Skip to content

How to setup SPF

Example Of SPF Record

TXT @ 1: v=spf1 a include: spf.google.com ~all 2: v=spf1 a include:spf.protection.outlook.com include:mailgun.org ~all

The above record will be uploaded to DNS as a TXT document for processing. The description of each element in the above SPF record format is as follows.

  • TXT: Specifies that the SPF record is stored in the DNS in text format.
  • @: Placeholder to represent the current domain.
  • v=spf1: Represents that the text record in the DNS is an SPF record of version 1.
  • a: Denotes authorization of system in ‘domain A’ record to send an email on behalf of the organization.
  • include: Authorization of a third-party, which is Google, in this case, to send emails on behalf of the domain.
  • ~all: This means that all emails will be allowed to pass through; however, suspicious emails will be flagged.

More secure SPF record

To make the SPF record even more secure in the example above you should use -all instead of ~all TXT @ 1: v=spf1 a include: spf.google.com -all 2: v=spf1 a include:spf.protection.outlook.com include:mailgun.org -all This will make the receiving mail-server reject emails that does not match this record but otherwise it will be sent to junk folder and that could be bad for business reputation.

Other parameters

  • all: Usually found at the end of each SPF record, and matches local and remote IPs
  • ipv4: Denotes that the SPF record carries an IPv4 address or a range of IPv4 addresses, and if no prefix is included, then a mask of /32 is assumed
  • ipv6: Denotes that the SPF record consists of an IPv6 address or a range of IPv6 addresses, and if no prefix is included, then a mask of /128 is assumed
  • a: Denotes all IPs in ‘DNS A’ record
  • MX: Specifies all ‘A records’ for individual “MX” records on the host’s side
  • ptr: Defines all ‘A records’ for individual “ptr” records on the host’s side
  • exists: Denotes the systems authorized to send emails on behalf of the organization within the domain
  • include: Represents the list of external domains allowed to send emails from the domain

The “all” mechanism is used to close the parsing instructions correctly and appears at the end of each SPF record. It is also used to operate if a previously parsed instruction does not work. The safest qualifier,

-all : denotes that the email should be rejected if no earlier used mechanisms are hit.

Likewise, ?all and ~all can be used if emails need to be delivered with some additional information. However, the pass qualifier.

+all: provides zero benefits to the SPF record and is not generally recommended.

More advanced example of a SPF record

v=spf1 a mx ip4:178.79.147.137/32 ip4:139.162.228.150/32 ip4:134.122.99.231/32 ip4:176.58.102.184/32 ip6:2a01:7e00::f03c:91ff:fe18:9352/128 ip6:2a01:7e00::f03c:91ff:fe16:150b/128 ip6:2a01:7e00::f03c:91ff:fe18:cd0d/128 include:spf.protection.outlook.com in clude:amazonses.com include:servers.mcsv.net include:spf1.atlassian.com include:spf2.atlassian.com include:spf3.atlassian.com include:spf.mandrillapp.com -all This is a classic information disclosure problem. You want to have as few entries in this record as you can.