What Is SPF and How to Set It Up

SPF (Sender Policy Framework) record is one of security measures against forged emails and spam in general.

SMTP protocol does not include any sender authentization. Therefore, the sender can use any email address. This way, an attacker can misuse an email address without its owner's knowledge. SPF prevents that.

This TXT DNS record lists IP addresses, that are permitted to send emails from the given domain. It also includes instructions for the receiving server, on what to do with emails coming from a different IP address. The typical SPF record might look like this:

v=spf1 mx -all

It says, that only servers listed in MX records are allowed to send e-mails for the domain and the rest should be discarded.

However, such a restrictive setting has several drawbacks. Some users are forced to use their ISP provider's SMTP servers. Others have automatic forwarding of incoming mail to a different address. In both cases, e-mails would end up discarded. Therefore, we recommend to use tilde (softfail) instead of dash (fail) in your SPF records:

v=spf1 mx ~all

Emails that come from an address not included in the SPF record will be penalized by antispam. But whether they will be delivered or discarded will also depend on other factors, based on the receiving server's settings (IP address on a blacklist, certain keywords, URLs etc.).

Another typical usecase is, when you are using a different IP address for sending newsletters than for regular mail:

v=spf1 ip4:12.34.56.78 mx ~all

You can include several IP addresses and ranges, including IPv6:

v=spf1 ip4:12.34.56.78 ip4:23.46.78.0/24 ip6:2001:db8:a0b:12f0::1 ~all

You can mix and match the different options.