What is a DNS SPF record?

Vitalii Poddubnyi, 27 February 2024, 15:42
For beginners

Email is the most popular form of online communication, with 4 billion+ active users and growing. Consequently, it is the medium most targeted by hackers, spammers, and other malicious actors seeking to steal money or sensitive information.

Malicious actors often try to impersonate trusted brands to trick unsuspecting customers into giving them money or sensitive information which they could sell for profit. Luckily, senders can authenticate their email identities to avoid falling victim to impersonation. SPF is one of the main techniques for email authentication, and this article will explain how SPF records can help you protect your identity.

What Is a DNS SPF Record?

SPF is an abbreviation for Sender Policy Framework. It is a technique developed in the early 1990s to prevent malicious actors from impersonating trusted brands. It involves adding an SPF record to your domain’s DNS settings. The record lists the IP addresses of mail servers which the domain owner has authorized to send messages on behalf of their domain.

Imagine you’re hosting a party, and you provided a list of guests to your door attendant. Whenever someone shows up, the attendant checks if their name is on the list. If their name is not there, they won't be allowed into the party. That’s how SPF works: it acts as a door guard with a list of IP addresses authorized to send messages from your domain.

SPF has become necessary because the standard email protocol – the Simple Mail Transfer Protocol, or SMTP – does not check the “from” addresses of emails. Hence, if a malicious actor forges an email using a trusted company’s “from” address, SMTP would allow the message to go, and the recipient might be tricked into giving up sensitive information or money.

With SPF, things are different. When a receiving server gets an email claiming to come from a particular domain, it queries the domain’s SPF DNS record to see if the sending server’s IP address is listed. If so, it allows the message to go through. If not, the receiving server considers the message inauthentic and flags it as suspicious or rejects it.

What Does an SPF Record Look Like?

An SPF record takes this format:

v=spf1 ip4:185.146.1.48 include:spf.unione.io a:myschoolsupplies.co ~all

  • v=spf1 refers to the current version of SPF in use (SPF version 1).
  • ip4:185.146.1.48 is the IP address of a mail server authorized to send messages for our domain.
  • include:spf.unione.io pulls in the SPF policy of UniOne, the trusted email service provider (ESP) sending emails on our behalf, so UniOne's sending servers are authorized too.
  • a:myschoolsupplies.co authorizes the hosts listed in the A records of our domain.
  • ~all is a soft fail for any sender not matched by the mechanisms above.

The above SPF record instructs receiving servers to flag an email that claims to come from our domain but originates from a sending server that is not 185.146.1.48 and is not covered by the include and a mechanisms. In other words, we are telling receiving email servers that 185.146.1.48 is the IP address of our own sending server, and that any message originating from an unlisted IP address is fake.

To protect our domain myschoolsupplies.co from impersonation, we’ll add the above SPF record as a TXT entry in the domain’s DNS settings.

Note the following about SPF records:

  • A domain can only have one SPF record.
  • An SPF record must end with the “all” mechanism or a “redirect” modifier pointing to another domain’s SPF policy.
  • SPF records cannot have uppercase characters.

How Does a Mail Server Check an SPF Record?

The process for checking an SPF record is pretty straightforward:

  • Server A sends an email. Its IP address is 185.146.1.48, and at the beginning of the SMTP dialog it transmits the envelope-from address john@myschoolsupplies.co.
  • Server B immediately looks up an SPF record for the domain myschoolsupplies.co. It searches the SPF record for Server A’s IP address (185.146.1.48). If this IP address is listed in the SPF record, Server B considers A’s message authentic and lets it pass through. If Server A’s IP address is not in the SPF record, Server B deems the email suspicious and flags or rejects it.

Note that this check occurs at the early stage of the SMTP dialog, even before the actual email body has been transmitted.
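As an added illustration (not code from the article or from UniOne), here is the check described above written as a small Python evaluator. It runs over a constructed in-memory DNS table instead of live lookups; the record assumed for spf.unione.io and the A address for myschoolsupplies.co are made-up sample values.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (sample values, not live records).
DNS = {
    "myschoolsupplies.co": {
        "TXT": ["v=spf1 ip4:185.146.1.48 include:spf.unione.io a:myschoolsupplies.co ~all"],
        "A": ["203.0.113.10"],
    },
    "spf.unione.io": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"], "A": []},
}

# Qualifier prefix -> SPF result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    """Return the domain's single SPF TXT record, None if absent, 'permerror' if several."""
    recs = [t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    if not recs:
        return None
    return recs[0] if len(recs) == 1 else "permerror"

def check_spf(ip, domain, depth=0):
    """SPF result for a connection from `ip` whose envelope-from is in `domain`."""
    if depth > 10:                      # recursion guard for include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                   # no SPF record published
    if record == "permerror":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "a":               # hosts in the A records of the named (or current) domain
            matched = str(addr) in DNS.get(value or domain, {}).get("A", [])
        elif name == "include":         # the included domain's policy must itself return pass
            matched = check_spf(ip, value, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term present
```

A sender at 185.146.1.48 passes directly, a UniOne address passes through the include, and an unlisted address gets the softfail that the trailing ~all requests.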

How to Create an SPF Record

Below, we’ll describe the process of creating and publishing an SPF record to your domain’s DNS records.

Step 1: Find Out the Authorized IP Addresses

The first step is identifying the IP addresses of the mail servers authorized to send emails from your domain. Organizations often send emails from multiple channels, so you may have several IP addresses.

If your company only runs in-house mail servers, you should know the IP addresses. If you use an external email service provider like UniOne, you should contact the support team for instructions or check the documentation page.

Step 2: List Your Sending Domains

Some companies own just one domain, while others have multiple. Regardless of which bracket you fall into, you must list all your company's domains. List all the domains your organization owns, including the ones they send emails from and the non-sending ones.

It’s vital to create SPF records for all your domains, including the non-sending ones. This action is needed because malicious actors try to spoof non-sending domains if they can’t spoof the sending domains because of SPF protection.

Step 3: Create an SPF Record

After listing all the domains, it’s time to create records for each one. Follow these steps:

  • Start with v=spf1 (which designates the current version of SPF) and list the IP address(es) authorized to send emails from your domain. For example, if only one server is allowed to send emails from this domain, and its IP address is 185.146.1.48, the first part of the SPF record becomes v=spf1 ip4:185.146.1.48 (ip4 shows that it is an IPv4 address; note there is no space after the colon).
  • If you also use a third-party email service provider (ESP), you must add an “include” statement referencing the provider’s pool, which you’ll find in the provider’s documentation. We use UniOne, so the SPF record becomes v=spf1 ip4:185.146.1.48 include:spf.unione.io
  • Add “a:” followed by your domain name to also check all A-type records for the domain. The record becomes v=spf1 ip4:185.146.1.48 include:spf.unione.io a:myschoolsupplies.co
  • Close the record with an ~all or -all tag. "~all" signifies a soft SPF fail, and "-all" signifies a hard fail. A soft fail means the email is probably not authentic, but a hard fail means the email is explicitly inauthentic. Both tags result in SPF failure. The full SPF record now looks like v=spf1 ip4:185.146.1.48 include:spf.unione.io a:myschoolsupplies.co ~all

Congrats! You have created an SPF record. The next step is to add it to your domain’s DNS settings.

Step 4: Publish the SPF Record to Your DNS Settings

Log into your domain registrar and select the domain to which you want to add the SPF entry. Look for the menu to manage your DNS configurations (every registrar allows this). Add the SPF record as a TXT entry.

We use Namecheap for our domain, which makes it easy to add a TXT record to our DNS settings. The host for the TXT entry is “@” and the value is the SPF record.

You can repeat the above steps for as many domains as you have.

Step 5: Test Your SPF Records

After adding the SPF record via your registrar, you can run a test to ensure it has reflected on your DNS settings. You can do this with a simple SPF check tool like MxToolbox or EasyDMARC. Type your domain name on the SPF checker, and the checker will list any SPF records it detects on the domain.
