
What is SPF record and how to configure it for a domain?

Natalia Zacholska, 2 December 2021


SPF (Sender Policy Framework) is a security feature used to authenticate the sender of an email. It lets receiving providers verify whether a mail server is authorized to send email on behalf of your domain. If it is not, the message may be rejected, marked as SPAM, or flagged as suspicious.

Let’s start with the basics: the SPF record

Every email message carries two sender addresses: the one shown in the “From” header (From:) and the “Return-Path” (also called MAIL FROM, envelope sender, or reverse path).

SPF applies to the domain used in the Return-Path, not the “From” address. You should therefore first find out which Return-Path is currently used in the emails you send.

Return-Path, as its name implies, is a return address: it tells receiving servers where to bounce the message if delivery fails. It lives in the email’s hidden header, which also contains other technical details.

How does SPF record work?

To use SPF, you must publish a record you have created into the DNS of the sending domain. It contains a list of all IP addresses that are authorized to send Emails on its behalf.

When a message arrives, the receiving mail server reads the domain in the Return-Path, fetches that domain’s SPF record from DNS (a TXT record), and checks whether the connecting server is one of the senders the record authorizes.

If it is, the message passes SPF and is accepted for delivery. If not, the server still processes the Email, but it fails authentication. In that case, depending on the “all” mechanism and its qualifier, the message may be delivered to the SPAM folder, marked as suspicious, or rejected.
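The check described above, as an added example that is not part of the original post: a small SPF evaluator in Python that looks up the Return-Path domain’s record in a constructed TXT table (the domains and addresses are made up for the example; a real evaluator queries DNS), walks the mechanisms in order, and returns pass, fail, softfail or neutral according to the matching qualifier or the final “all” term. It supports ip4, ip6, include and redirect and enforces the 10-lookup limit; a, mx, ptr and exists are left out because they need live DNS.

```python
import ipaddress

# Constructed DNS TXT data standing in for live lookups. These domains and
# addresses are made up for this example and are not real records.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "legacy.example": "v=spf1 redirect=example.com",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "nospf.example": "some unrelated TXT record",
}

# Result produced when a mechanism with the given qualifier matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on include/redirect/a/mx/ptr/exists terms


def lookup_spf(domain):
    """Return the domain's SPF TXT record, or None if it has none."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_host(ip, domain, lookups=None):
    """Evaluate the SPF record of `domain` (the Return-Path domain) for a
    message delivered from the connecting address `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if lookups is None:
        lookups = [0]  # shared counter across include/redirect recursion
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None

    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        lowered = term.lower()
        if lowered.startswith("redirect="):
            redirect = term[len("redirect="):]  # only used if nothing matches
            continue
        if lowered.startswith("exp="):
            continue  # explanation modifier, no effect on the result
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all: decides the final verdict
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_host(ip, arg, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # including a missing record is an error
            # fail/softfail/neutral inside an include just means "no match here"
        else:
            # a, mx, ptr and exists need live DNS and are out of scope here
            raise NotImplementedError(f"mechanism {name!r} not supported")

    if redirect is not None:
        lookups[0] += 1
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        return check_host(ip, redirect, lookups)
    return "neutral"  # nothing matched and no "all" term: RFC 7208 default


if __name__ == "__main__":
    # Constructed scenarios against the records above.
    for ip, domain in [
        ("192.0.2.77", "example.com"),         # own range        -> pass
        ("198.51.100.10", "example.com"),      # via include      -> pass
        ("2001:db8:1::5", "example.com"),      # IPv6 via include -> pass
        ("203.0.113.50", "example.com"),       # e.g. a forwarder -> fail
        ("203.0.113.50", "softfail.example"),  # ~all             -> softfail
        ("203.0.113.50", "nospf.example"),     # no record        -> none
    ]:
        print(f"{ip:>16} claiming {domain:<18} -> {check_host(ip, domain)}")
```

The forwarder case is the one the post warns about: a genuine message relayed by a host that is not in the list ends in fail or softfail, and whether that becomes a rejection or a SPAM-folder delivery depends on which “all” qualifier the domain owner published.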

What is SPF format?

SPF is a TXT-type record that specifies which senders (IP addresses) are authorized to send Emails using your domain. It is published in the domain’s DNS. Detailed information on how an SPF record is formatted and how to create one can be found here.

Do you already have SPF set up? To configure it correctly and authorize EmailLabs to send Emails on behalf of your domain, add the following information into your TXT record:

Remember, an updated SPF record may require up to 48 hours to take effect.

Why is SPF record so important?

SPF has become extremely important as digital services have grown and, with them, the number of online abuse and impersonation attempts. It is therefore an important element both for increasing Email deliverability and for security.

As many companies use a variety of tools and services to send Emails, receiving servers need some way of verifying that these are indeed authorized senders. SPF alone is not a complete security measure; only DMARC actually combats domain impersonation and spoofing, but SPF, together with DKIM, is a necessary step towards configuring it.

Why is using an SPF record alone not secure enough?

The SMTP protocol, the standard for sending Emails, has no security features for the “From” address. Typically only the structure of the sender address is validated, which makes impersonating another person or company very easy. This is what led to the development of SPF as one of the first Email security features. However, SPF validates the Return-Path domain, not the From domain, so an Email can pass SPF validation regardless of whether the From address has been forged.

It is also worth remembering that a received Email may be authentic and still be marked as suspicious because the list of allowed senders in the SPF record is out of date. A genuine Email can also be forwarded: it originally came from a system authorized in SPF, but was relayed by another one that is not in the list of allowed senders.

It is therefore important to secure the Email further. This is done with DKIM, which protects the sending address by signing the message with a digital key, and DMARC, which checks whether the domain identified by one of those protocols (the Return-Path used by SPF and/or the “d=” domain used by DKIM) matches the one in the “From” address; if it does, the Email passes validation.
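The alignment check just described, as an added example that is not part of the original post: a Python function that takes the already-computed SPF and DKIM results for a message and decides the DMARC verdict by comparing the Return-Path domain and the DKIM “d=” domain against the From domain. The organizational-domain helper is a simplification (last two labels); real DMARC evaluators use the Public Suffix List. The three message scenarios are constructed for this example and cover the two cases the post raises: a forged From address that still passes SPF, and a genuine message that fails SPF after forwarding but is rescued by its DKIM signature.

```python
import email.utils


def domain_of(header_value):
    """Extract the lower-cased domain from a From: or Return-Path: header value."""
    _, address = email.utils.parseaddr(header_value)
    return address.rpartition("@")[2].lower()


def organizational_domain(domain):
    # Simplification for the example: real DMARC evaluators consult the
    # Public Suffix List; here the organizational domain is the last two labels.
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """DMARC identifier alignment.

    Strict ('s') requires an exact domain match; relaxed ('r') only requires
    the same organizational domain.
    """
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_result(msg, aspf="r", adkim="r"):
    """Return (verdict, reason) for a message described by a dict with keys
    from_header, return_path, spf_result, dkim_result and dkim_d.

    DMARC passes when at least one of SPF or DKIM both passed and is aligned
    with the From domain; aspf/adkim are the domain's alignment modes.
    """
    from_domain = domain_of(msg["from_header"])
    spf_aligned = aligned(domain_of(msg["return_path"]), from_domain, aspf)
    dkim_aligned = aligned(msg["dkim_d"].lower(), from_domain, adkim)
    spf_ok = msg["spf_result"] == "pass" and spf_aligned
    dkim_ok = msg["dkim_result"] == "pass" and dkim_aligned
    if spf_ok or dkim_ok:
        via = "spf" if spf_ok else "dkim"
        return "pass", f"aligned {via} authentication"
    return "fail", (f"spf={msg['spf_result']} aligned={spf_aligned}, "
                    f"dkim={msg['dkim_result']} aligned={dkim_aligned}")


# Constructed scenarios (not real messages).
LEGITIMATE = {
    "from_header": "Billing <billing@example.com>",
    "return_path": "<bounce@mail.example.com>",
    "spf_result": "pass", "dkim_result": "pass", "dkim_d": "example.com",
}
FORGED_FROM = {  # SPF passes for the Return-Path domain, but it is not the From domain
    "from_header": "CEO <ceo@example.com>",
    "return_path": "<bounce@unrelated.example>",
    "spf_result": "pass", "dkim_result": "none", "dkim_d": "",
}
FORWARDED = {  # relayed by a host not in example.com's SPF record; DKIM survives
    "from_header": "Billing <billing@example.com>",
    "return_path": "<billing@example.com>",
    "spf_result": "fail", "dkim_result": "pass", "dkim_d": "example.com",
}

if __name__ == "__main__":
    for name, msg in [("legitimate", LEGITIMATE), ("forged From", FORGED_FROM),
                      ("forwarded", FORWARDED)]:
        print(f"{name:<12} -> {dmarc_result(msg)}")
```

Note the difference between the two alignment modes on the legitimate message: with `aspf="s"` its Return-Path subdomain no longer aligns, and DMARC passes only because the DKIM signature is on the From domain itself. That is why a domain that chooses strict alignment must make sure at least one of the two mechanisms uses exactly the From domain.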

SPF record: summary

You will be able to send messages even if you do not publish an SPF record in your DNS, but setting one up correctly is an extra trust signal to providers and increases the chance that your Emails reach the recipient’s inbox. Proper authentication is more than just verifying that an Email really comes from whom it claims; it is a sign that you are actively involved in building a healthy Email ecosystem and keeping your recipients safe.

Spammers are less likely to spoof Emails that are sent from a domain with security implemented, as they are more likely to be caught by spam filters. Such an SPF-protected domain is far less attractive to them.

To prevent outbound Email spoofing scams, add not only SPF but also DKIM and DMARC to your domain’s DNS. This alone will not solve deliverability issues, but it is an extra layer that, combined with the standards above, can improve your deliverability metrics and prevent fraud in the first place. If you own a large business, also consider securing your corporate identity and trademark with BIMI.
