
How to create and publish SPF records?

You can create an SPF record manually or with the use of an online SPF record generator tool. The advantages of using a tool to create your record rather than doing it manually are: 

  • It's free 
  • It provides accurate results 
  • It helps you avoid human errors 

Once you've decided which approach to take, the steps below will get you started.

1. Gather the List of IP Addresses That You Use for Sending Emails

As each SPF record corresponds to a distinct domain, start by compiling a list of all your domains. To safeguard them from abuse, be sure to include inactive (or “parked”) domains that don’t send email.

Additionally, you must list all sources (third parties) who send emails on your behalf and everything else that sends emails from your domain(s). This comprises:

  • Mail servers (both web-based, like Gmail or via your ISP, and in-office, like Microsoft Exchange)
  • Email Service Providers (ESPs): companies that offer bulk email services and email marketing
  • Other services (such as payment processors, e-commerce services, support/ticketing systems, etc.)

2. Include All Sending Domains

Most businesses own a wide variety of domains. Some of them are dormant, while others are used for sending emails. Do they, therefore, need to use SPF to protect each of their domains? The answer is yes. Let’s say the company decides to set up an SPF record just for its sending domains. In that case, attackers will find the non-sending domains to be an easy target.

3. Create an SPF Record for Your Domain

  • Specify the SPF version first. The version tag (v=spf1) always comes first in an SPF record.
  • Follow the v=spf1 version tag with all the IP addresses your company has permitted to send emails on behalf of your brand. For instance: v=spf1 ip4:xxx.xxx.xxx.xxx -all (there is no space after the colon).
  • The next step is adding the include tag for outside companies that have permission to send emails on your organization’s behalf. For instance: include:thirdpartydomain.com (thirdpartydomain.com is an example domain name in this case). This tag identifies a third-party company authorized to send emails on your enterprise domain’s behalf. Consult the third-party organization to decide which domain you should put as the value of the include statement.

You can expedite this process by using an online SPF record generator tool. 

4. Configure your level of enforcement

  • After adding all include tags and IP addresses, finish the record with an ~all, -all, or ?all tag.
  • The -all tag denotes a hard failure, whereas the ~all tag indicates a soft failure.
  • The ?all tag lets any server deliver emails from your organizational domain. We do not advise using this option, as it leaves the domain open to spoofing.

You can choose among the following modes: 

  • Fail (-all)
  • Soft-fail (~all)
  • Neutral (?all) 
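
Steps 1 to 4 above as an added Python example (not code from the course): it assembles a record from the IP list, include domains and enforcement mode, and lints a record for the mistakes these steps are prone to. The function names and sample addresses are constructed for illustration, and the 10-lookup limit comes from RFC 7208, which this page does not mention.

```python
import ipaddress
import re

ALL_TAGS = {"fail": "-all", "softfail": "~all", "neutral": "?all"}
KNOWN = {"all", "ip4", "ip6", "include", "a", "mx", "ptr", "exists", "redirect", "exp"}
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def build_spf(ips=(), includes=(), mode="fail"):
    """Steps 3 and 4: version tag, IP mechanisms, include tags, then the all tag."""
    terms = ["v=spf1"]
    for ip in ips:
        version = ipaddress.ip_network(ip, strict=False).version  # ValueError if malformed
        terms.append(f"ip{version}:{ip}")
    terms += [f"include:{domain}" for domain in includes]
    terms.append(ALL_TAGS[mode])
    return " ".join(terms)  # with no senders this is "v=spf1 -all", the parked-domain record

def lint_spf(record):
    """Return a list of problems found in an SPF record value (empty list if none)."""
    terms = record.split()
    problems = []
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("must start with v=spf1")
    if not terms or terms[-1] not in ALL_TAGS.values():
        problems.append("must end with -all, ~all or ?all")
    lookups = 0
    for term in terms[1:]:
        # optional qualifier, mechanism name, separator, value
        name, sep, value = re.match(r"[+\-~?]?([^:=/]*)([:=/]?)(.*)", term).groups()
        name = name.lower()
        if name not in KNOWN:
            problems.append(f"unknown term '{term}' (stray space inside a mechanism?)")
        elif sep == ":" and not value:
            problems.append(f"'{term}' has no value (remove the space after the colon)")
        elif name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                problems.append(f"'{term}' is not a valid address or range")
        lookups += name in DNS_TERMS
    if lookups > 10:  # RFC 7208 limit; nested includes also count but need live DNS to see
        problems.append(f"{lookups} DNS-querying terms exceeds the limit of 10")
    if terms and terms[-1] == "?all":
        problems.append("?all is neutral: it does not restrict who can send")
    return problems
```
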

How to publish the SPF record on your DNS?

When you’re done with the generating process, you need to add the SPF record to your domain’s DNS. 

Whoever manages your DNS needs to publish the SPF record there. This may be an internal role at your company, you may have direct access to a dashboard offered by your DNS provider, or you could ask the provider to publish the record for you.

If you are publishing your record on your own, 

  • Access your DNS management console 
  • Open your Advanced DNS Editor 
  • Create a new record with the following specifications:

Type: TXT

TTL: 1 hour

Host: @ 

Value: [Your generated SPF record value]

  • Save changes to your record
  • Wait for 24 hours (or more, depending on your DNS provider) for the record to take effect

Steps after publishing

After publishing your record, you can validate it with an online SPF checker tool. This lets you examine SPF records in a matter of seconds and identifies any issues that may be impeding the effectiveness of your email authentication system.

How to check your SPF record? 

To check your SPF record you can use an online SPF record lookup tool to make sure your record is devoid of errors, is functional, and configured properly. 

Note that SPF alone cannot protect your domain against email-based attacks. 