Protecting Your Brand From Phishing: How to Create your SPF Record

Certainly SPF and DKIM should be your first ports of call when it comes to implementing DMARC and email authentication. You can read what DMARC is and why it's important here.

SPF records are examined when email receivers check whether the server that sent an email was authorised to do so by the sender's domain. It’s a great way for ISPs to detect forged email.

As an example, if you receive an email from ‘[email protected]’ from a server with IP address ‘’, the SPF check asks the ‘’ domain if IP ‘’ should be allowed to send email on its behalf.

So how do you get your email authenticated using SPF?

  1. Determine the domains that your email campaigns are sent from
    Here you are only concerned with the domain part of the email address, anything after the @ sign. So, if you use [email protected] and [email protected] for your emails, then you need to apply SPF records to
  2. Gather the IP addresses that are used to send the emails
    If you use an Email Service Provider, ask them for your sending IP addresses. If you have an in-house system, speak to your system administrator.

    If you use the same domain for your email campaigns that you do for your commercial email, make sure you check with your IT department and get the IP addresses used for your commercial email too.

  3. Create your SPF record
    Microsoft have provided a great wizard for generating SPF records. It can be found here: and provides you with a thorough explanation of the terms you’ll need to know.
  4. Publish your SPF to DNS
    For receiving servers to check your SPF record, it must be publicly visible. This means publishing it to the DNS server for your domain. If you’re using a hosting provider such as 123-reg or GoDaddy, this process is fairly simple. If your DNS records are administered by your ISP, or if you’re not sure, contact your IT department for support.

    You’ll need to copy the SPF record from the wizard and apply it to your DNS as a TXT record.
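
Steps 2 to 4 as an added example, not code from the original article or from the wizard it mentions: it builds the TXT value from a list of sending IPs, lints it for mistakes that break SPF, and replays the receiver-side check described earlier for a given sending IP. The addresses are documentation ranges, `_spf.esp.example` is a hypothetical provider domain, and the `-all` policy is an assumption.

```python
import ipaddress

LOOKUP_MECHS = {"include", "a", "mx", "exists", "ptr", "redirect"}  # each costs a DNS query
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def build_spf(networks, includes=(), policy="-all"):
    """Assemble the TXT value from sending IPs/ranges and provider include domains."""
    terms = ["v=spf1"]
    for net in networks:
        n = ipaddress.ip_network(net, strict=False)  # ValueError on a mistyped address
        terms.append(f"ip{n.version}:{n.with_prefixlen}")
    terms += [f"include:{d}" for d in includes]
    return " ".join(terms + [policy])

def lint(record):
    """Return the problems that would make receivers reject or ignore the record."""
    terms, problems = record.split(), []
    if not terms or terms[0] != "v=spf1":
        return ["record must start with v=spf1"]
    mechs = [t.lstrip("+-~?") for t in terms[1:]]
    names = [m.split(":")[0].split("/")[0].split("=")[0] for m in mechs]
    if "all" not in mechs and "redirect" not in names:
        problems.append("no 'all' term: unlisted servers get a neutral result")
    elif "all" in mechs and mechs.index("all") != len(mechs) - 1:
        problems.append("terms after 'all' are never evaluated")
    if "+all" in terms or "all" in terms:
        problems.append("'+all' authorises every server on the internet")
    if sum(n in LOOKUP_MECHS for n in names) > 10:
        problems.append("more than 10 DNS-lookup terms (RFC 7208 limit)")
    if len(record) > 255:
        problems.append("over 255 characters: must be split into several TXT strings")
    return problems

def check_ip(record, sender_ip):
    """Left-to-right evaluation of ip4/ip6/all only; include/a/mx need DNS and are skipped."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
    return "neutral"

# Constructed sample: documentation IP ranges and a hypothetical provider domain.
RECORD = build_spf(["192.0.2.0/24", "198.51.100.7"], includes=["_spf.esp.example"])
if __name__ == "__main__":
    print(RECORD, lint(RECORD), check_ip(RECORD, "192.0.2.55"), check_ip(RECORD, "203.0.113.9"))
```

Because `include:` terms are skipped rather than resolved, a `fail` from `check_ip` only means the address is not in the ranges you listed directly.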

That’s about it! Your SPF record should now be visible to any organisation you send email to. Don’t forget to check the validity of your record using a tool such as Any problems will also be highlighted if you’re a Return Path customer using Inbox Monitor, you’ll see it listed under in the Problems column next to each campaign:

Up next in our series on protecting your brand from phishing, we'll discuss how to set up DKIM.

