{"id":207489,"date":"2022-10-14T15:04:00","date_gmt":"2022-10-14T13:04:00","guid":{"rendered":"https:\/\/spotler.com\/blog\/what-is-spf"},"modified":"2026-01-28T15:52:10","modified_gmt":"2026-01-28T14:52:10","slug":"what-is-spf","status":"publish","type":"blog","link":"https:\/\/spotler.com\/en-au\/blog\/what-is-spf","title":{"rendered":"What is Sender Policy Framework (SPF)?"},"content":{"rendered":"<p id=\"pagina-intro\"><strong>We&#8217;ve all had our fair share of emails that made us reconsider whether we&#8217;re going crazy or the company sending this email had something wrong with breakfast. Emails that shouldn&#8217;t hit your inbox in the first place, emails that are clearly spam &#8211; maybe even a legitimate-looking call-to-action with a phishing link. Don&#8217;t start questioning your sanity; this company&#8217;s domain might have been spoofed due to the lack of good domain protection.<\/strong><\/p>\n<p>A significant problem with email is that domain names (@yourbusiness.com) can easily be spoofed. Sending emails on someone else&#8217;s behalf isn&#8217;t rocket science. Since email is a fairly old system (it&#8217;s been around since the &#8217;70s!), many&nbsp;protective measures&nbsp;have been developed over the years. One of these measures is SPF: The Sender Policy Framework.<\/p>\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<h2 class=\"wp-block-heading\" id=\"h-het-sender-policy-framework-spf\">The&nbsp;Sender Policy Framework&nbsp;(SPF)<\/h2>\n<p>An SPF record is a piece of text in the DNS settings of your domain (<em>yourbusiness.com<\/em>) that protects it from being spoofed (misused by others). Many spam filters and mail servers use an algorithm to mark emails as wanted or unwanted, often based on this record. 
The&nbsp;Sender&nbsp;Policy Framework tells the receiving mail server (like Gmail) that the domain is being used by someone who is allowed to use it.<\/p>\n<h3 class=\"wp-block-heading has-blue-color has-text-color\" id=\"h-e-mail-zonder-spf\">Email without SPF<\/h3>\n<p>Email communication happens between two mail servers, yours and the one your recipient uses, over the SMTP protocol. Your server hands over the information you want to send to your recipients. However, the problem is that a sender can use any name or address. We could easily fake the sender and say we&#8217;re Google, Amazon, or any other big brand, a.k.a.&nbsp;<strong>spoofing<\/strong>.<\/p>\n<h3 class=\"wp-block-heading has-blue-color has-text-color\" id=\"h-e-mail-met-spf\">Email with SPF<\/h3>\n<p>With the Sender Policy Framework (SPF) in place, the receiving server can check whether the email you send actually comes from you. The SPF record holds a list of IP addresses allowed to send on your behalf. If the sender sends the email from an IP address that isn&#8217;t on that list, it will not pass the SPF check. 
Later on, we&#8217;ll explain how that works.<\/p>\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<h2 class=\"wp-block-heading\" id=\"h-het-sender-policy-framework-spf\">Explained by an expert<\/h2>\n<p>Email expert Lars Sandbergen from DMARC Advisor tells us in under 4 minutes what SPF is, why it is needed and what it does.<\/p>\n<figure class=\"wp-block-embed aligncenter is-type-video is-provider-vimeo wp-block-embed-vimeo wp-embed-aspect-16-9 wp-has-aspect-ratio\">\n<div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"SPF (Lars Sandbergen)\" src=\"https:\/\/player.vimeo.com\/video\/899788466?dnt=1&amp;app_id=122963\" width=\"500\" height=\"281\" frameborder=\"0\" allow=\"autoplay; fullscreen; picture-in-picture; clipboard-write\"><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><em>This video contains the name &#8216;Flowmailer&#8217;, this was the previous name for Spotler.<\/em><\/figcaption><\/figure>\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<h2 class=\"wp-block-heading\" id=\"h-de-nbsp-technische-werking-nbsp-van-het-sender-policy-framework\">The Sender Policy Framework&nbsp;RFC<\/h2>\n<p>How SPF records work is found in&nbsp;<a href=\"https:\/\/tools.ietf.org\/html\/rfc7208\" target=\"_blank\" rel=\"noreferrer noopener\">RFC7208<\/a>. This documentation describes how SPF works in communication between two mail servers:&nbsp;<strong>Publishing<\/strong>&nbsp;on one side and&nbsp;<strong>authorizing<\/strong>&nbsp;on the other. The communication happens mainly during the so-called&nbsp;SMTP&nbsp;transaction, where one mail server (MTA) offers an email to another mail server. 
