
What is an SPF record?

Posted on April 13, 2021 (updated December 7, 2022) by Mario

Email sent from your company is important and sensitive. It is part of your image and of the trust clients place in you, which also makes it an attractive tool for criminals to profit from through phishing and other illegal activities. Suspicious use of your email can be painful for a business and a reason to be banned.

SPF stands for Sender Policy Framework. This DNS record is a system for validating legitimate emails. The SPF record identifies the mail servers allowed to send emails in the name of your company’s domain. It increases trust in your email server while preventing domain spoofing.

How to start managing SPF records for your domain name?

How does the SPF record work?

An SPF record lets domain owners publish a list of their approved senders (outgoing mail servers) together with their IPs. With this list, servers that receive mail can verify whether an email comes from a server allowed to send on your business’s behalf. When a message comes from a server that is not on the list, the receiving server will treat it as fake.

In other words, receiving servers fetch the domain’s SPF record to check whether the originating mail server’s IP is valid, that is, approved to send emails on your domain’s behalf.

To validate the originating mail server, SPF checks not the From value but the Return-Path value. Return-Path is a hidden email header that receiving servers use to inform sending mail servers about delivery issues. Return-Path is also useful for validating the sender’s identity.

Why should you have SPF records on your domain?

  • Emails have a chance of being delivered even without SPF records, but to increase that chance and have 100% proper deliverability, you definitely need them.
  • It raises Internet service providers’ trust in your identity and purposes, so your emails are more likely to arrive directly in the inbox instead of being considered spam.
  • It reduces the risk of misdirected bounces (backscatter). A common side effect of spam is that mail servers send automated bounce messages to the wrong party.
  • Domains with SPF records are less attractive to criminals (phishers, spammers…) because fake emails can be caught directly by spam filters. Once those filters look up the SPF record and recognize the emails as forged, the emails receive spam treatment.
  • SPF needs to be combined with other authentication tools and protocols (DKIM, DMARC, etc.) to be fully effective. Having it on your domain is the beginning of a security shield that prevents abuse and enhances deliverability.

What does an SPF record look like?

It looks like this:

  • Hostname: yourdomain.com
  • Type: SPF
  • Directing to: v=spf1 include:_spf.yourdomain.com ~all
  • TTL (Time To Live): 1 hour

The “v=” gives the SPF version. The terms that follow are called mechanisms; they are used to decide if a domain is allowed to send mail. The final “~all” indicates that if none of those mechanisms match, the message must be rejected.

SPF mechanisms

Let’s explore some common SPF mechanisms.

+a – the host is authorized to send emails.

~all – matches in any case; if the mail comes from another server, it is sent to spam.

mx – matches the A or AAAA records of each MX record.

ip4 – the IPv4 address or range that will be used with the rules.

ip6 – the IPv6 address or range that will be used with the rules.

SPF qualifiers

Mechanisms can be combined with qualifiers such as the following:

  • - Minus is used for FAIL, meaning the message must be rejected.
  • ~ Tilde is used for SOFT FAIL. Usually, these messages are accepted but also tagged as fails.
  • ? Question mark is used for NEUTRAL, which means no policy (none).
  • + Plus is used for PASS. Accept the message.
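
How a receiving server walks the mechanisms and qualifiers listed above, as an added example that is not part of the original article. The `DNS` table, the `check_spf` function and all addresses are constructed for illustration; the lookup limit is simplified to a recursion guard.

```python
import ipaddress

# Constructed DNS answers standing in for live lookups (documentation ranges, not real hosts).
# SPF policies are published as TXT records on the domain.
DNS = {
    "txt": {
        "yourdomain.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.yourdomain.com ~all",
        "_spf.yourdomain.com": "v=spf1 ip6:2001:db8::/32 -all",
    },
    "a": {"mail.yourdomain.com": ["198.51.100.25"]},
    "mx": {"yourdomain.com": ["mail.yourdomain.com"]},
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip_str, domain, depth=0):
    """Evaluate the connecting IP against the SPF policy of the Return-Path domain."""
    terms = DNS["txt"].get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no SPF policy published
    if depth > 10:
        return "permerror"                 # guard against include loops
    ip = ipaddress.ip_address(ip_str)
    for term in terms[1:]:                 # mechanisms are tried left to right
        qual = term[0] if term[0] in RESULTS else "+"   # no qualifier means "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in DNS["a"].get(arg or domain, [])
        elif name == "mx":
            hosts = DNS["mx"].get(arg or domain, [])
            matched = any(str(ip) in DNS["a"].get(h, []) for h in hosts)
        elif name == "include":
            # include matches only when the included policy returns pass
            matched = check_spf(ip_str, arg, depth + 1) == "pass"
        else:
            continue                       # terms not covered in this sketch
        if matched:
            return RESULTS[qual]           # first match decides the result
    return "neutral"                       # nothing matched, no "all" term
```

Note that the `-all` inside the included record does not fail the outer check: an unmatched `include` simply falls through to the outer `~all`.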

Conclusion

Setting up SPF records for your domain helps you protect it from forged emails that phish for your clients’ private data. It also improves your emails’ chances of arriving in their natural safe haven, your clients’ inboxes.
