Sender Policy Framework (SPF) records are an important tool for improving email deliverability and preventing spoofing. This comprehensive guide will provide everything you need to know to properly configure SPF for your domain.
What Are SPF Records and Why Do They Matter?
SPF records allow you to specify which mail servers are authorized to send email on behalf of your domain. By creating an SPF record, you enable recipient servers to validate that incoming mail claiming to be from your domain is authentic.
SPF helps prevent:
- Email spoofing – fake mail pretending to come from your domain
- Spam sent from unauthorized servers to bypass filters
- Rejection or flagging of your legitimate email by recipients
Properly setting up SPF is crucial to ensure your emails reliably reach the inbox. Configured correctly, SPF records can improve your email deliverability and protect your sending reputation.
A List of Common Email Provider SPF Records
Many popular email services provide SPF records you can include to authorize their servers. Here are some of the most common SPF records:
Google Workspace
v=spf1 include:_spf.google.com ~all
Authorizes Google's servers to send mail for your domain. One of the most widely used SPF records.
Microsoft 365
v=spf1 include:spf.protection.outlook.com -all
Authorizes Microsoft's servers to send mail through 365 accounts.
Zoho Mail
v=spf1 mx include:zoho.com ~all
Authorizes Zoho's mail servers and includes their domain.
Mailgun
v=spf1 include:mailgun.org ~all
Includes Mailgun's domain to authorize their service.
SendGrid
v=spf1 a include:sendgrid.net -all
Authorizes SendGrid's servers specifically.
Amazon SES
v=spf1 include:amazonses.com ~all
Allows Amazon SES to send as your domain.
And many more! Refer to your email provider's documentation for their specific recommended SPF record syntax.
SPF Record Syntax and Mechanics
Now that we've seen some examples, let's break down the syntax and terminology to understand how SPF records work under the hood.
An SPF record is formatted as a TXT DNS entry with a specific syntax:
v=spf1 [mechanisms] [modifiers]
Some key components of SPF syntax:
Mechanisms – Specify authorized servers, such as:
- a – Allow the IP addresses in the domain's A/AAAA records
- ip4 / ip6 – Allow a specific IP address or range
- mx – Allow mail servers listed in MX records
- include – Allow other domains/services
Modifiers – Alter checks and behavior:
- ~all – Soft fail unknown servers
- -all – Hard fail unknown servers
- ?all – Neutral for unknown servers
v=spf1 – Identifies this as an SPF record per the standard
Multiple mechanisms and modifiers can be combined in one record by separating them with spaces.
Now let's look at some examples to see SPF syntax in action.
Allowing Specific IPs
The "ip4" mechanism (and "ip6" for IPv6) allows you to specify IP addresses; the "a" mechanism takes a host name, not an address:
v=spf1 ip4:192.168.1.1 ip4:198.51.100.17 ~all
This authorizes only the two specified IPs to send mail.
Allowing Your Own Domains and Servers
The "mx" mechanism references your MX records:
v=spf1 mx ~all
This permits sending from your own mail servers.
The "include" mechanism allows other domains:
v=spf1 include:otherdomain.com ~all
This authorizes otherdomain.com to send mail.
Blocking Unknown Servers
The "-all" modifier changes the default behavior from neutral to fail:
v=spf1 -all
This blocks any non-authorized servers from sending.
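How a receiving server walks a record left to right, as an added example that is not part of the original guide. The DNS table, domains and addresses are constructed sample values, and only all, ip4/ip6, a, mx and include are handled.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (sample names and addresses).
DNS = {
    "TXT": {"example.com": "v=spf1 ip4:198.51.100.17 mx include:_spf.mailer.example ~all",
            "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/24 -all"},
    "MX": {"example.com": ["mail.example.com"]},
    "A": {"mail.example.com": ["192.0.2.10"]},
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _a_match(ip, host):
    return any(ip == ipaddress.ip_address(a) for a in DNS["A"].get(host, []))

def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for connecting address `ip`."""
    record = DNS["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # recursion guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # first match wins, in record order
        qualifier = term[0] if term[0] in RESULTS else "+"   # default is "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _a_match(ip, arg or domain)
        elif name == "mx":
            matched = any(_a_match(ip, mx) for mx in DNS["MX"].get(arg or domain, []))
        elif name == "include":
            # Only a "pass" from the included record counts as a match; its
            # "-all" does not fail the outer check (missing record = no match here).
            matched = check_host(str(ip), arg, depth + 1) == "pass"
        else:
            continue                    # terms outside this sketch are skipped
        if matched:
            return RESULTS[qualifier]
    return "neutral"                    # nothing matched and no "all" term
```

An address outside every mechanism falls through to the outer record's ~all and gets softfail, even though the included record ends in -all.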
Publishing and Troubleshooting SPF Records
Now that you understand SPF syntax, let's go over the publishing process and how to diagnose issues.
To publish an SPF record:
- Format the record as a TXT entry for your root domain
- Add the entry in your DNS management dashboard
- Allow up to 48 hours for propagation
To validate your SPF records, use an online SPF checking tool to:
- Confirm the record is properly formatted
- Identify syntax errors causing problems
- Verify your authorized servers are aligned
Common SPF issues to check for:
- Typos or malformed syntax
- Incorrect or missing "include" domains
- Too broad "allow" mechanisms
- Conflicting records and directives
Adjust your record based on error messages until the checker confirms your record is valid.
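The common issues listed above can be checked offline before publishing. The linter below is an added example, not a tool from the original guide; lint_spf is a hypothetical name, and it goes slightly beyond the list by also counting terms that trigger DNS queries, which RFC 7208 caps at 10 per evaluation.

```python
import ipaddress

LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # each one costs a DNS query
KNOWN = LOOKUP_TERMS + ("ip4", "ip6", "all")

def _is_ip(text):
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False

def lint_spf(txt_records):
    """Return findings for the TXT records published at one domain name."""
    findings = []
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:                   # conflicting records
        findings.append(f"expected exactly one v=spf1 record, found {len(spf)}")
    for record in spf:
        terms, lookups = record.split()[1:], 0
        for pos, term in enumerate(terms):
            body = term.lstrip("+-~?")
            if "=" in body.split(":")[0]:           # modifier, e.g. redirect=
                lookups += body.startswith("redirect=")
                continue
            name, _, arg = body.partition(":")
            name = name.split("/")[0].lower()
            lookups += name in LOOKUP_TERMS
            if name not in KNOWN:                   # typo or malformed term
                findings.append(f"unknown mechanism '{term}'")
            elif name in ("ip4", "ip6") and not _is_ip(arg):
                findings.append(f"bad address in '{term}'")
            elif name in ("a", "mx") and arg and _is_ip(arg):
                findings.append(f"'{term}' takes a host name; use ip4:/ip6: for addresses")
            elif name in ("include", "exists") and not arg:
                findings.append(f"'{term}' is missing its domain")
            elif name == "all":
                if term[0] not in "-~?":            # bare "all" means "+all"
                    findings.append(f"'{term}' passes every sender")
                if pos != len(terms) - 1:
                    findings.append("terms after 'all' are never evaluated")
        if lookups > 10:    # nested includes add further queries on top of this count
            findings.append(f"{lookups} DNS-querying terms in this record; RFC 7208 caps an evaluation at 10")
    return findings
```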
Advanced SPF Record Optimization
Once you've got the basics down, there are further optimizations possible:
SPF Flattening
Flattening consolidates complex multi-include SPF records into a simplified format for faster processing. Flatteners are available online.
DMARC Alignment
Use DMARC policies and reports to confirm SPF blocking aligns with DMARC enforcement. Tune SPF and DMARC in tandem.
Backups and Fallbacks
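Consider adding fallback mechanisms like "ptr" to allow valid dynamic IPs. Also implement backup SPF records. Two caveats apply: RFC 7208 advises against publishing "ptr" because it is slow and unreliable, and a domain may publish only one SPF record, so a backup must not be a second v=spf1 TXT entry.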
Limitations and Drawbacks of SPF
While SPF is a powerful tool, it has some limitations:
- Not universally adopted by all recipients
- Only covers email envelope sender, not display name spoofing
- Lookup process can slow mail delivery
- No way to whitelist authorized 3rd party senders
- Records can get long and complex when combining multiple services
Workarounds and alternatives like DKIM help compensate for some of these drawbacks.
Conclusion and Additional Resources
Properly configuring SPF records is a foundational step to improve email authentication and deliverability. This guide provided everything you need to know to implement SPF records for your domain across major email providers. Check out these additional resources for more technical details:
SPF RFC Specification
SPF Record Validator
DMARC SPF Alignment Guide
With your SPF records precisely tuned, you can protect your domain's reputation, stop spoofing, and keep your emails landing in the inbox.