Tag: SPF

  • Creating SPF Records for your Domain

    The creation of a Sender Policy Framework (SPF) Record is something that is managed by the person or team that manages your Domain Name Service.

    The creation of an SPF record is a relatively simple process.

    Generally a domain name is hosted by a service provider like WrenMaxwell and it will be accessed via a control panel or interface that allows for the creation, editing or deletion of domain records.

    An SPF record is simply a text or TXT record within the domain. This is an example of a basic SPF record.

    Example SPF record

    In this example the domain is wrenmaxwell.com.au (note the trailing full stop in the record as the termination of the domain).

    The TTL or Time To Live provides the duration in seconds before this record should be checked again.

    IN TXT is the record type (cPanel / WHM management always shows the IN while other interfaces may not).

    The record content is enclosed in quote marks (for cPanel / WHM this is standard; other interfaces may hide the quotes or add the quotes in the background).

    What is in the SPF Record?

    The example includes 3 settings:

    v=spf1 is the version of SPF that is being used. Currently there is only SPF version 1, so spf1 is standard.

    +a says to accept the A record for the domain while +mx says accept the MX record for the domain.

    -all says to fail all other servers sending email using this domain name.

    SPF Record Syntax

    After the version instruction the rest of the record consists of mechanisms and qualifiers.

    When an SPF record is queried, the receiving server checks the IP address of the sending server against the SPF record for the sending domain. If a mechanism matches the IP address then the qualifier for that mechanism is used to determine what action should be taken in relation to the specific email that is being processed.

    Mechanisms are always processed from left to right with each mechanism tested until a match is found. Once a match is found the query is stopped and the qualifier used to return the action or response to the receiving server.
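
    The left-to-right, first-match evaluation described above, sketched as an added example (not code from the original post). The DNS table, the domain example.test and the function name check_spf are constructed for illustration; only the a, mx, ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS answers standing in for real A / MX lookups
# (documentation address ranges, hypothetical domain).
DNS = {
    "a": {"example.test": ["192.0.2.10"]},
    "mx": {"example.test": ["192.0.2.20", "2001:db8::25"]},
}

def check_spf(record, client_ip, domain, dns=DNS):
    """Evaluate an SPF record for client_ip: first matching mechanism wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier defaults to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True  # always matches, so nothing after it is reached
        elif name in ("a", "mx"):
            hosts = dns[name].get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        else:
            # include, CIDR suffixes on a/mx and modifiers are out of scope here
            raise ValueError(f"term not handled in this example: {term!r}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

if __name__ == "__main__":
    record = "v=spf1 +a +mx -all"
    for addr in ("192.0.2.10", "2001:db8::25", "198.51.100.7"):
        print(addr, check_spf(record, addr, "example.test"))
```

    Moving -all to the front of the same record makes every sender fail, because evaluation stops at the first match.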

    SPF Record Qualifiers

    The qualifiers are the symbols:

    Qualifier  Result    Comment
    “-”        Fail      Fail tells the receiving server that the sending server is not allowed to send for this domain
    “+”        Pass      Pass tells the receiving server that the sending server is allowed to send for this domain
    “~”        SoftFail  SoftFail tells the receiving server that the sending server may be accepted but is not yet specified
    “?”        Neutral   Neutral tells the receiving server that nothing is specified about this server
    Table of SPF Qualifier symbols

    There are a few other results that come from the evaluation of an SPF record but the above cover the main ones.

    SPF Record Mechanisms

    There are a number of mechanisms that are more commonly used and some that are not.

    Mechanism  Explanation
    A or a     All the A records for domain are tested. If the client IP is found among them, this mechanism matches.
    MX or mx   All the MX records for domain are tested. If the client IP is found among them, this mechanism matches.
    IP4        Check a specific host IP address of type version 4
    IP6        Check a specific host IP address of type version 6
    include    include:{some.other.domain} to check the SPF record of the hosting or remote domain
    all        Refers to any other server (all other servers) and this mechanism will always match
    Table of SPF Mechanisms

    MX stands for Mail eXchanger, meaning a server or host that will manage email for the domain.

    IP4 and IP6 refer to the type of IP address that is in use. A common error is to see IPv4 or IPv6 where the editor of the SPF record has inadvertently included the ‘v’ for version of the IP address, which is a common format in other forms of documentation of IP addresses but is invalid for SPF records.

    The include mechanism caters for larger configurations where there may be clustered servers or regular changes to mail server hosts. The service provider, like Google gmail and Microsoft Mail, can manage their servers within a domain structure that is linked from the client (your) domain SPF record.

    The all mechanism should always be the last entry in an SPF record so that any other mechanisms are evaluated before this ‘catch-all’ mechanism is checked.
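
    A small checker for the mistakes called out above (ipv4/ipv6 written instead of ip4/ip6, and all not being the last mechanism), given as an added example that is not part of the original post. The function name lint_spf and the sample records in the test are constructed for illustration.

```python
import re

# Mechanism names defined for SPF version 1.
KNOWN = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

def lint_spf(record):
    """Return a list of problems found in the text of an SPF TXT record."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, mechanisms = [], []
    for term in terms[1:]:
        body = term[1:] if term[0] in "+-~?" else term  # drop the qualifier
        if re.match(r"[A-Za-z][\w.-]*=", body):
            continue  # a modifier such as redirect=, not a mechanism
        name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
        mechanisms.append(name)
        if name in ("ipv4", "ipv6"):
            fixed = name.replace("v", "")
            problems.append(f"'{term}': use {fixed}, not {name}")
        elif name not in KNOWN:
            problems.append(f"'{term}': unknown mechanism")
    if "all" in mechanisms and mechanisms[-1] != "all":
        problems.append("'all' is not the last mechanism; later terms are never evaluated")
    return problems

if __name__ == "__main__":
    for rec in ("v=spf1 +a +mx -all", "v=spf1 ipv4:192.0.2.1 -all +mx"):
        print(rec, "->", lint_spf(rec) or "ok")
```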

    For a full list of all SPF Mechanisms and other parameters refer to the openspf.org page on SPF Record Syntax.

    SPF Record Qualifiers and Mechanism Examples

    Using the wrenmaxwell.com.au SPF record as an example.

    SPF Record Example Settings

    The version instruction is standard. v=spf1

    The +a says check the A records for the domain “wrenmaxwell.com.au” and if the assigned host IP address matches then ‘+’ accept it.

    The +mx says check the MX records for the domain “wrenmaxwell.com.au” and if the assigned host IP address matches then ‘+’ accept it.

    The -all says if the sending server is any other server then “-” fail the server and do not accept the email message as it is not an authorised server.

    SPF References

    Configuring Microsoft Office 365 SPF Records https://technet.microsoft.com/en-au/library/dn789058(v=exchg.150).aspx

    Scott Kitterman’s site at https://www.kitterman.com/spf/validate.html is a very useful set of tools.

    Summary

    Configuring a basic SPF record is not difficult if you are comfortable with managing your own DNS. If your email configuration is more complex than a single server or source of email, then there are many options that may be required to have a fully working SPF configuration. WrenMaxwell has been managing DNS systems for over 20 years and can assist you with your DNS support. Contact us any time for a free consultation.

    This post was first published in our HelpDesk Knowledgebase at https://help.wrenmaxwell.com.au/index.php?/Knowledgebase/Article/View/27/0/Creating-SPF-Records-for-your-Domain on 26th July 2016. The information is still valid with this update 12th July 2022.

  • Creating SPF Records for your Domain

    The creation of a Sender Policy Framework (SPF) Record is something that is managed by the person or team that manages your Domain Name Service.

    The creation of an SPF record is a relatively simple process.

    Generally a domain name is hosted by a service provider like WrenMaxwell and it will be accessed via a control panel or interface that allows for the creation, editing or deletion of domain records.

    An SPF record is simply a text or TXT record within the domain. This is an example of a basic SPF record.

    Domain               TTL    Record Type  Record
    wrenmaxwell.com.au.  14400  TXT          “v=spf1 +a +mx -all”

    In this example the domain is wrenmaxwell.com.au (note the trailing full stop in the record as the termination of the domain).

    The TTL or Time To Live provides the duration in seconds before this record should be checked again.

    TXT is the record type.

    The record content is enclosed in quote marks (for cPanel / WHM this is standard; other interfaces may add the quotes in the background).

    What is in the SPF Record?

    v=spf1 is the version of SPF that is being used. Currently there is only SPF version 1, so spf1 is standard.

    +a says to accept the A record for the domain while +mx says accept the MX record for the domain.

    -all says to fail all other servers sending email using this domain name.

    SPF Record Syntax

    After the version instruction the rest of the record consists of mechanisms and qualifiers.

    When an SPF record is queried, the receiving server checks the IP address of the sending server against the SPF record for the sending domain. If a mechanism matches the IP address then the qualifier for that mechanism is used to determine what action should be taken in relation to the specific email that is being processed.

    Mechanisms are always processed from left to right with each mechanism tested until a match is found. Once a match is found the query is stopped and the qualifier used to return the action or response to the receiving server.

    SPF Record Qualifiers

    The qualifiers are the symbols:

    Qualifier  Result    Comment
    “-”        Fail      Fail tells the receiving server that the sending server is not allowed to send for this domain
    “+”        Pass      Pass tells the receiving server that the sending server is allowed to send for this domain
    “~”        SoftFail  SoftFail tells the receiving server that the sending server may be accepted but is not yet specified
    “?”        Neutral   Neutral tells the receiving server that nothing is specified about this server

    There are a few other results that come from the evaluation of an SPF record but the above cover the main ones.

    SPF Record Mechanisms

    There are a number of mechanisms that are more commonly used and some that are not.

    Mechanism  Explanation
    A or a     All the A records for domain are tested. If the client IP is found among them, this mechanism matches.
    MX or mx   All the MX records for domain are tested. If the client IP is found among them, this mechanism matches.
    IP4        Check a specific host IP address of type version 4
    IP6        Check a specific host IP address of type version 6
    include    include:{some.other.domain} to check the SPF record of the hosting or remote domain
    all        Refers to any other server (all other servers) and this mechanism will always match

    MX stands for Mail eXchanger, meaning a server or host that will manage email for the domain.

    IP4 and IP6 refer to the type of IP address that is in use. A common error is to see IPv4 or IPv6 where the editor of the SPF record has inadvertently included the ‘v’ for version of the IP address, which is a common format in other forms of documentation of IP addresses but is invalid for SPF records.

    The include mechanism caters for larger configurations where there may be clustered servers or regular changes to mail server hosts. The service provider, like Google gmail and Microsoft Mail, can manage their servers within a domain structure that is linked from the client (your) domain SPF record.

    The all mechanism should always be the last entry in an SPF record so that any other mechanisms are evaluated before this ‘catch-all’ mechanism is checked.

    For a full list of all SPF Mechanisms and other parameters refer to the openspf.org page on SPF Record Syntax.

    SPF Record Qualifiers and Mechanism Examples

    Using the wrenmaxwell.com.au SPF record as an example.

    Domain               TTL    Record Type  Record
    wrenmaxwell.com.au.  14400  TXT          “v=spf1 +a +mx -all”

    The version instruction is standard. v=spf1

    The +a says check the A records for the domain “wrenmaxwell.com.au” and if the assigned host IP address matches then ‘+’ accept it.

    The +mx says check the MX records for the domain “wrenmaxwell.com.au” and if the assigned host IP address matches then ‘+’ accept it.

    The -all says if the sending server is any other server then “-” fail the server and do not accept the email message as it is not an authorised server.

    SPF References:

    Configuring Microsoft Office 365 SPF Records https://technet.microsoft.com/en-au/library/dn789058(v=exchg.150).aspx

    Scott Kitterman’s site at https://www.kitterman.com/spf/validate.html is a very useful set of tools.

    Summary

    Configuring a basic SPF record is not difficult if you are comfortable with managing your own DNS. If your email configuration is more complex than a single server or source of email, then there are many options that may be required to have a fully working SPF configuration. WrenMaxwell has been managing DNS systems for over 20 years and can assist you with your DNS support. Contact us any time for a free consultation.