Protect Your Domain from Email Spoofing with SPF Records
Email was originally built for a simpler time, when the Internet was a much smaller — and much more trusting — place. So, by design, it’s possible for anyone sending an email to claim that the message is from any email address or domain that they want — including yours.
If a spammer starts to use your domain to send out unwanted messages, it could land your domain on a spam blacklist. This will make it difficult for your users to send legitimate messages without them getting caught in spam filters. So it’s important to be able to tell other mail servers that you’re authorized to send messages on behalf of your domain.
And that’s where SPF comes in. SPF, or Sender Policy Framework, is a special DNS record that tells other mail servers from where your domain should be sending mail. Implemented as a TXT record, setting up SPF is a quick and easy way to add an extra layer of protection to your email system.
Planning for SPF
First, you’ll need to figure out where your mail should be allowed to come from. If you have an in-house mail server, then its external IP is the important one. If that’s already listed in the MX record for your domain, great — SPF has shortcuts for MX records. If you use a hosted email service, like G Suite or Office 365, look in their help documentation for how to set up SPF records.
But, there are a few other places that mail could be coming from. If you use a bulk-email service to send out newsletters or other mass emails, check their instructions for how to configure your SPF records. Many of them will have specific IPs or domains that you can easily include in your SPF record. The same goes for any other cloud-based service that is allowed to send email from your domain — it will need to be given permission via the SPF record for this.
Another potential issue to look out for is any user who uses a legacy SMTP server to send email. While most of your users should be using direct connections to your mail servers, anyone with a misconfigured mail client may have some issues sending email after you implement SPF.
Create the SPF Record
To create an SPF record, log in to your domain registrar’s site, and look for the options to modify DNS records. You’ll need to create a TXT DNS record for the root of your domain.
Then, using the information you gathered earlier, create the SPF record. It needs to start with v=spf1. Then, there are a few different directives that can be used to specify allowed senders:
ip4: or ip6 – These are used for specifying server IP addresses. Can be a single IP or a range.
mx – This represents the IP addresses found in your domain’s MX record.
a – This represents the IP address of your domain’s A record.
include – This is used to include IPs from another domain’s SPF record. Commonly used for hosted email providers and bulk-mailing services.
Finally, you need to include an all directive. This tells other servers what to do if none of the permitted senders match. Your options are:
-all – A dash-all stands for FAIL; reject the message if no records match.
~all – A tilde-all means SOFTFAIL; don’t reject the message, but mark it as likely spam.
Then, put all the parts together into an SPF record and add it as a TXT record for your domain. For example:
This SPF record says “Accept messages from servers listed in the MX record for this domain, the server 22.214.171.124, and also whatever servers are listed in Google’s SPF record. If nothing matches, then reject the message.”
Once you’ve added the text record, your SPF record should start working within 48 hours, protecting your domain from being spoofed by spammers.