Step 1: Collect all IP addresses that are used to send email

The Sender Policy Framework (SPF) gives the ability to authenticate your email and to specify which IP addresses are allowed to send email on behalf of the specific domain.

In order to successfully implement SPF you first need to identify which mail servers are used to send email for your domain. These mail servers can be any sending organization, you should think of your Email Service Provider, Office mail server and any other third-party mail servers that may be used to send email for you.

Gathered all sending email servers?

Now you’ve got a clear overview of all sending domains, you have to create an SPF record for every domain, even if the domain doesn’t actively send email.

Step 2: Create your SPF record

  1. Start with the SPF version, this part defines the record as SPF. An SPF record should always start with the version number v=spf1 (version 1) this tag defines the record as SPF. There used to be a second version of SPF (called: SenderID), but this was discontinued.
  2. After including the v=spf1 SPF version tag you should follow with all IP addresses that are authorized to send email on your behalf. For example: v=spf1 ip4: ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e
  3. Next, you can include an include tag for every third-party organization that is used to send email on your behalf e.g. This tag indicates that this particular third party is authorized to send email on behalf of your domain. You need to consult with the third party to learn which domain to use as a value for the ‘include’ statement.
  4. Once you have implemented all IP addresses and include tags you should end your record with an ~all or -all tag. The all tag is an important part of the SPF record as it indicates what policy should be applied when ISPs detect a server which is not listed in your SPF record. If an unauthorized server does send email on behalf of your domain, action is taken according to the policy that has been published (e.g. reject the email or mark it as spam).What is the difference between these tags? You need to instruct how strict servers need to treat the emails. The ~all tag indicates a soft fail and the -all indicates a hardfail. The all tag has the following basic markers: -all Fail – servers that aren’t listed in the SPF record are not authorized to send email (not compliant emails will be rejected). ~all Softfail – If the email is received from a server that isn’t listed, the email will be marked as a soft fail (emails will be accepted but marked).
    +all We strongly recommend not to use this option, this tag allows any server to send email from your domain.
  • After defining your SPF record your record might look something like this: "v=spf1 ip4: ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e include: -all"
  • For domains that aren’t sending email, we recommend you to publish the following record v=spf1 -all Please keep in mind that your SPF record cannot be over 255 characters and has a maximum of 10 include tags, also known as “lookups”. Please note that the ‘nested lookups’ will also count. If a record has an A and MX lookup, these will both count as lookups for your domain.

Now you have created your SPF TXT record you can publish it into your DNS.

Step 3: Publish your SPF record into your DNS

Finally, after defining your SPF record it’s time to publish the record into your DNS. Doing so, mail receivers like (Gmail, Hotmail and others) can request it. An SPF record needs to be published into your DNS by your DNS manager. This can be an internal role in your organization, you can have access to a dashboard provided by your DNS provider yourself or you can ask your DNS provider to publish the record.

Access your DNS manager

Your SPF record needs to be published into your DNS;

  1. Log in to your domain account at your domain host provider;
  2. Locate the page for updating your domain’s DNS records (something like DNS management or name server management);
  3. Select the domain of which you want to modify the records;
  4. Open the DNS manager;
  5. Log in to your domain account at your domain host provider;
  6. Create a new TXT record in the TXT (text) section;
  7. Set the Host field to the name of your domain;
  8. Fill the TXT Value field with your SPF record (i.e. “v=spf1 a mx include: ~all””);
  9. Specify the Time To Live (TTL), enter 3600 or leave the default;
  10. Click “Save” or “Add Record” to publish the SPF TXT record into your DNS.

Your new SPF record can take up to 48 hours to go into effect. For help adding TXT records, contact your domain host.

The SPF record is correctly configured when:

  • The SPF record Checker has found an SPF record;
  • Your SPF record doesn’t exceed the maximum number of 10 lookups;
  • The configured IP addresses are real addresses that are used to send email from.

Views: 44

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service