Creating and Optimizing SPF records for your own domain

You can create an SPF record by hand or with an online SPF record generator. The advantages of using a generator rather than writing the record manually are:

  • It is usually free
  • It produces a record with valid syntax
  • It helps you avoid typing errors (a stray space or a missing colon makes a mechanism unusable)

Whichever way you choose, the steps below get you started.

1. Gather the List of Domains and Sending Sources

Each SPF record covers one domain, so start by compiling a list of all your domains. To keep them from being abused, include inactive (or “parked”) domains that never send email.

Next, list every source that sends email from your domain(s): your own mail servers and every third party that sends on your behalf. This comprises:

  • Mail servers (both hosted, such as Gmail or your ISP’s, and on-premises, such as Microsoft Exchange)
  • Email Service Providers (ESPs), the companies that offer bulk email and email marketing services
  • Other services (such as payment processors, e-commerce platforms, support/ticketing systems, etc.)

2. Include All Sending Domains

Most businesses own many domains. Some sit dormant, others are used for sending email. Do all of them need an SPF record? Yes. If a company publishes SPF only for its sending domains, attackers simply spoof the non-sending ones instead. A domain that never sends email gets a record that authorizes nothing: v=spf1 -all.

3. Create an SPF Record for Your Domain

  • Specify the SPF version first. The version tag always comes first in an SPF record, and it is always v=spf1 (SPF version 1).
  • After v=spf1, list the addresses your organization is permitted to send from, using ip4: and ip6: mechanisms with no space after the colon. A single address or a CIDR range both work. For instance: v=spf1 ip4:xxx.xxx.xxx.xxx -all
  • Next add an include: mechanism for each outside company that has permission to send email on your organization’s behalf, for instance include:thirdpartydomain.com (thirdpartydomain.com is a placeholder). The include tells receivers to consult that company’s own SPF record, so it covers every address the company publishes there. Ask the third party which domain to put in the include; it is often a dedicated SPF subdomain rather than their main domain.

You can expedite this process by using an online SPF record generator tool. 

4. Configure your level of enforcement

  • After all ip4/ip6 and include mechanisms, finish the record with an all mechanism: -all, ~all or ?all.
  • -all denotes a hard fail: mail from any source not listed should be treated as failing SPF and typically rejected. ~all denotes a soft fail: unlisted sources are probably not legitimate, but the mail is accepted and marked. 
  • ?all is neutral: it makes no assertion, so any server’s mail is treated as if no SPF record existed. We do not advise using it, as it leaves your domain open to spoofing.

You can choose among the following modes: 

  • Fail (-all)
  • Soft-fail (~all)
  • Neutral (?all) 
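Steps 3 and 4 put together, as an added example that is not part of the course page: a small Python script that assembles the record from lists of sources and then evaluates it the way a receiving server does (first matching term wins, and an include recurses into the other domain’s record). The domains, addresses and the in-memory DNS table are constructed for illustration (RFC 5737 / RFC 3849 documentation ranges, example domains); only ip4, ip6, include and all are implemented, since a, mx, ptr and exists need live DNS.

```python
"""Build an SPF record from your sending sources and evaluate it offline.

Added example, not taken from the course. Every domain, address and the
DNS table below are constructed for illustration; replace them with your own.
"""
import ipaddress

# Constructed sources for the fictional domain example.com.
OUR_IP4 = ["192.0.2.10", "192.0.2.0/28"]
OUR_IP6 = ["2001:db8::/32"]
THIRD_PARTY_INCLUDES = ["_spf.esp.example.net"]   # assumed ESP include domain


def build_spf(ip4=(), ip6=(), includes=(), enforcement="-all"):
    """Assemble a v=spf1 record; enforcement is the final 'all' term."""
    if enforcement not in ("-all", "~all", "?all"):
        raise ValueError("use -all (fail), ~all (softfail) or ?all (neutral)")
    terms = ["v=spf1"]
    terms += [f"ip4:{v}" for v in ip4]
    terms += [f"ip6:{v}" for v in ip6]
    terms += [f"include:{d}" for d in includes]
    terms.append(enforcement)
    return " ".join(terms)


# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
DNS = {
    "example.com": build_spf(OUR_IP4, OUR_IP6, THIRD_PARTY_INCLUDES, "-all"),
    "_spf.esp.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, dns=DNS, depth=0):
    """Simplified check_host() from RFC 7208 section 4: first match wins.

    Handles ip4, ip6, include and all only. Returns one of
    pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:
        return "permerror"             # runaway include chain
    record = dns.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:    # skip the v=spf1 tag
        qual = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        name, _, value = mech.partition(":")
        if name == "all":
            return QUALIFIER_RESULT[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qual]
        elif name == "include":
            sub = check_host(ip, value, dns, depth + 1)
            if sub == "pass":          # include matches only on pass
                return QUALIFIER_RESULT[qual]
            if sub in ("none", "permerror"):
                return "permerror"     # RFC 7208 s.5.2: broken/missing include
        else:
            return "permerror"         # a, mx, ptr, exists: not in this demo
    return "neutral"                   # no 'all' term: default result


if __name__ == "__main__":
    print(DNS["example.com"])
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "2001:db8::1"):
        print(f"{src:>16} -> {check_host(src, 'example.com')}")
```

Note that the include of a domain with no record yields permerror rather than a quiet fail: a typo in an include domain silently breaks authentication for every message, which is why the checker step later in the page matters.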

How to publish the SPF record on your DNS?

When the record is generated, you need to add it to your domain’s DNS. 

The record must be published by whoever manages your DNS. That may be an internal role in your company, you may have direct access to a dashboard offered by your DNS provider, or you may ask the provider to publish the record for you.

If you publish the record yourself: 

  • Access your DNS management console 
  • Open the DNS records editor (some providers call it the advanced DNS editor) 
  • Create a new record with the following specifications:

Type: TXT (SPF is published as an ordinary TXT record; the dedicated SPF record type is obsolete)

TTL: 1 hour (3600 seconds)

Host: @ (the bare domain; a subdomain that sends mail needs its own record under its own label) 

Value: [Your generated SPF record value]

  • Save the record
  • Wait for DNS propagation: depending on your DNS provider and on resolver caches, it can take up to 24 hours (sometimes more) before every receiver sees the new record  
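The same settings as they appear in a BIND-style zone file, added here as an illustration rather than taken from the course. example.com, the addresses (RFC 5737 documentation range) and the include domain are placeholders.

```zone
; Constructed zone fragment for example.com. TTL 3600 = the "1 hour" above.
; "@" is the zone apex, i.e. the bare domain.
@            3600  IN  TXT  "v=spf1 ip4:192.0.2.10 include:_spf.esp.example.net -all"

; A subdomain that sends mail (here a newsletter hostname) needs its own record.
newsletter   3600  IN  TXT  "v=spf1 include:_spf.esp.example.net -all"

; A parked subdomain that never sends mail authorizes nothing.
parked       3600  IN  TXT  "v=spf1 -all"
```

Most provider dashboards hide the zone-file syntax, but the mapping is the same: Host is the left-hand label, Type is TXT, and Value is the quoted string.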

Steps after publishing

After publishing, validate the record with an online SPF checker. It looks the record up in seconds and reports syntax errors and other problems (for example, exceeding the DNS lookup limit) that would stop your email authentication from working.

How to check your SPF record? 

To check your SPF record, use an online SPF record lookup tool to make sure the record is free of errors, resolves correctly and is configured as intended. 

Note that SPF alone cannot protect your domain against email-based attacks: it authenticates only the envelope sender (the SMTP MAIL FROM address), not the From header the recipient sees, so it must be paired with DKIM and DMARC. 

How to Optimize your SPF Record

Create a Brand New SPF Record

Creating an SPF record means publishing a TXT record in your domain’s DNS that configures SPF for the domain. This is a mandatory step before you can optimize anything. If you are just starting out with authentication and are unsure about the syntax, you can use an SPF record generator to create the record for your domain.

An SPF record with correct syntax looks like this (192.0.2.10 is a placeholder from the RFC 5737 documentation range; substitute your own addresses):

v=spf1 ip4:192.0.2.10 include:example.com -all

v=spf1

Specifies the version of SPF being used

ip4/ip6

These mechanisms list the IPv4 (ip4) and IPv6 (ip6) addresses, or CIDR ranges, that are authorized to send email for your domain.

include

This mechanism tells the receiving server to evaluate the SPF record of the named domain; a match there counts as a match for your domain.

-all

This mechanism tells receivers that email from any source not listed fails SPF and may be rejected. It is the recommended way to end the record. It can be replaced by ~all (soft fail: non-compliant email is marked but still accepted) or ?all (neutral: no assertion is made). +all, which authorizes every server on the internet to send email on behalf of your domain, is strongly discouraged.

If you already have SPF configured for your domain, you can also use an SPF record checker to look up and validate your SPF record and detect issues.

Steps to Optimize your SPF Record

When tuning your SPF record, follow these best practices:

  • List your email sources from left to right in decreasing order of volume: evaluation stops at the first match, so the source that sends the most mail should be matched first
  • Remove obsolete email sources from your record; a decommissioned server or cancelled ESP that is still listed can be abused if someone else acquires its addresses
  • Use ip4/ip6 mechanisms instead of a and mx: every a, mx, ptr, exists, include and redirect term costs a DNS lookup, and RFC 7208 allows at most 10 per evaluation; beyond that, receivers return permerror and the record stops authenticating anything
  • Keep the number of include mechanisms as low as possible and avoid nested includes; the lookups inside an included record count toward the same limit of 10
  • Do not publish more than one SPF record for the same domain: a receiver that finds two returns permerror
  • Make sure your SPF record contains no redundant white space or syntax errors (a space after ip4: or include: breaks the mechanism)
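As an added example, not the course’s own tooling, the following Python linter applies the checklist above to a record offline, standing in for the online checker mentioned earlier. It counts DNS-querying terms through nested includes against the 10-lookup limit of RFC 7208 section 4.6.4, flags duplicate records, the deprecated ptr mechanism, a/mx, a permissive all, and the stray-space syntax error, and splits an over-long record into the 255-character strings a TXT record needs. All domains, addresses and records in SAMPLE_DNS are constructed for illustration.

```python
"""Lint an SPF record against the optimization checklist. Added example;
the domains and records below are constructed, not real.
"""
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}
MAX_LOOKUPS = 10                      # RFC 7208 s.4.6.4

# Constructed TXT data: domain -> list of TXT strings published at that name.
SAMPLE_DNS = {
    # Bloated record showing the problems the checklist warns about.
    "example.com": ["v=spf1 a mx include:_spf.esp.example.net include:_spf.crm.example.net "
                    "include:legacy.example.org ip4: 192.0.2.10 ptr ~all"],
    "_spf.esp.example.net": ["v=spf1 include:pool1.esp.example.net include:pool2.esp.example.net -all"],
    "pool1.esp.example.net": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "pool2.esp.example.net": ["v=spf1 ip4:198.51.100.128/25 -all"],
    "_spf.crm.example.net": ["v=spf1 a mx ip4:203.0.113.0/24 -all"],
    "legacy.example.org": ["v=spf1 mx a:mail.legacy.example.org -all"],
    # The same sources flattened to addresses: zero lookups.
    "fixed.example.com": ["v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all"],
    # Two records at one name: receivers return permerror.
    "two.example.com": ["v=spf1 -all", "v=spf1 ip4:203.0.113.9 -all"],
}


def spf_records(domain, dns):
    """Every TXT string at domain that starts with the v=spf1 tag."""
    return [t for t in dns.get(domain, []) if t.split(" ", 1)[0].lower() == "v=spf1"]


def term_name(term):
    """'ip4:192.0.2.0/24' -> 'ip4', '~all' -> 'all', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def count_lookups(domain, dns, path=frozenset()):
    """Count DNS-querying terms reachable from domain, following include/redirect."""
    if domain in path:
        return 0                      # include loop; a real evaluator would permerror
    recs = spf_records(domain, dns)
    if len(recs) != 1:
        return 0                      # missing or duplicated record: nothing to follow
    total = 0
    for term in recs[0].split()[1:]:
        name = term_name(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                target = re.split(r"[:=]", term, maxsplit=1)[1]
                total += count_lookups(target, dns, path | {domain})
    return total


def lint(domain, dns):
    """Return a list of findings for the record at domain; [] means it passed."""
    recs = spf_records(domain, dns)
    if not recs:
        return ["no SPF record published"]
    findings = []
    if len(recs) > 1:
        findings.append(f"{len(recs)} SPF records published; receivers return permerror")
    rec = recs[0]
    if rec != rec.strip() or "  " in rec:
        findings.append("redundant whitespace in record")
    terms = rec.split()[1:]
    for t in terms:
        if t.endswith(":"):
            findings.append(f"syntax error: '{t}' has no value (stray space after the colon?)")
        elif term_name(t) not in KNOWN_TERMS:
            findings.append(f"unknown term '{t}'")
    if not terms or term_name(terms[-1]) != "all":
        findings.append("record does not end with an 'all' term")
    elif terms[-1] in ("all", "+all", "?all"):
        findings.append(f"'{terms[-1]}' lets any host send as {domain}; use -all or ~all")
    if any(term_name(t) == "ptr" for t in terms):
        findings.append("'ptr' is deprecated (RFC 7208 s.5.5) and costs a lookup")
    if any(term_name(t) in ("a", "mx") for t in terms):
        findings.append("'a'/'mx' each cost a lookup; list the addresses as ip4/ip6 instead")
    lookups = count_lookups(domain, dns)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups, limit is {MAX_LOOKUPS}; flatten or drop includes")
    return findings


def txt_strings(record, limit=255):
    """Split a long record into <=255-octet strings for one TXT RR (RFC 7208 s.3.3);
    receivers concatenate them without adding spaces, so any split point is fine."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


if __name__ == "__main__":
    for d in ("example.com", "fixed.example.com", "two.example.com"):
        print(d, count_lookups(d, SAMPLE_DNS), "lookups")
        for f in lint(d, SAMPLE_DNS):
            print("  -", f)
```

The bloated example.com record reaches 12 lookups through its nested includes even though it lists only three third parties; the flattened fixed.example.com record authorizes the same addresses with none, which is the point of preferring ip4/ip6 over a, mx and deep include chains.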

Part of the Advanced Email Authentication Course