As someone in charge of a personal or business email system, it is important to understand how to check if your SPF record is correct and valid. Having an incorrect record will lead to recipients of your email not trusting what would be a legitimately sent message. Thankfully it is easy to check and once you know how, you can apply the same information to protect your business from inbound messages which are malicious.
What does SPF stand for?
SPF stands for ‘Sender Policy Framework‘.
How do SPF records work?
SPF (Sender Policy Framework) records specify which mail servers are authorised to send email on behalf of a particular domain. A receiving server takes the domain from the envelope sender (the SMTP MAIL FROM address, seen by the recipient as the Return-Path header), fetches that domain's SPF record from DNS and checks whether the IP address of the connecting server is one the record allows. For example, if you have a mail server with the address ‘mail.ourcloudnetwork.com’ and are using the domain ourcloudnetwork.com in your email addresses, you would authorise ‘mail.ourcloudnetwork.com’ in your SPF record (with the a: mechanism described later).
If you do not list a sending mail server in your SPF record, the receiving server cannot confirm that mail arriving from it is legitimately sent on behalf of your domain, so it has to assume it may not be, and will typically reject, quarantine or mark the message as spam.
What does an SPF record look like?
An SPF record is a DNS record of type TXT, published in the public DNS zone for your domain so that any receiving mail system can look it up and validate the server an email was sent from. A domain should publish exactly one SPF record: if a lookup returns two or more TXT records starting with v=spf1, receiving servers treat the result as a permanent error rather than picking one.
Here are SPF record examples from some common email systems:
Microsoft 365
v=spf1 include:spf.protection.outlook.com -all
Google Mail
v=spf1 include:_spf.google.com ~all
So, if you are only sending email from the above systems (Microsoft 365 or Google Mail), you can use the examples above and you are good to go. The problem comes when you have your own mail server, or a website or external server that also needs to send email on behalf of your domain. So let's break down each component of the SPF record.
How to check your SPF record is correct
Checking your SPF record is important, as any issue that makes the record invalid could cause the receiving mail server to mark your mail as spam or quarantine it. Equally, a recipient should not ‘bypass’ their spam filter for mail from a domain with a misconfigured SPF record, as the server would then have no way to help them tell whether an email is legitimate or has been spoofed.
Firstly to check what is currently set as your SPF record, you have a couple of options:
1. Log into your DNS provider (usually your domain registrar) and check your TXT records.
2. Use an online lookup tool such as mxtoolbox to run a public lookup for your SPF record: https://mxtoolbox.com/spf.aspx.
3. Use the command line on your own desktop to look up the TXT records for your domain (replace ourcloudnetwork.com with your own domain):
nslookup -q=txt ourcloudnetwork.com
The output lists the domain's TXT records; the SPF record is the one beginning with v=spf1.
Now you have your SPF record to hand, you can use online tools to verify that the syntax is correct and the record is valid.
A great tool I find myself using occasionally is the SPF syntax validator by Vamsoft. Once you have designed or written out your desired SPF record, you can paste it into the tool and it will check that the formatting and syntax are correct. This will ensure you do not encounter any issues once it is implemented.
What are the components of an SPF record?
Let's do a breakdown of my SPF record ‘v=spf1 include:spf.protection.outlook.com -all‘
Each part of the SPF record has a specific purpose. The parts are: v=spf1, include:, spf.protection.outlook.com and -all. Here I will explain each part of this record, then go on to describe the other mechanisms you can include in your SPF record.
v=spf1 – This is the version prefix. It tells the system parsing the record (in most cases the recipient's mail server or mail filtering service) that this TXT record is an SPF record; a TXT record without it is ignored for SPF purposes.
include: – The ‘include’ mechanism pulls in the SPF record of another domain, typically a mail provider's. The receiving server looks up that domain's SPF record and evaluates it against the sender's IP address; if that evaluation results in a pass, the include mechanism matches and the SPF check passes. Note that include:, a: and mx: each cost a DNS lookup, and the SPF standard (RFC 7208) allows at most 10 such lookups per check, counting those inside included records. Exceeding this produces a permanent error, which is a common cause of failing SPF checks for domains that use many third-party senders.
spf.protection.outlook.com – This is the domain whose SPF record is included, and which in turn lists the servers authorised to send on behalf of our domain. In this case the record belongs to Microsoft 365, as we are using the Exchange Online mail service. It comes directly after the include mechanism, separated by a colon with no spaces.
all – The ‘all’ mechanism matches any sender not matched by an earlier mechanism, so it should be the last term in the record. Its prefix (called the qualifier) decides the result for those senders:
- -all – A ‘-‘ or hyphen gives a ‘fail’ (hardfail): the sender is not authorised, and the receiving server will typically reject the message or treat it as spam.
- ~all – A ‘~’ or tilde gives a ‘softfail’: the sender is probably not authorised; the receiving server usually still accepts the message but treats it as suspicious, for example by raising its spam score. This is useful while you are still discovering all of your legitimate senders.
- +all – A ‘+’ or plus gives a ‘pass’ to every sender, so it is not recommended. It tells the receiving server to accept any IP address as authorised, which is equivalent to having no SPF protection at all.
- ?all – A ‘?’ or question mark gives a ‘neutral’ result: the record says nothing either way about the sender, so it is also not recommended.
a: – The ‘a’ mechanism takes a hostname (or, with no argument, the domain being checked), resolves its A (and AAAA) records and matches if the sender's IP address is one of them. This suits a single mail relay or web server that sends on behalf of the domain.
mx: – The ‘mx’ mechanism takes a domain (or, with no argument, the domain being checked), looks up its MX records and matches if the sender's IP address belongs to one of those mail exchangers.
ip4: – The ‘ip4’ mechanism lets you specify an IPv4 address or a network range in CIDR notation (for example ip4:198.123.2.4 or ip4:198.123.2.0/24). If the sender's IP address equals the address or falls within the range, the message passes. The equivalent for IPv6 is ip6:. Unlike a:, mx: and include:, these need no DNS lookups, so they do not count towards the 10-lookup limit.
SPF record examples
Now we know what components, or ‘mechanisms’, make up an SPF record, let's take a look at some examples of SPF records that use these mechanisms.
Example 1
In this example we have allowed both Microsoft 365 services and a specific mail server at 198.123.2.4 to send on behalf of our domain. Any email not sent from either server/service will fail the SPF check and be rejected by the receiving server.
v=spf1 ip4:198.123.2.4 include:spf.protection.outlook.com -all
Example 2
In this example we have allowed both the Microsoft 365 services and Exclaimer services to send on behalf of our domain. Any email not sent from either server/service will fail the SPF check and be rejected by the receiving server.
v=spf1 include:spf.exclaimer.net include:spf.protection.outlook.com -all
Example 3
In this example we have authorised our own mail server mail.ourcloudnetwork.com with the a: mechanism, included Microsoft 365 services and prefixed ‘all’ with a tilde ‘~’. Mail from the listed server or service passes, and mail from any other sender is given a softfail rather than a hard fail. (The mx: mechanism would instead authorise the hosts listed in a domain's MX records; mx:mail.ourcloudnetwork.com would only match if mail.ourcloudnetwork.com itself had MX records, which a mail server hostname usually does not.)
v=spf1 a:mail.ourcloudnetwork.com include:spf.protection.outlook.com ~all
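To make the mechanisms, the qualifiers and the three example records above concrete, here is an added example (my own code written for this article, not from Microsoft, Google, Vamsoft or any SPF library) that parses an SPF record, lints it for the unsafe qualifiers discussed earlier and evaluates a sender IP address against it the way a receiving server does, including the include: recursion and the 10-lookup limit. It runs offline against a constructed in-memory DNS table: the hostnames, IP addresses and the contents of spf.protection.outlook.com in that table are made up for the demonstration, and the a: mechanism is simplified to IPv4 without CIDR suffixes.

```python
"""Offline SPF parser, linter and evaluator (added example, not the article's own code)."""
import ipaddress

# Constructed DNS table (hostname -> record type -> values). Everything here is
# made up: the spf.protection.outlook.com entry is a stand-in for Microsoft's
# real record, and the IP addresses are documentation ranges.
DNS = {
    "ourcloudnetwork.com": {
        "TXT": ["v=spf1 a:mail.ourcloudnetwork.com include:spf.protection.outlook.com ~all"],
    },
    "mail.ourcloudnetwork.com": {"A": ["203.0.113.10"]},
    "spf.protection.outlook.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "twospf.example": {"TXT": ["v=spf1 -all", "v=spf1 ~all"]},      # two records: permerror
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},  # include loop: hits the lookup limit
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = ("all", "ip4", "a", "mx", "include")
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: a, mx and include each cost one DNS lookup


def dns(name, rtype):
    """Look a name up in the constructed table instead of on the network."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def parse_record(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms; ValueError on bad syntax."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name not in MECHANISMS:
            raise ValueError("unsupported term: " + term)
        if name in ("ip4", "include") and not arg:
            raise ValueError(name + " needs an argument")
        if name == "all" and arg:
            raise ValueError("all takes no argument")
        parsed.append((qualifier, name, arg))
    return parsed


def lint_record(record):
    """Return warnings for records that parse but are unsafe or incomplete."""
    terms = parse_record(record)
    warnings = []
    if not terms or terms[-1][1] != "all":
        warnings.append("no 'all' term at the end: unlisted senders get a neutral result")
    for qualifier, name, _ in terms:
        if name == "all" and qualifier in "+?":
            warnings.append(qualifier + "all lets any IP address send as this domain")
    if sum(1 for _, name, _ in terms if name in ("a", "mx", "include")) > MAX_LOOKUPS:
        warnings.append("more than %d DNS-querying mechanisms" % MAX_LOOKUPS)
    return warnings


def check_host(ip, domain, state=None):
    """Evaluate a sender IP against a domain's policy: pass, fail, softfail, neutral, none or permerror."""
    state = {"lookups": 0} if state is None else state  # lookup counter shared across includes
    records = [t for t in dns(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # RFC 7208 section 4.5: more than one SPF record is an error
    try:
        sender = ipaddress.ip_address(ip)
        for qualifier, name, arg in parse_record(records[0]):
            if name in ("a", "mx", "include"):
                state["lookups"] += 1
                if state["lookups"] > MAX_LOOKUPS:
                    return "permerror"
            if name == "all":
                matched = True
            elif name == "ip4":
                matched = sender in ipaddress.ip_network(arg, strict=False)
            elif name == "a":
                matched = str(sender) in dns(arg or domain, "A")
            elif name == "mx":
                matched = any(str(sender) in dns(mx, "A") for mx in dns(arg or domain, "MX"))
            else:  # include: only a pass from the included policy counts as a match
                result = check_host(ip, arg, state)
                if result in ("none", "permerror"):
                    return "permerror"
                matched = result == "pass"
            if matched:
                return QUALIFIERS[qualifier]
    except ValueError:
        return "permerror"  # bad syntax, bad IP address or bad CIDR range
    return "neutral"  # RFC 7208 section 4.7: nothing matched and there was no 'all' term


if __name__ == "__main__":
    for sender_ip in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(sender_ip, check_host(sender_ip, "ourcloudnetwork.com"))
```

Run against the table, 203.0.113.10 passes through the a: mechanism, 198.51.100.7 passes through the included Microsoft stand-in record, and 192.0.2.1 gets a softfail from ~all; the duplicate-record and include-loop entries both come back as permerror, which is what a real receiving server reports for those misconfigurations. Swapping the `dns()` function for a real resolver turns this into a working checker, but the point of the example is to see exactly which term produced each result.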