Sender Policy Framework (SPF): A complete guide to creating your record

SPF is the authentication rule that takes an email sender’s IP address and checks it against the list of IP addresses allowed to send mail for a specific domain. In other words, SPF lets the inbox provider (ISP) you receive mail through, such as Microsoft Outlook or Gmail, confirm that an email claiming to come from a domain was actually sent from an IP address that domain has authorized.

In combination with other email authentication protocols like DKIM and DMARC records, SPF optimizes email deliverability by helping to protect your email sending from spoofing attempts (sending from a forged sender address). The adoption of SPF is constantly growing thanks to the support of adopters who want to protect each other from fake or dangerous emails.

But how does this security measure help keep the receiving mail server and your domain safe?

SPF records list all the authorized sources that can send email messages for your domain name. SPF works because domain administrators publish an SPF record specifying which hosts are allowed to send email for that domain.

If SPF records didn’t exist, bad actors who spoof your domain name by sending phishing emails “from you” could land in your subscribers’ inboxes and damage your business and reputation. Essentially, SPF records give receiving servers a spam-filter-like signal that keeps dangerous emails out of your subscribers’ inboxes.

But in the end, an SPF entry does not prevent a fraudster or spoofer from sending emails on your domain’s behalf. However, it makes it very difficult for that fraudulent traffic to ever reach recipients.

Sender Policy Framework checks happen on the receiving email server during the Simple Mail Transfer Protocol (SMTP) exchange: the server takes the domain from each email’s Return-Path (the envelope sender) and looks up that domain’s SPF TXT record in the Domain Name System (DNS). The record lists the IP addresses and hosts approved to send for the domain, and the server compares the IP address the email actually came from against that list. If the IP isn’t covered by the SPF record, the check fails and the email is flagged as non-authenticated.

However, every inbox provider works differently. And while some receiving servers will bounce a non-authenticated email, others may act differently.

With non-authenticated emails, some ISPs will:

  • Move it to the spam folder.

  • Move it to a “quarantine zone” to be reviewed by a postmaster.

  • Prepend the word “SPAM” to the email subject line for the reader to review.

  • Not do anything, even if the SPF check fails.

We know that’s a ton of jargon to digest, and we hope you don’t feel too lost. But if you’ve taken a beat, and think you’ve got the hang of how SPF alters email delivery, let’s get into how to visually confirm that a DNS has an SPF record in place.

First, let’s quickly discuss the internet’s phone book, the Domain Name System (DNS), which organizes and recognizes domains. When someone types a domain name or URL into the address bar of their web browser, DNS resolves that domain name to the IP address where the site is hosted.

An SPF record is the extra layer that adds email security. It lets receiving servers verify the IP address that mail from your domain was sent from, which protects your domain from email spoofing and spammers.

In their finest details, SPF records are lines of text written with specific characters that denote detailed information, enabling them to do their job. These pieces of text fall into two groups, known as mechanisms and qualifiers.

When a mechanism in an SPF record matches an email, the qualifier the network operator placed in front of that mechanism tells the receiving server what result to return and what action to take. Reading the text in an SPF record, you can recognize the qualifier as the one-character prefix to the mechanism; a mechanism with no prefix is treated as +. The following table introduces the four qualifiers and explains how they work:

  Qualifier | Result   | What it means                                                     | Receiving server action
  ----------+----------+-------------------------------------------------------------------+--------------------------------
  +         | Pass     | Mail can be delivered                                             | Accept
  -         | Fail     | Mail is not deliverable                                           | Reject
  ~         | Softfail | The SPF doesn’t strongly deny the host, but it can’t pass either  | Accept but tag as SPF softfail
  ?         | Neutral  | The mail can either be delivered or denied; the recipient server  | Accept
            |          | decides what to do with it                                        |

We hope you’re warmed up, because we’ll jump into an example of the TXT of an SPF record you might find on a DNS:

v=spf1 a ip4:12.34.56.78/28 include:marketingserver.com ~all

Before you try and read that phonetically (vespfip?), let’s break that line of text into digestible pieces:

v=spf1 is the standard way that SPF record lines of TXT begin. An SPF record starts with v=, telling readers and receiving servers which version of SPF is being used. When implementing an SPF record, the network’s authority should always use spf1, the version in use for email exchanges.

a is a mechanism, not an address: it tells the receiving server to look up the A (or AAAA) DNS record of the sender’s domain and treat that address as an authorized sender. When the IP the email came from matches that record, the receiving server flags the email as a match.

ip4: tells receiving servers that the IPv4 address or address range that follows is authorized to send emails.

12.34.56.78/28 is the server allowed to send emails. Note the suffix /28: this is CIDR notation, and rather than a single address it authorizes the whole network segment of 16 addresses that contains 12.34.56.78, so neighbouring mail servers are authorized too.

A company might use a suffix like this one to shorten the length of the text used for their SPF record. If you’re thinking that doesn’t look short at all, consider how overwhelming the TXT record would be if it listed every individual IP address for a mega-corporation. Trust us, a suffix like this is the lesser evil.

include:marketingserver.com. Pun intended: by including this element, your SPF record pulls in the SPF record of another domain, so the servers that domain authorizes may also send emails on your domain’s behalf. A typical example of this would be an email marketing service’s server.

~all. Tilde is the name for that squiggly line in front of the word “all.” And for those of you keeping track at home, the tilde was on that chart above when we explained how SPF qualifiers work.

Since we know that ~ means softfail, mail from any IP address not matched by an earlier mechanism gets a softfail result: it is usually accepted but tagged as suspicious rather than rejected outright.

This SPF record would pass emails sent from the domain’s own A record address, from 12.34.56.78/28 and from the senders marketingserver.com authorizes, and softfail any email coming from anywhere else.

A Mail Exchange, or MX, record tells sending servers which hosts receive email for a domain, so mail can be routed according to the standard Simple Mail Transfer Protocol (SMTP). The mx mechanism in an SPF record authorizes those same hosts to send.

By adding mx to your SPF record, you can change your mail servers in DNS without having to rewrite your SPF record, because the mechanism is resolved against the current MX records at check time.

Here is an example using a piece of the SPF record from above:

v=spf1 a ip4:12.34.56.78/28 mx:example.com ~all

“Exists” double-checks whether a DNS record for the specified domain exists. If it does, the mechanism matches, and with the default + qualifier that match passes the SPF check; a qualifier prefix such as - turns that match into a fail instead. This is yet another element that confirms whether a sender’s email is being sent from an IP address that your domain recognizes.

For example:

v=spf1 MX -exists:reallygoodart ~all
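To make the breakdown above concrete, here is an added example (not code from the article or from any SPF library) of how a receiving server evaluates a record term by term: the qualifier table, the a/ip4/include/~all record, and the mx and exists mechanisms are all exercised. DNS is replaced by a constructed in-memory table (FAKE_DNS) so it runs offline; the strict.example and blocked.example names, the 203.0.113.x and 192.0.2.x addresses, and the helper names are assumptions made for the example. It also goes one step beyond the page by handling the a/24 and mx:domain/24 CIDR forms.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline; a real receiver issues
# live A/MX/TXT queries. example.com carries the article's record; strict.example
# shows that a "-" prefix turns an exists match into a fail.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 a ip4:12.34.56.78/28 include:marketingserver.com ~all"],
    ("example.com", "A"): ["203.0.113.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("marketingserver.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("strict.example", "TXT"): ["v=spf1 mx:example.com -exists:blocked.example ~all"],
    ("blocked.example", "A"): ["192.0.2.99"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Exactly one TXT record beginning with v=spf1 is required; otherwise there is no usable record."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None


def parse_terms(record):
    """Split a record into (qualifier, mechanism, argument, cidr) tuples; a bare mechanism gets '+'."""
    terms = []
    for token in record.split()[1:]:          # drop the v=spf1 version tag
        qual = "+"
        if token[0] in QUALIFIERS:
            qual, token = token[0], token[1:]
        mech, _, arg = token.partition(":")   # first colon only, so ip6:2001:db8::/32 survives
        cidr = ""
        if "/" in mech:                       # a/24 or mx/24
            mech, cidr = mech.split("/", 1)
        elif mech.lower() in ("a", "mx") and "/" in arg:   # a:example.com/24
            arg, cidr = arg.split("/", 1)
        terms.append((qual, mech.lower(), arg, cidr))
    return terms


def ip_matches(ip, addr, cidr=""):
    """True when `ip` falls inside addr (optionally widened by a CIDR prefix length)."""
    net = ipaddress.ip_network(f"{addr}/{cidr}" if cidr else addr, strict=False)
    return ipaddress.ip_address(ip) in net    # different IP versions never match


def check_host(ip, domain, depth=0):
    """Evaluate `ip` against `domain`'s SPF record and return an SPF result string."""
    if depth > 10:                            # guard against include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    for qual, mech, arg, cidr in parse_terms(record):
        target = arg or domain                # a and mx default to the domain being checked
        if "=" in mech:                       # modifiers (redirect=, exp=) are not implemented here
            continue
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_matches(ip, arg)
        elif mech == "a":
            matched = any(ip_matches(ip, a, cidr) for a in lookup(target, "A"))
        elif mech == "mx":
            matched = any(ip_matches(ip, a, cidr)
                          for host in lookup(target, "MX") for a in lookup(host, "A"))
        elif mech == "exists":
            matched = bool(lookup(arg, "A"))
        elif mech == "include":
            # include:<domain> matches only when that domain's own record returns pass
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                # unknown mechanism
        if matched:
            return QUALIFIERS[qual]           # first matching term decides the result
    return "neutral"                          # no term matched and there was no all


if __name__ == "__main__":
    for ip in ("12.34.56.70", "198.51.100.7", "203.0.113.10", "192.0.2.1"):
        print(ip, check_host(ip, "example.com"))
```

Note how the order of terms matters: on strict.example, a message from the MX host passes before -exists is ever reached, while anything else is failed by that term, which is the behaviour a "-" prefix on exists produces.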

You’ve probably gotten the hang of SPF records and how they work. But before we send you to ask your IT department to create this domain protection TXT, we’ll tell you how to do an SPF check to see whether or not you have one in place.

This step is easy because all you need is to log into the DNS management console for your or your company’s domain and look for a TXT record. Or even simpler: use a quick DNS checker tool to look up your domain if you don’t have review/edit access to your domain’s DNS. The record should start the way SPF record lines of TXT begin, which you’ll remember is v=spf1.

If you don’t have an SPF record set up, follow the steps below, and your sending activity will be that much safer. 

Setting up an SPF record can be simple once you have the correct elements, but you’ll need to collect a few things first. We’re talking about the hosting provider or IP address that acts as your mail server and a list of the other authorized servers. You’ll also need the login information for your DNS.

Open your internet browser and log into your DNS server.

Use the elements we listed above and draft a TXT record. 

An SPF record exists to produce a result for every incoming email. So outline which sources you want to authorize and what should happen to everything else, then type out the corresponding syntax. This way, receiving servers will know which mechanisms and qualifiers to evaluate and what to do with emails from authorized or unauthorized IP addresses.

Once you’re ready to hit save, remember that DNS changes take time to propagate, sometimes up to 48 hours, before your new SPF record starts doing its thing.
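Before saving the drafted TXT record, it is worth linting it for the mistakes that most often break SPF in practice. The checker below is an added example (not the article’s or any vendor’s tool); the sample records in SAMPLES are constructed, apart from the first, which is the article’s own record. The limits it enforces come from RFC 7208 rather than from the article: a record may need at most 10 DNS-querying mechanisms (a, mx, include, exists, ptr, plus redirect=) before receivers return permerror, a single TXT character-string holds at most 255 characters, and a record without a trailing all (or redirect=) leaves unlisted senders at neutral.

```python
# Constructed sample records; "article" is the record discussed on this page.
SAMPLES = {
    "article": "v=spf1 a ip4:12.34.56.78/28 include:marketingserver.com ~all",
    "missing_all": "v=spf1 a ip4:12.34.56.78/28 include:marketingserver.com",
    "open_relay": "v=spf1 +all",
    "lookup_heavy": "v=spf1 " + " ".join(f"include:vendor{i}.example" for i in range(11)) + " -all",
}

# Mechanisms that cost a DNS query; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHS = {"a", "mx", "include", "exists", "ptr"}
MAX_LOOKUPS = 10
MAX_TXT_STRING = 255      # longest single character-string a TXT record can carry


def split_terms(record):
    """Return (mechanism names, modifiers) with qualifiers and arguments stripped from mechanisms."""
    mechs, mods = [], []
    for term in record.split()[1:]:           # skip v=spf1
        if "=" in term:                       # redirect=... / exp=... are modifiers
            mods.append(term.lower())
        else:
            mechs.append(term.lstrip("+-~?").split(":")[0].split("/")[0].lower())
    return mechs, mods


def lint_spf(txt_records):
    """Return a list of problems with a domain's TXT record set; an empty list means it looks sound."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no TXT record starts with v=spf1"]
    problems = []
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records published; receivers treat more than one as a permanent error")
    record = spf[0]
    mechs, mods = split_terms(record)
    has_redirect = any(m.startswith("redirect=") for m in mods)
    lookups = sum(m in LOOKUP_MECHS for m in mechs) + int(has_redirect)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups needed; receivers stop after {MAX_LOOKUPS} and return permerror")
    if not has_redirect and (not mechs or mechs[-1] != "all"):
        problems.append("record does not end with an all mechanism, so unlisted senders get neutral instead of (soft)fail")
    if any(t.lstrip("+") == "all" for t in record.split()[1:]):   # bare "all" or "+all"
        problems.append("+all authorizes every host on the internet to send as this domain")
    if "ptr" in mechs:
        problems.append("ptr is deprecated and slow; replace it with a, mx, ip4 or ip6")
    if len(record) > MAX_TXT_STRING:
        problems.append(f"record is {len(record)} characters; split it into TXT strings of at most {MAX_TXT_STRING}")
    return problems


if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, lint_spf([record]) or "OK")
```

Feed it the list of TXT strings your DNS tool returns for the domain; the article’s example comes back clean, while the other constructed samples each trigger one of the checks.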

Hopefully, you feel comfortable with SPF records and understand why you should use them. However, we want to mention that despite being an effective email security technique, SPF records shouldn’t be your only safety net. After all, they have limitations, such as not automatically covering subdomains and having a restricted character count you can use in their TXT.

Once you confirm that you have an SPF record or log in and write the TXT yourself, you should consider setting up DKIM and DMARC records. Now get out there and keep those fraudsters at bay. And if you have questions about this or the rest of your email marketing needs, Mailjet would love to help you out.

Landing in the inbox is a challenge: 21% of legitimate emails are either lost or marked as spam. Improving deliverability is a crucial factor in successful email campaigns. Our Deliverability Experts are here to help you reach the inbox and get the most out of our worldwide relationships with mailbox providers.
