What are SPF Records?

SPF records are used by mail exchanges to verify which hosts are allowed to send mail for a domain. They are used to validate a sender’s identity and can help mitigate spam.

SPF records are configured using a TXT record. Some providers allow you to configure them through a dedicated SPF record type, but that record type has since been deprecated.

We recommend that you always store your SPF record information in a TXT record. If you insist on using an SPF record, make sure you also have an identical TXT record.

Helpful Hints

  • Check with your DNS provider if they require you to enclose the SPF record data in quotations.
  • If your record data exceeds 255 characters, you will need to split it into multiple records.
  • You can only have one SPF record per domain.
  • SPF records are almost always created at the root of your domain. However, sometimes you may want to send email from a subdomain like something.example.com. In that case, you would name the record something.
  • After you create your record, you can test it using these free tools.

Syntax & Record Format

All SPF records begin with a v= string. This tells us which SPF version is being used.

Mechanisms

The initial v= string is followed by a series of mechanisms that will indicate different user-defined rules. The following rules indicate who can send mail for the domain:

A

The sender’s domain must have an A or AAAA record that can be resolved to the sender's address.

Syntax:

a:hostname, a:anotherhostname

MX

The domain must have an MX (Mail Exchange) record that resolves to the sender's address.

AKA: the mail must come from one of the domain’s incoming mail servers.

IP4 or IP6

The sender’s IP address must match one of the IP addresses listed in the SPF record.

Syntax:

ip4:192.0.4.0, ip4:192.9.33.4/24

EXISTS

The domain must resolve to an address. Rarely used.

PTR

This will authorize ALL subdomains and hostnames of your domain to be able to send mail. This mechanism has been deprecated and should not be used.

Qualifiers

All mechanisms, or each one individually, can be combined with a qualifier. Qualifiers dictate how mail exchanges should handle matching.

+

for a PASS result

?

for a NEUTRAL result interpreted like NONE (no policy).

~

for SOFTFAIL, a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged.

-

for FAIL, the mail should be rejected
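
How the mechanisms and qualifiers above combine when a record is evaluated, as an added example (not Constellix code). The function names and the sample record are constructed for illustration; only ip4, ip6 and all are evaluated because they need no DNS lookup, so a result is definitive only when the returned notes list is empty.

```python
import ipaddress

# Qualifier -> result when the mechanism it prefixes matches ("+" is the default).
QUALIFIERS = {"+": "PASS", "?": "NEUTRAL", "~": "SOFTFAIL", "-": "FAIL"}

def parse_spf(record):
    """Split a TXT value into (qualifier, mechanism, argument) tuples."""
    terms = record.split()  # terms in a published record are space-separated
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must begin with v=spf1")
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            continue  # modifiers (name=value) are outside this example
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = body.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed

def evaluate(record, sender_ip):
    """Evaluate left to right; the first matching mechanism decides the result."""
    ip = ipaddress.ip_address(sender_ip)
    notes = []
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            # strict=False accepts host bits, e.g. 192.9.33.4/24 -> 192.9.33.0/24
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], notes
        elif name == "all":
            return QUALIFIERS[qualifier], notes
        elif name == "ptr":
            notes.append("ptr is deprecated and should be removed")
        else:
            notes.append(f"{name} needs a DNS lookup; skipped offline")
    return "NEUTRAL", notes  # nothing matched and there was no "all"

# Constructed sample record built from the addresses shown above.
SAMPLE = "v=spf1 ip4:192.0.4.0 ip4:192.9.33.4/24 mx ~all"

if __name__ == "__main__":
    for addr in ("192.9.33.77", "203.0.113.9"):
        print(addr, evaluate(SAMPLE, addr))
```
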