During authorization, the receiving mail server checks, evaluates, and provides feedback about the sender.<\/p>\n<h3 class=\"wp-block-heading has-blue-color has-text-color\" id=\"h-publiceren-van-autorisatie\">Publishing an SPF record<\/h3>\n<p>The sending domain publishes the SPF record, including&nbsp;authorized IP addresses. These addresses are allowed to send emails on behalf of the respective domain. During the email transaction, the names &#8220;HELO&#8221; and &#8220;MAIL FROM&#8221; are used. This &#8216;greeting&#8217; allows the sending mail server to be known to the receiving mail server.<\/p>\n<h3 class=\"wp-block-heading has-blue-color has-text-color\" id=\"h-controleren-van-spf-autorisatie\">Authorizing the SPF record<\/h3>\n<p>According to the RFC, the receiving mail server&nbsp;<strong>should<\/strong>&nbsp;(not every receiver does) check for the availability of an SPF record. The two identities (HELO &amp; MAIL FROM) are examined during this check. It then determines whether the sending address can send this email on behalf of those identities. Most receiving mail servers check the identities in chronological order. &#8220;HELO&#8221; (<em>smtp.yourcompany.com<\/em>) is a somewhat &#8220;easier&#8221; identity to verify. If that identity is confirmed and passes authorization, the &#8220;MAIL FROM&#8221; (<em>info@jouwbedrijf.nl<\/em>) doesn&#8217;t need to be checked. However, if the HELO cannot be verified, the receiving mail server&nbsp;<strong>must<\/strong>&nbsp;verify the more complex MAIL FROM.<\/p>\n<h3 class=\"wp-block-heading has-blue-color has-text-color\" id=\"h-evalueren-door-de-ontvanger\">Evaluating the SPF record<\/h3>\n<p>The receiving mail server also determines its next action by evaluating the SPF record. 
There are seven possible outcomes of this evaluation:<\/p>\n<ol class=\"wp-block-list\">\n<li><strong>None<\/strong>: no SPF record or no valid DNS domain was found during the SMTP transaction;<\/li>\n<li><strong>Neutral<\/strong>: no check could be done on whether the sending IP address is authorized;<\/li>\n<li><strong>Pass<\/strong>: indicates that the sender is authorized;<\/li>\n<li><strong>Fail<\/strong>: suggests that the sender is not allowed;<\/li>\n<li><b>Soft fail<\/b>: a mitigated fail because no firm policy could be found in the SPF record;<\/li>\n<li><strong>Temperror<\/strong>: A temporary connection error to DNS could be fixed in the second attempt.<\/li>\n<li><strong>Permerror<\/strong>: The domain could not be interpreted correctly. Requires the DNS administrator of the&nbsp;<strong>sender&nbsp;<\/strong>to correct the problem.<\/li>\n<\/ol>\n<p>The evaluation described above is the default evaluation. However, each recipient&#8217;s response to a failed SPF check may vary. Some receiving mail servers require having a solid SPF record, whereas others value it way less.<\/p>\n<h3 class=\"wp-block-heading has-blue-color has-text-color\" id=\"h-terugkoppeling-aan-verzender\">Feedback<\/h3>\n<p>When the SPF record has been checked and evaluated by the receiving mail server, an email passes or gets blocked. If it passes, the mail servers will communicate it&#8217;s&nbsp;<em>&#8220;delivered.&#8221;<\/em>&nbsp;However, when the SPF check fails, the receiving mail server has two options:<\/p>\n<ol class=\"wp-block-list\">\n<li>Give a (temporary)<strong>&nbsp;error<\/strong>&nbsp;so that the sending mail server knows the message doesn&#8217;t need to be sent again (rejection) or whether there is a problem of a temporary nature (&#8220;try again later&#8221;);<\/li>\n<li>Let the message&nbsp;<strong>pass<\/strong>&nbsp;and therefore give &#8220;delivered&#8221; feedback &#8211; but add a header indicating that it is a suspicious message &#8211; a.k.a. 
the&nbsp;<em>spam flag<\/em>.<\/li>\n<\/ol>\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<h2 class=\"wp-block-heading\" id=\"h-de-opbouw-nbsp-van-een-spf-record\">The structure of an SPF record<\/h2>\n<p>An SPF record always consists of three types of content: the&nbsp;<strong>version<\/strong>, the&nbsp;<strong>mechanisms<\/strong>&nbsp;and the&nbsp;<strong>qualifier<\/strong>. The &#8216;version&#8217; is always the same (since there&#8217;s only one version available) and is always the first thing to mention in the record. If it is not, the&nbsp;receiving mail server&nbsp;will not recognize the TXT record as an SPF record and will fail the check. The version is always &#8220;v=spf1&#8221;. Therefore, the SPF&nbsp;record in your DNS starts with:<strong>&nbsp;<\/strong><\/p>\n<pre class=\"wp-block-code\"><code><strong>TXT<\/strong>&nbsp;|<em>v=spf1<\/em><\/code><\/pre>\n<p>You can only have one SPF record, as the&nbsp;<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc7208#section-3.2\" target=\"_blank\" rel=\"noreferrer noopener\">RFC&nbsp;mentions<\/a>:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>A domain name MUST NOT have multiple records that would cause an authorization check to select more than one record.<\/p>\n<\/blockquote>\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<h3 class=\"wp-block-heading has-blue-color has-text-color\" id=\"h-mechanismen\">Mechanisms in an SPF&nbsp;record<\/h3>\n<p>To allow domains &amp; IP&nbsp;addresses to send emails on your behalf, you need to use so-called mechanisms. These define the way you add trusted senders to the list, and how you want to deal with IP addresses that are not on that list. 
