If you have email, you’re familiar with spam. It seems that no matter how many protocols, filters, and walls we implement, spam always seems to be finding a way through. Not only that, but sometimes spam uses our emails to seemingly send spam. This is called spoofing. Spoofing is when a spammer changes the from address to a different, legitimate email. So while we’re not actually sending the email, it will look like the email has been sent from our email.
To help combat spoofing, you can use an SPF record.
What is an SPF record?
SPF stands for “sender policy framework.” An SPF record contains a list of IP addresses that have permission to send emails for a domain. When an email client, like Gmail or MacMail, receives an email, it can compare the sender’s IP address to the SPF record. If it doesn’t match any of the addresses in the record, the email client will know that the email isn’t legitimate and will mark it as spam.
So, by creating an SPF record for your email address, you can keep spam sent under the guise of your email address from reaching any inbox.
How to use SPF
SPF records are TXT records that are stored in the server’s DNS file. In order for the email client to read the record, it needs to be written in a specific format.
A text record will look something like the following:
v=spf1 ip4:10.20.20.0/24 ip4:10.10.10.21 -all
Parts of the SPF Record
An SPF record is made up of several different parts, each part communicating something specific to the email clients.
The version number tag, v=spf1, begins each SPF record. There are various versions, but this one specifically allows the user to identify their mail server and enables receiving servers to check incoming mail against the valid mail server.
Mechanism
An important part of the SPF record is the mechanism. The mechanism is used to establish how the IP addresses should be treated.
We will cover the basic SPF mechanisms here:
It’s important to keep in mind that there are more mechanisms available, but we’ve chosen the beginner ones to cover in this article. If you are interested in seeing more SPF mechanisms, you should check out the SPF Syntax page.
a Mechanism
The a mechanism establishes what IP addresses are allowed to send mail from a domain. In an SPF record, the a mechanism might be used like this:
v=spf1 a ip4:192.168.0.1 -all
In the example, the a record represents the IP address 1.2.3.4.5. Thus, any emails coming from IP address 1.2.3.4.5 would be deemed as valid.
If no domain is listed in conjunction with an a mechanism, then the current domain is used.
mx Mechanism
The mx mechanism allows any servers with mx to send mail for the server. mx servers are mail servers that accept messages for a domain.
In an SPF record, an mx record would be used like this:
v=spf1 mx a ip4:192.168.0.1 -all
It can be used in conjunction with the a mechanism.
ip4 Mechanism
The ip4 mechanism is used to establish the IP address’ network range. The ip4 mechanism is specifically used to identify addresses in the IPv4 network range.
An ip4 mechanism would be used like this in an SPF record:
v=spf1 mx a ip4:192.168.0.1 -all
ip6 Mechanism
The ip6 mechanism is also used to establish the IP address’ network range. ip6 is specifically used to identify addresses in the IPv6 network range.
An ip6 mechanism would be used like this in an SPF record:
v=spf1 mx a ip6:1080::8:800:0000:0000 -all
all Mechanism
The all mechanism goes at the end of the SPF record. The all mechanism always matches.
It is usually accompanied by a qualifier. The qualifier determines how all the addresses that do not match the a and mx mechanisms will be treated. See the Qualifiers section for more information.
The all mechanism is used in SPF records like this:
v=spf1 a ip4:1.2.3.4.5 -all
Qualifiers
Qualifiers can be added on to mechanisms to change the mechanism’s function.
| Qualifier | Meaning |
| + | Pass |
| – | Fail |
| ~ | Soft Fail |
| ? | Neutral |
If no qualifier is listed, then + is used by default.
While mx and a are usually left to the + default, the all mechanism is often used with a qualifier. In the SPF record example below, the -all means that all addresses that do not match the a or mx addresses will fail:
v=spf1 mx a ip4:192.168.0.1 -all
If this is your first time creating an SPF record, we recommend you use the ~ (soft fail) qualifier with the all mechanism. Since the -all combination is absolute, the SPF record has to be set up correctly or you will lose the ability to forward messages from your email.
The SPF record would cause checking servers to see the forwarded email as an email originating outside your IP address, thus rejecting. A soft fail will allow those messages to go through.
The downside to using the soft fail is that spammers may sometimes get well-disguised spam through the spam detectors.
Once you are sure your SPF record is correctly configured, you can change ~all to -all.
Using SPF in the ACC
If you are a pair Networks customer, you can use SPF records on our Shared, VPS, and Dedicated hosting accounts. To do so, follow these instructions:
- Log in to your Account Control Center
- In the left sidebar, click Domains, then click Manage Your Domain Names in the drop-down
- Click the name of the domain you want the SPF record to affect
- Click the Manage Custom DNS Records button
Note: This feature is not available on pairsite subdomains - Click the Add DNS Record button
- In the Type of Record field, select TXT from the drop-down
- Click Proceed
You can enter your SPF record syntax on this page. If you want the SPF record to work on a subdomain, enter the subdomain into the Hostname field. If you want the entire domain affected, leave this field blank. The actual SPF record syntax will go in the Text Record field.
pair Networks’ customers can add SPF records for their domains using the Account Control Center. First, access the Custom DNS interface in the ACC, as follows:
For more information on SPF record syntax, and the implications of using SPF records, go to the SPF Project website.
