ensure the SPF record is correctly configured
To back up an online record checker's results, you can check a few essential parameters to be 100% sure that you have configured the SPF record correctly.
- If the chosen checker locates your SPF record, it is configured correctly.
- It is properly set up if your SPF record does not go over 10 lookups.
- All the listed IPs are active and used for sending emails.
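The syntax rules and checkpoints covered so far (one record per domain, the 255-symbol limit, the 10-lookup maximum, modifiers allowed once, 'redirect' ignored when 'all' is present) can also be checked offline before publishing. This is an added example, not Folderly's checker: the function name and the sample TXT strings are constructed, and it counts only the lookup terms written in the record itself.

```python
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup
TERM = re.compile(r"([+\-~?]?)([a-z][a-z0-9_.-]*)([:=/].*)?")

def lint_spf(txt_records):
    """Return findings for the TXT strings published at one domain."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    record, findings = spf[0], []
    if len(record) > 255:
        findings.append("record exceeds 255 characters")
    lookups, modifiers, has_all = 0, set(), False
    for term in record.split()[1:]:
        m = TERM.fullmatch(term.lower())
        if not m:  # e.g. a lone "~" left behind by writing "~ all"
            findings.append(f"malformed term {term!r}")
            continue
        qualifier, name, rest = m.group(1) or "+", m.group(2), m.group(3) or ""
        if rest.startswith("="):  # modifier; unknown ones are ignored
            if name in ("redirect", "exp") and name in modifiers:
                findings.append(f"modifier {name!r} appears more than once")
            modifiers.add(name)
            lookups += name == "redirect"
        elif name not in MECHANISMS:
            findings.append(f"unknown mechanism {name!r}")
        else:
            lookups += name in DNS_MECHANISMS
            if name == "all":
                has_all = True
                if qualifier == "+":  # explicit or implied "+"
                    findings.append("all with '+' qualifier authorises every sender")
    # Counts this record's own terms only; lookups inside included records
    # also count toward the limit when a receiver evaluates SPF.
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if has_all and "redirect" in modifiers:
        findings.append("redirect is ignored because all is present")
    return findings

# Constructed sample: TXT strings as they might be returned for one domain.
SAMPLE = ["google-site-verification=constructed",
          "v=spf1 include:_spf.google.com ip4:192.0.2.0/24 ~all"]

if __name__ == "__main__":
    print(lint_spf(SAMPLE) or "no findings")
```

A record that passes this check can still exceed 10 lookups once its includes are resolved, so an online checker that follows them remains necessary.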
The process of updating your DNS records may vary based on the DNS/web hosting provider you have.
We've also compiled a list of links to the documentation of popular providers in the table below.
Please note, this list is not exhaustive and being included in this table is not an endorsement or recommendation of any particular company. If your provider is not listed, don't worry, you can still publish an SPF record.
Amazon Route 53
Free AI Solution to Automate Your SPF Record Creation
If you don’t want to spend time manually setting up your SPF domain record, there is another effective solution to consider. Folderly presents an SPF record generator anyone can access at any time and from any part of the world.
What makes it better than most?
✅ It is free.
✅ It is simple to use.
✅ You can check email health as a bonus.
✅ It is based on an innovative algorithm, faster than most.
✅ It can be integrated with the most popular ESPs.
✅ It works like an SPF charm!
Folderly Tips and Tricks To Have on Hand
- Ensure you update your SPF record every time you add or remove a tool that sends emails from your domain.
- You can have only one SPF record per domain. If a new app or service you add to your outreach asks for an SPF record, you don’t need to generate a new one. Just edit the one you currently have and add the new service to it. Having two or more SPF records will lead to failing checks and hurting your Sender Score.
- Keep your SPF Record clean by removing any tools or applications you are no longer using from your SPF record.
- Delete any TXT records that aren’t in use, such as Google TXT verification records. We suggest using CNAMEs for validation instead.
- If you’re stuck between using -all and ~all at the end of your SPF record, we suggest picking ~all.
- When you forward an email, SPF will break. This occurs because the ‘forwarder’ becomes the new ‘sender’ of the message and may fail SPF.
- You should not run into the 10 lookups (values) maximum.
With the ever-increasing cyber threats, taking proactive steps is the only way to stay ahead. And implementing SPF authentication is a crucial step towards securing your business.
Remember, every small step you take towards securing your business can make a huge difference. It's never too late to start, and the benefits are worth it. As the saying goes, 'Prevention is better than cure.'
So, take charge of your business's security and take action today. As you can see, creating, setting up, and testing SPF records is easier than ever with the right set of tools and proper guidance at hand. However, it's only one piece of the puzzle of safer email outreach. Folderly's email deliverability tool can help you determine weak points and turn those into benefits.
Let's work together towards a safer online world for everyone!