SPF stands for Sender Policy Framework. SPF is used to authenticate outgoing emails. This record can be added to your domain to specify which mail servers are allowed to send your emails. Although on some domain hosts, it's possible to add both SPF and TXT type records, the correct type to use is TXT. The SPF type is deprecated and no longer recognized. If you need to add an SPF record to a domain, make sure the type selected is TXT and paste in the value for the SPF record.
Example SPF record: v=spf1 include:_spf.paubox.com include:_spf.google.com ~all
Parts of the SPF record
- v=spf1
  - This identifies the TXT record as an SPF record. There are different types of TXT records, so it is important that the record begins with this.
- include:_spf.paubox.com include:_spf.google.com
  - These two entries approve Paubox and Google to send mail from your domain.
  - The email services that you use will typically tell you which address to put in your SPF record to approve them as a sender of your emails.
  - For each address listed here, DNS lookups have to be performed to find its corresponding IP address. One address may count as multiple DNS lookups. The maximum number of DNS lookups for the SPF record is 10. To check whether an SPF record is valid, use this site: kitterman.com/spf/validate.html.
  - If you see "Results - PermError SPF Permanent Error: Too many DNS lookups", you have too many addresses listed. It's best to re-evaluate whether you are using all the email services listed in your SPF record and remove anything you do not use.
- ~all
  - all refers to all other IP addresses. The ~ before all is a qualifier. There are 4 possible qualifiers:
    - + Pass. A mailer that matches is a valid sender.
    - - Fail. A mailer that matches is not a valid sender.
    - ~ Softfail. A mailer that matches probably isn't a valid sender, so the message should be carefully scrutinized.
    - ? Neutral. Has no effect.
  - The default qualifier is +. For example, include:_spf.paubox.com would default to +include:_spf.paubox.com. Therefore, the plus sign in front of a valid mail sender is usually omitted.
  - It is best to always have either ~all or -all at the end of the SPF record to prevent unapproved mail senders from sending emails from your domain name.
  - Sometimes you will see SPF records that end with ?all. This is not good practice because it does not flag emails that are sent from unapproved IP addresses, which makes it easier for email spoofing to occur from your domain.
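The lookup limit and the closing qualifier described above can be checked mechanically. The following Python linter is an added example, not code from this article's author or from the validator site; it reads records from a constructed in-memory ZONE dictionary instead of live DNS, and the provider records and the _nb1/_nb2 names in it are invented for illustration.

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that each cost one DNS query during SPF evaluation (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT answers standing in for live DNS; NOT the providers' real records.
ZONE = {
    "example.com": "v=spf1 include:_spf.paubox.com include:_spf.google.com ~all",
    "_spf.paubox.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_spf.google.com": "v=spf1 include:_nb1.example.net include:_nb2.example.net ~all",
    "_nb1.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb2.example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}

def parse(record):
    """Split an SPF record into (qualifier, name, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must begin with v=spf1")
    out = []
    for term in terms[1:]:
        qual, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        m = re.match(r"([A-Za-z0-9_.-]+)(?:[:=](.*))?", body)
        if not m:
            raise ValueError("malformed term: " + term)
        out.append((qual, m.group(1).lower(), m.group(2)))
    return out

def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms, following include/redirect into nested records."""
    if domain in seen:
        raise ValueError("include loop at " + domain)
    total = 0
    for _, name, arg in parse(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(arg, zone, seen + (domain,))
    return total

def lint(domain, zone):
    """Return (lookup count, result name of the 'all' term or None, findings)."""
    lookups = count_lookups(domain, zone)
    all_result = next((QUALIFIERS[q] for q, n, _ in parse(zone[domain]) if n == "all"), None)
    findings = ["PermError: too many DNS lookups"] if lookups > 10 else []
    if all_result not in ("fail", "softfail"):  # redirect= records are not special-cased
        findings.append("record should end with ~all or -all")
    return lookups, all_result, findings

print(lint("example.com", ZONE))  # (4, 'softfail', [])
```

The two include entries cost four lookups here because one of the constructed provider records contains two includes of its own, which is how a short record can still exceed the limit of 10.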