SPF Record Overview

Example SPF record: v=spf1 include:_spf.paubox.com include:_spf.google.com -all

Parts of the SPF record

• v=spf1
  • This identifies that this TXT type record is a SPF record. There are different types of TXT records so it is important that this begins the record.
• include:_spf.paubox.com include:_spf.google.com
  • These two entries approve Paubox and Google to send mail from your domain.
  • The email services that you use will typically inform you what address to input into your SPF record to approve themselves as a sender for your emails.
  • For each address listed here, DNS lookups have to be performed to find its corresponding IP address. One address may count as multiple DNS lookups. The maximum amount of DNS lookups for the SPF record is 10. To check whether a SPF record is valid, use this site: kitterman.com/spf/validate.html.
  • If you see Results - PermError SPF Permanent Error: Too many DNS lookups - you have too many addresses listed. It's best to re-evaluate if you are using all the email services listed in your SPF record and remove anything you do not use.
• -all
  • all refers to all other IP addresses. The - before all is a qualifier. There are 3 common qualifiers.
    
    • - Fail. A mailer that matches is not a valid sender
    • ~ Softfail. A mailer that matches probably isn't a valid sender, so the message should be carefully scrutinized.
    • ? Neutral. Has no effect
  • It is strongly recommended to have -all at the end of the SPF record to prevent unapproved mail senders from sending email from your domain name.
  • It is valid to have ~all at the end of the SPF record, however this is less secure and not recommended, as forged emails from your domain could still be delivered. 
  • Sometimes you will see SPF records that end with ?all. This is not good practice because it will not flag down emails that are sent from unapproved IP addresses and this would make it easier for email spoofing to occur from your domain.