Sender Policy Framework (SPF) is an email authentication method that checks whether the IP address
sending an email that claims to come from a domain is actually approved by the administrators of
that domain.
The record is published as a DNS TXT record that lists the email servers authorized to send email
on behalf of your domain name.
SPF records defend your domain by preventing spammers from sending messages with bogus From:
addresses attached to your domain.
How are SPF Records Defined?
SPF records are defined using the TXT record type. An SPF record is usually defined as a single
string of text. The record starts with the v= element, which indicates the SPF version being used.
The most common SPF version in use is spf1 since it is easily understood by most email exchanges.
v=spf1 a mx ip4:126.96.36.199 include:_spf.google.com ~all
The version indicator is followed by terms, which are made up of mechanisms and modifiers. The
terms define the rules for which hosts can send mail from the domain and provide additional
information for processing the SPF record.
What are the Defined Mechanisms in an SPF Record?
The defined mechanisms include:
all: The policy for 'all the other sources' can be set using the 'all' mechanism. This should be
placed at the end of your SPF record, where it provides a 'default' for other sources. You should
use a qualifier to define the policy that has to be applied.
a: Defines the DNS A record of the current or specified domain as an authentic sending source.
include: Only a single SPF record is allowed for a domain, but with the "include" mechanism,
multiple domains can be listed within that single record.
ip4: Defines the IPv4 address
ip6: Defines the IPv6 address
mx: Defines the DNS MX record for the current or specified domain as an authentic sending source.
exists: This mechanism checks the existence of an A record for a domain.
To control how a match is handled, these mechanisms may specify qualifiers:
+ for pass, - for fail, ~ for soft fail, ? for neutral
The defined modifiers include:
exp: The 'exp' modifier is used to provide an explanation when the '-' qualifier is present
on a mechanism that is matched.
redirect: This modifier is used when the organization has multiple domains and wants to apply
the same SPF content across multiple domains.
SPF records must limit the number of mechanisms and modifiers requiring DNS lookups to 10 per SPF
check. If you need more than the maximum number in a single SPF record, you are required to send
some of the messages from subdomains beneath your naked domain.
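The following Python sketch is an added example, not code from the original page: it splits a record into the qualifiers, mechanisms and modifiers described above, counts the terms that require DNS lookups, and warns about a misplaced or missing 'all'. It works offline and does not follow include or redirect targets, so the count is a lower bound on the lookups of a real SPF check; the function names, the example.net record and the 'ptr' entry (from RFC 7208) are assumptions not found on the page.

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "a", "include", "ip4", "ip6", "mx", "exists", "ptr"}
MODIFIERS = {"exp", "redirect"}  # the modifiers this page defines
# Terms that cost a DNS lookup; "ptr" comes from RFC 7208, not from this page.
LOOKUP_TERMS = {"a", "include", "mx", "exists", "ptr", "redirect"}
MAX_LOOKUPS = 10

def parse_spf(record):
    """Split an SPF TXT string into (kind, result, name, value) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        name, sep, value = tok.partition("=")
        if sep and name.lower() in MODIFIERS:
            terms.append(("modifier", None, name.lower(), value))
            continue
        m = re.match(r"([+\-~?]?)([A-Za-z0-9]+)(.*)$", tok)
        if not m or m.group(2).lower() not in MECHANISMS:
            raise ValueError("unknown term: " + tok)
        qualifier = m.group(1) or "+"  # no qualifier means pass
        rest = m.group(3)  # ":domain", ":address" or "/cidr"
        value = rest[1:] if rest.startswith(":") else rest
        terms.append(("mechanism", QUALIFIERS[qualifier], m.group(2).lower(), value))
    return terms

def lint_spf(record):
    """Return (lookup_terms, warnings) for this record only; includes are not followed."""
    terms = parse_spf(record)
    names = [name for _, _, name, _ in terms]
    mechs = [name for kind, _, name, _ in terms if kind == "mechanism"]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    warnings = []
    if lookups > MAX_LOOKUPS:
        warnings.append("more than 10 DNS-lookup terms")
    if "all" not in mechs and "redirect" not in names:
        warnings.append("no 'all' or redirect: no default policy")
    elif "all" in mechs and mechs[-1] != "all":
        warnings.append("'all' is not last: later mechanisms are never evaluated")
    return lookups, warnings

PAGE_RECORD = "v=spf1 a mx ip4:126.96.36.199 include:_spf.google.com ~all"  # from the page
# Constructed record with 11 include terms, one over the limit.
OVER_LIMIT = "v=spf1 " + " ".join("include:spf%d.example.net" % i for i in range(11)) + " -all"

if __name__ == "__main__":
    for rec in (PAGE_RECORD, OVER_LIMIT, "v=spf1 -all mx"):
        print(lint_spf(rec))
```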
How Does SPF Record Help Your Email Domain?
SPF increases the chance of your email landing in the inbox by building trust with ISPs. Along
with DMARC and DKIM, it serves as an extra layer of security that reduces backscatter bounces and
error notifications.
Your email will be delivered without trouble as SPF ensures that your email is secured against any
type of spoofing.
KDMARC analyses your SPF record and provides a report that allows the experts within your
organization to set the record appropriately for the organization.