
SPF - Sender Policy Framework: An effective tool for more secure email.

What is an SPF record?

An SPF (Sender Policy Framework) record helps keep the bad guys from "spoofing" or forging a domain name when sending mail. This is important, because otherwise it's pretty easy for them to make it look like you sent the spam or unwanted mail.

Despite the complex looking syntax, an SPF record is simply a list of pre-approved sources of email for a domain. On the message recipient's end, the mail servers request the official list of pre-approved sources of mail (aka your SPF record). They then check to see if where the message came from is on that list. If it is, then the message is delivered. If the source of the message is not on that list, then the recipient server uses info provided by the SPF record to choose whether it should accept the message or not.

Remember that SPF is just one layer of securing email: It should be coupled with DKIM & DMARC to be extremely effective.

Here's what that might look like

Let's use an analogy involving Alice, Bob, and Mallory to understand how SPF works:

  1. Alice owns a company called ExampleCorp and uses email addresses from her domain (example.com) to send legitimate emails to her clients.

  2. Bob is one of Alice's clients. Bob regularly receives emails from Alice's domain and expects these emails to come from ExampleCorp's authorized mail servers.

  3. Mallory is a malicious actor who wants to trick Bob into believing that an email she sends is from ExampleCorp. Mallory attempts to send an email to Bob, pretending to be from ExampleCorp's domain (example.com).

Here's how SPF helps prevent Mallory's spoofing attempt:

  • Alice sets up an SPF record for her domain (example.com). This SPF record is a list of IP addresses & servers authorized to send emails on behalf of example.com. The SPF record is published in the DNS (Domain Name System) of example.com. It might look something like this:
v=spf1 ip4:192.0.2.0/24 include:mail.example.com -all
  • Bob's email server receives an email claiming to be from example.com. Before delivering the email to Bob, Bob's email server checks the SPF record of example.com.

  • Bob's email server queries the DNS for example.com and retrieves the SPF record. It then compares the IP address of the incoming email with the IP addresses listed in the SPF record.

  • If the email is from an IP address listed in the SPF record, the email is considered legitimate, and Bob's email server delivers it to Bob's inbox.

  • If the email is from an IP address not listed in the SPF record, the email fails the SPF check. Depending on the policy specified in the SPF record (e.g., -all (strict)), Bob's email server can reject the email or mark it as suspicious.

In this analogy:

  • Alice represents the legitimate domain owner who wants to protect her domain from being spoofed.
  • Bob represents the recipient who expects to receive emails from legitimate sources.
  • Mallory represents the malicious actor trying to spoof Alice's domain.

By using SPF, Alice ensures that only authorized mail servers can send emails on behalf of her domain, making it harder for Mallory to successfully spoof her emails and trick Bob.

Create the default SPF record for your domain(s)

Default SPF records

By default, all domains added to your cPanel should have an SPF record created for you already. It initially assumes all mail for the domain(s) will be sent by Fused email servers.

If SPF is not enabled for your domains, you can create the records automatically in your cPanel. Go to the Email section, then click the Authentication link. In the Authentication utility, click the Enable button under the SPF Status section.

Be sure you know all of your email sources!

An incorrect or incomplete SPF record can be more harmful than no SPF record at all. If you leave a legitimate mail source out of your SPF record, mail from that source will be treated as suspicious or potentially blocked outright.

When creating your SPF record, it is important to know which servers and/or services send email on behalf of your domain. For a lot of Fused customers, the default SPF configuration is perfectly fine. However, if you use a third-party email service (Google Apps, aka G Suite; Office 365; etc.), or if you use something like MailChimp, Constant Contact, etc., your SPF record will need to be adjusted. Feel free to contact us for advice and help with getting your SPF record correct.

What does an SPF record look like?

So, what does an SPF record look like? Here is the one for the fuseddemo.com domain:

v=spf1 +a +mx +ip4:69.162.149.25 +include:_spf.fused.com -all

That batch of seemingly random characters breaks down like this:

  • v=spf1 - the SPF version.
  • +a - any IP address returned by the A record for fuseddemo.com is allowed.
  • +mx - any IP returned for the fuseddemo.com MX Records is allowed.
  • +ip4:69.162.149.25 - this specific IP is allowed.
  • +include:_spf.fused.com - an SPF include, which pulls in the SPF record published for another domain (here _spf.fused.com). That record typically lists the provider's sending IP addresses in plain text, so they don't have to be copied into every customer's record.
  • -all - anything not matched by the mechanisms above is a hard fail ('minus'), and the recipient server should reject the message. A record ending in ~all ('tilde') instead produces a soft fail: the recipient server should still accept the message, but mark it as potentially suspicious.
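To make the check that Bob's server performs concrete, and to show how a missing sender turns into a hard fail, here is a small SPF evaluator. This is an added example, not Fused's code or tooling: it uses a constructed, offline stand-in for DNS (FAKE_DNS), and the hostnames and addresses in it (mail.example.com's record, _spf.fused.com's contents, the mx1.fuseddemo.com host, every 192.0.2.x / 198.51.100.x / 203.0.113.x address) are invented documentation values, not the real records. It handles the mechanisms the page explains (a, mx, ip4/ip6, include, all with the +, -, ~ and ? qualifiers) and counts DNS lookups against the RFC 7208 limit of 10, which is a common reason real records break once several includes are added.

```python
import ipaddress

# Constructed stand-in for DNS. Every value here is invented for the example
# (RFC 5737 documentation ranges); only the two record strings come from the page.
FAKE_DNS = {
    "TXT": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.com -all",
        "mail.example.com": "v=spf1 ip4:198.51.100.10 -all",  # hypothetical include target
        "fuseddemo.com": "v=spf1 +a +mx +ip4:69.162.149.25 +include:_spf.fused.com -all",
        "_spf.fused.com": "v=spf1 ip4:203.0.113.0/24 ~all",  # hypothetical provider record
    },
    "A": {
        "fuseddemo.com": ["192.0.2.200"],
        "mx1.fuseddemo.com": ["192.0.2.201"],
    },
    "MX": {
        "fuseddemo.com": ["mx1.fuseddemo.com"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: a, mx, include (and others) each count


def check_spf(domain, sender_ip, dns=FAKE_DNS, lookups=None):
    """Evaluate the SPF record of `domain` for a message arriving from `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Modifiers such as redirect= and exp= are not implemented in this example.
    """
    if lookups is None:
        lookups = [0]  # shared counter across include recursion
    record = dns["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"  # a mechanism with no explicit qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # ip_network("69.162.149.25") is a /32; a v4 address is never "in" a v6 network
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # receivers treat an over-limit record as broken
            target = arg or domain
            if name == "a":
                matched = any(ip == ipaddress.ip_address(h) for h in dns["A"].get(target, []))
            elif name == "mx":
                mx_hosts = dns["MX"].get(target, [])
                matched = any(ip == ipaddress.ip_address(h)
                              for mx in mx_hosts for h in dns["A"].get(mx, []))
            else:
                # include: only a "pass" of the other domain's record counts as a match;
                # a softfail or fail inside the include just falls through to the next term
                sub = check_spf(target, sender_ip, dns, lookups)
                if sub in ("permerror", "none"):
                    return "permerror"
                matched = sub == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # reached the end without an "all" term


def audit_sources(domain, sources, dns=FAKE_DNS):
    """Report every known sender that the domain's SPF record does NOT authorize.

    `sources` maps a descriptive name to the IP the service sends from. Anything
    listed here is a legitimate source that would be treated as suspicious.
    """
    return [(name, ip, check_spf(domain, ip, dns))
            for name, ip in sources.items()
            if check_spf(domain, ip, dns) != "pass"]


if __name__ == "__main__":
    print(check_spf("example.com", "192.0.2.7"))        # pass (ip4 range)
    print(check_spf("example.com", "203.0.113.5"))      # fail (-all)
    print(check_spf("fuseddemo.com", "192.0.2.201"))    # pass (via +mx)
    print(check_spf("fuseddemo.com", "198.51.100.99"))  # fail (include softfails, then -all)
    # Constructed inventory of senders; the newsletter tool was never added to the record
    print(audit_sources("example.com", {"web-server": "192.0.2.7",
                                         "newsletter-tool": "203.0.113.5"}))
```

The audit_sources helper is the check worth running before switching a record to -all: feed it every server and third-party service that actually sends as your domain, and anything it returns is mail that recipients would start rejecting.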