SPF records for a domain can specify all the IP addresses allowed to send emails on behalf of your company. They work to prevent spoofing and phishing attacks by instructing recipients’ mailboxes to mark unauthorized emails as spam or reject their entries. Before understanding how SPF records work, let’s see what they look like.
Here’s an SPF record example-
v=spf1 ip6=2345:0db8:85a3:0000:0000:8a2e:0370:5673 ip6=2345:0db8:85a3:0000:0000:8a2e:0370:5634 include:newsender.email -allHow SPF Records Work and How Do Mail Servers Check Them?
So, how an SPF record works? SPF record is a TXT record that enlists all the trusted and authorized servers permitted to send emails.
A mail server follows this simple process for SPF record checks-
- Server-1 sends a message with the IP address and return path 194.0.2.0 and xyz@abc.com. Please note that the From address and return path aren’t the same things.
- Server-2 looks for an SPF record for that return-path domain.
- When server-2 locates an SPF record for the return path’s domain, it searches the SPF record for Server-1’s IP address in it. The authentication check passes if the IP address is found and the email is delivered to the desired recipient’s primary inbox. The authentication check fails if the IP address isn’t found and the message either lands in the spam folder or is rejected outrightly.
Benefits of SPF Records
Now that you know how SPF records work, let’s move on to knowing why domain owners or administrators use them. Also, the primary reasons for using SPF records and DKIM records are more or less the same.
Prevents Phishing and Spoofing Attacks
There was a massive spike of 61% in the rate of phishing attacks registered in 2022 as compared to 2021. In addition, billions of emails and mobile channels were detected by a messaging security provider with the integration of malicious URLs, attachments, and natural language messages.
SPF records prevent phishing and spoofing attacks attempted in your company’s name by allowing only authorized senders to send emails using your domain.
At this point, it’s important to answer one of the most common questions- how many spf records per domain? Well, only one SPF entry should be made per domain.
Improved Email Deliverability Rate
Unfortunately, as of April 2022, 15.8% of marketing-based emails land in the spam folder, compromising the campaign efforts. One of the common reasons for poor email deliverability is not having an SPF record. This makes it vital to know how SPF records work and how to check SPF records for proper configuration.
DMARC Compliance
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It instructs the recipients’ servers on how to deal with emails failing SPF and/or DKIM checks. You can choose one of the policies; none, quarantine, or reject.
Steps to Generate an SPF Record for Your Domain
We’ve discussed SPF basic and advanced syntaxes in our “SPF record explained” blog. We suggest reading that before following these 4 steps to create your SPF record.
STEP 1: Collect all the Authorized and Recognized IP Addresses
Enlist all the IP addresses you permit sending emails from using your domain. Don’t forget to include the IP servers of any third parties who need to send emails on your behalf. For example, outsourced PR or marketing agencies.
STEP 2: Generate an SPF Record
If you’ve gone through the ‘SPF record explained’ blog, you can easily create a record for your domain. On top of it, using an online SPF record-generating tool makes it even easier. You can configure an SPF record for your domain by publishing it.
Also, do you know how long can an SPF record be? Well, a single string within your SPF record shouldn’t exceed the maximum limit of 255 characters; otherwise, you will see this error prompt- “SPF Exceeds Maximum Character Limit.”
STEP 3: Publish Your SPF Record Into Your DNS
A DNS manager publishes SPF records into your DNS. This could be a person in your company, or you can request your DNS provider to do it.
STEP 4: Test Your SPF Record
SPF record checks ensure a non-erroneous and properly configured record for your domain.
SPF Record Limitations
The following SPF record limitations don’t allow it to promise 100% protection against phishing and spoofing attacks attempted in your business’ name.
- The 10 DNS SPF Lookup Limit
There’s a limit of 10 DNS lookups to ensure validators don’t get overloaded. If you exceed the limit, the forthcoming emails reject SPF validation with a Permerror error.
Solution
Regular SPF record checks and eliminating unused services, the ptr mechanism, and the mx mechanism help you stay within the limit.
If it’s still challenging for you to stay within the limit, especially if you’re a large enterprise where lookups add quickly, you can try AutoSPF’s automatic SPF flattening service. This reduces the number of DNS queries required to verify the SPF record and also reduces the likelihood of DNS query timeouts or temporary DNS server issues.
- The Human-Readable From Address
Another SPF record limitation is that an SPF record applies to a specific Return-Path domain and not the From address. People receiving emails don’t notice the Return-Path address and focus on the From address. This allows threat actors to forge the From address for cyberattacks.
Solution
Implementing DMARC helps to overcome this SPF record limitation by requiring a match or alignment between the human-readable From address and the server authenticated by SPF.
Summary
The second server notices the return path address and looks for its corresponding SPF record. Then the recipient’s mail server checks if the IP address from which the email is sent is enlisted in the record or not.
Once you generate your SPF record, your DNS manager or DNS provider can update it on DNS. However, there’s a limit of 10 SPF record lookups which you can overcome by removing ptr or mx mechanisms or using our SPF flattening service. Reach out to us for more information on SPF flattening service.
