How to Build Your SPF Record in 5 Simple Steps

Did you know more than 90 percent of all cyberattacks start with email? In the evolving email landscape, danger lurks everywhere. Phishing attempts and domain spoofing attacks skyrocketed during COVID-19, increasing by 220 percent during the peak of the pandemic. 

Even the most experienced marketing teams can mistakenly expose their email programs to harm. To protect yourself, your brand, and your customers from phishing and spoofing attacks, authenticating your email is paramount. 

SPF (Sender Policy Framework) is an authentication protocol that allows senders to specify which IP addresses are authorized to send email on behalf of a particular domain. An SPF-protected domain is less attractive to fraudsters and is therefore less likely to be blacklisted by spam filters. SPF also ensures that legitimate email from the domain is delivered.

Ready to create your SPF record? Follow these five simple steps.

Step 1: Gather IP addresses used to send email

The first step to implement SPF is to identify which mail servers you use to send email from your domain. Many organizations send mail from a variety of places. Make a list of all your mail servers and their IP addresses, and be sure to consider whether any of the following are used to send email on behalf of your brand:

  • Web server 
  • Your email service provider’s (ESP) mail server 
  • In-office mail server (e.g., Microsoft Exchange) 
  • The mail server of your end users’ mailbox provider 
  • Any other third-party mail server used to send email on behalf of your brand 

If you’re unsure of what your IP addresses are, reach out to your ESP to get a list of the addresses associated with your account or your IT System Administrator to compile a list of IP addresses your business uses. 

Step 2: Make a list of your sending domains 

Chances are, your company owns many domains. Some of these domains are used to send email. Others aren’t. 

It’s important to create SPF records for all the domains you control, even the ones you’re not mailing from. Why? Once you’ve protected your sending domains with SPF, the first thing a criminal will do is try to spoof your non-sending domains. 

Step 3: Create your SPF record 

SPF authenticates a sender’s identity by comparing the sending mail server’s IP address to the list of authorized sending IP addresses the sender publishes in the DNS record.

Here’s how to create your SPF record: 

  • Start with the v=spf1 (version 1) tag and follow it with the IP addresses that are authorized to send mail. For example, v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 
  • If you use a third party to send email on behalf of the domain in question, you must add an “include” statement in your SPF record (e.g., include:thirdparty.com) to designate that third party as a legitimate sender 
  • Once you have added all authorized IP addresses and include statements, end your record with an ~all or -all tag 
  • An ~all tag indicates a soft SPF fail while an -all tag indicates a hard SPF fail. In the eyes of the major mailbox providers ~all and -all will both result in SPF failure. Validity recommends an -all as it is the most secure record. 
  • SPF records cannot be over 255 characters in length and cannot include more than ten include statements, also known as “lookups.” Here’s an example of what your record might look like: 
    • v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:thirdparty.com -all   
  • For your domains that do not send email, the SPF record will exclude any modifier with the exception of -all. Here’s an example record for a non-sending domain: 
    • v=spf1 -all 
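
The rules in Step 3 can be checked before a record goes to DNS. The following is an added example, not code from the original article: it assembles a record in the order the steps describe and lints it against the limits stated above. The function names build_spf and lint_spf are hypothetical.

```python
import ipaddress

MAX_LENGTH = 255    # character limit stated in the article
MAX_INCLUDES = 10   # include ("lookup") limit stated in the article


def build_spf(ip4=(), includes=(), policy="-all"):
    """Assemble a record: version tag, ip4 entries, includes, then the all tag."""
    terms = ["v=spf1"]
    terms += [f"ip4:{ip}" for ip in ip4]
    terms += [f"include:{domain}" for domain in includes]
    terms.append(policy)
    return " ".join(terms)


def lint_spf(record):
    """Return a list of problems; an empty list means the record passes."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
    if not record.isascii():
        # Word processors often turn "-all" into a typographic dash.
        problems.append("non-ASCII character found (check the dash before 'all')")
    if len(record) > MAX_LENGTH:
        problems.append(f"record is {len(record)} characters, limit is {MAX_LENGTH}")
    includes = [t for t in terms if t.lower().startswith("include:")]
    if len(includes) > MAX_INCLUDES:
        problems.append(f"{len(includes)} include statements, limit is {MAX_INCLUDES}")
    if not terms or terms[-1] not in ("~all", "-all"):
        problems.append("record must end with ~all or -all")
    for term in terms[1:]:
        if term.lower().startswith("ip4:"):
            try:
                ipaddress.IPv4Network(term[4:], strict=False)
            except ValueError:
                problems.append(f"invalid ip4 value: {term}")
    return problems


if __name__ == "__main__":
    record = build_spf(["1.2.3.4", "2.3.4.5"], ["thirdparty.com"])
    print(record, lint_spf(record))
```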

Congratulations! You’ve created your SPF record. Now, it’s time to publish it. 

Step 4: Publish your SPF to DNS 

Work with your DNS server administrator to publish your SPF record to DNS so mailbox providers can reference it. 

If you’re using a hosting provider such as 123-reg or GoDaddy, then this process is fairly simple. If your ISP administers your DNS records or if you aren’t sure, contact your IT department for support. Email service providers typically publish SPF records for sending domains on your behalf. 

Step 5: Test! 

Test your SPF record with an SPF check tool. You’ll be able to see what recipients see: a list of the servers authorized to send email on behalf of your sending domain. If one or more of your legitimate sending IP addresses is not listed, you can update your record to include it.
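
The comparison Step 5 describes can also be scripted against the IP list gathered in Step 1. This is an added example, not part of the original article: the ZONE dictionary is constructed sample data standing in for live DNS TXT answers, and the function names are hypothetical. It handles only ip4 and include terms.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers (sample data, not real).
ZONE = {
    "example.com": "v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:thirdparty.com -all",
    "thirdparty.com": "v=spf1 ip4:203.0.113.0/24 -all",
}


def authorized_networks(domain, zone, seen=None):
    """Collect the ip4 networks a domain authorizes, following include statements."""
    seen = set() if seen is None else seen
    if domain in seen or domain not in zone:
        return []  # include loop, or no record published for this domain
    seen.add(domain)
    networks = []
    for term in zone[domain].split()[1:]:
        if term.startswith("ip4:"):
            networks.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            networks += authorized_networks(term[len("include:"):], zone, seen)
    return networks


def missing_senders(domain, sender_ips, zone):
    """Return the legitimate sending IPs that the published record does not cover."""
    networks = authorized_networks(domain, zone)
    return [
        ip for ip in sender_ips
        if not any(ipaddress.ip_address(ip) in net for net in networks)
    ]


if __name__ == "__main__":
    # Sending IPs from Step 1 (constructed): the last one is not in the record.
    senders = ["1.2.3.4", "203.0.113.25", "198.51.100.7"]
    print(missing_senders("example.com", senders, ZONE))
```

Any address this returns is a legitimate sender that receivers would fail under -all until the record is updated.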

No program is bulletproof  

Don’t assume your email marketing program is bulletproof. The costs of lax email program security can range from minor business disruptions to millions of dollars in revenue loss and reputational damage.   

Want more tips to maximize your email performance? Check out our eBook, “Secrets of Best-in-Class Email Senders.” 
