Best practices

How to create and add an SPF record?

Natalia Zacholska, 2 December 2021


To publish an SPF record, you will need access to your domain’s DNS control panel. If you are using a hosting provider, this process is fairly straightforward – just check their technical documentation. If you are unsure how to do this, you can contact support team or your domain administrator for assistance.

To learn how SPF works and why it is such an important security feature, read the article “What is SPF and how to configure it for a domain?”

Where to start with creating an SPF record?

Start by gathering a list of all domains you own, as you need to update or prepare a new, separate SPF record for each domain. Make sure you also include inactive (aka parked) domains that do not send emails, to also protect them from abuse and potential phishing.

Identify all services which send messages on behalf of your domain(s), including external tools. This includes:

  • Cloud-based communications platforms that provide external SMTP servers – such as EmailLabs,
  • Mail servers (whether web-based – such as Gmail or Email Client Software like Outlook or Thunderbird),
  • Various additional tools (such as systems for Email Marketing or Marketing Automation, invoicing, ticketing, payment providers, etc.).

IMPORTANT: If the SPF record does not include all services or servers sending mails on behalf of your domain, receiving servers may direct messages into spam. Remember to update your record after any change in IP or sending tool.

How to create an SPF record?

The SPF is expressed as a single string of text, published as a DNS TXT. It consists a list of values (usually IP addresses and domain names) and tags, i.e. various mechanisms and modifiers.

Each domain must have only one SPF record.

Remember, your new SPF record may require up to 48 hours to take effect.

  • You should start building the record with a version of exactly “v=spf1”. Since other SPF versions have been discontinued, it will always match the above one.
  • After the SPF version section, list all IP addresses (or a range of addresses) that are authorized to send emails on behalf of your domain. This should be done with the ip4 (32-bit) and ip6 (128-bit) mechanisms.

For example: v=spf1 ip4: ip6:2001:db8: :cd30

 ! The given value is an example and does not point to specifics of EmailLabs servers.

  • Next you can add an “include” mechanism that authorizes third-party domains – like EmailLabs.

For example: v=spf1 ip4: ip6:2001:db8: :cd30

To authorize EmailLabs to send emails on behalf of your domain, add the following entry to your SPF TXT record:

Receiving server checks wheter an  IP from which the message was sent is indicated in ip4/ip6 or  whether it matches servers pointed by “include” mechanism.

Note: A single SPF record cannot have more than 255 character-string and should not contain more than 10 lookups to other domains or servers. Each parameter should be separated by a space.

  • Other example mechanisms:
    • “mx” incoming mail servers (MX) are permitted to send mails
    • “a” authorizes servers hosting websites to send emails

// Instruction above presents only a basic overview of the mechanisms that an SPF record can be composed with. You may find records that also include ptr, exists or redirect mechanisms//

“All” mechanism (always matches) is placed at the end of the SPF record. It indicates what policy and how strictly it should be applied when the receiving server detects a sender that is not authorized in your SPF record.

The “all” mechanism can contain various qualifiers:

  •     -all – (fail) unauthorized emails are usually rejected or marked as SPAM
  •     ~all – (softfail) unauthorized emails are usually accepted, but marked as suspicious
  •     ?all – (neutral) failed authorization does not affect delivery

For example: v=spf1 ip4: ip6:2001:db8: :cd30 ~all

Mechanisms listed after the “all” will be ignored, so remember to put it at the very end of the record.

In addition to SPF, we also recommend configuring DKIM and DMARC. The above authentication methods provide enhanced domain security and increase the likelihood of proper delivery of Emails to the recipient’s mailbox.

Most popular

Latest blog posts