There are two types of mechanisms: basic mechanisms and designated sender mechanisms.<\/p>\n<h4 class=\"wp-block-heading\">Basic mechanisms<\/h4>\n<p>Basic mechanisms are a part of the SPF&nbsp;record, but are not used to authorize IP addresses:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>all:&nbsp;<\/strong>this mechanism closes off the SPF&nbsp;record. It defines what to do with IP addresses that are not mentioned in the SPF&nbsp;record (read more about Qualifiers below). Always put this mechanism at the end of the SPF&nbsp;record!<\/li>\n<li><strong>include:&nbsp;<\/strong>this mechanism refers to another domain (with an SPF&nbsp;record), but is not &#8216;part of&#8217; the original SPF record. Though the name &#8216;include&#8217; suggests otherwise, the SPF record check will check the validity of the included domain separately.<\/li>\n<\/ul>\n<h4 class=\"wp-block-heading\">Designated sender mechanisms<\/h4>\n<p>Designated sender mechanisms are used to identify and authorize a set of IP addresses to send emails on your domain&#8217;s behalf:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>a<\/strong>&nbsp;(records)<\/li>\n<li><strong>mx<\/strong>&nbsp;(records)<\/li>\n<li><strong>ip4<\/strong>&nbsp;(addresses)<\/li>\n<li><strong>ip6<\/strong>&nbsp;(addresses)<\/li>\n<li>ptr (out of use)<\/li>\n<\/ul>\n<h5 class=\"wp-block-heading\" id=\"h-a-en-mx-records\">A and MX records<\/h5>\n<p>The records (a and mx) refer to the respective records of the subsequently specified domains. These records contain IP addresses that the receiving mail server will look up and check. 
This applies to both the specified domain (yourcompany.com) as well as its subdomains (mail.yourcompany.com):&nbsp;<\/p>\n<pre class=\"wp-block-code\"><code><strong>TXT<\/strong>&nbsp;|<em>v=spf1 a:yourcompany.com mx:yourcompany.com<\/em><\/code><\/pre>\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<h5 class=\"wp-block-heading\" id=\"h-ip-adressen-ipv4-ipv6\">IP addresses (IPv4 \/ IPv6)<\/h5>\n<p>You can also specify IP addresses and ranges for both IPv4 and IPv6 addresses in an SPF record. With this you grant permission to these addresses to send emails on your behalf. This method also saves on the number of lookups (max. 10); the IP addresses that may email on behalf of the domain are already in the record itself.<\/p>\n<p>For<strong>&nbsp;IPv4<\/strong>-addresses, e.g.:<\/p>\n<pre class=\"wp-block-code\"><code>TXT | v=spf1 ip4:30.83.248.91<\/code><\/pre>\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<p>For&nbsp;<strong>IPv4<\/strong>-ranges, e.g.:<\/p>\n<pre class=\"wp-block-code\"><code>TXT | v=spf1 ip4:30.93.0.1\/14<\/code><\/pre>\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<p>For&nbsp;<strong>IPv6<\/strong>-addresses, e.g.:<\/p>\n<pre class=\"wp-block-code\"><code><strong>TXT<\/strong>&nbsp;|&nbsp;v=spf1 ip6:2a01:7c8:3:1337::27<\/code><\/pre>\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<p>For&nbsp;<strong>IPv6<\/strong>-ranges, e.g.:<\/p>\n<pre class=\"wp-block-code\"><code>TXT | v=spf1 ip6:2a01:7c8:3:1337::27\/96<\/code><\/pre>\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<h4 class=\"wp-block-heading\" id=\"h-include\">Include<\/h4>\n<p>The fifth option is to refer to a domain where your SPF record is specified. This is what we did for one of our domains<a href=\"https:\/\/flowmailer.com\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a>. 
The SPF record for flowmailer.com refers to: spf.flowmailer.net.<\/p>\n<pre class=\"wp-block-code\"><code><strong>flowmailer.com TXT<\/strong>&nbsp;|&nbsp;v=spf1 include:spf.flowmailer.net ~all<\/code><\/pre>\n<p>referring to:<\/p>\n<pre class=\"wp-block-code\"><code><strong>spf.flowmailer.net TXT<\/strong>&nbsp;|&nbsp;v=spf1 ip4:185.136.64.128\/27 ip4:185.136.65.128\/27 ~all<\/code><\/pre>\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<h3 class=\"wp-block-heading has-blue-color has-text-color\" id=\"h-combineren-van-mechanismen\">Combining mechanisms<\/h3>\n<p>It&#8217;s possible to combine different mechanisms and include a multitude of IP addresses, pointers and records. The number of lookups is subject to a&nbsp;<strong>maximum of ten<\/strong>. A lookup is counted each time another DNS record has to be &#8216;looked up&#8217; to check the SPF record. These are pointers to other domains (includes) and records (a and mx). <\/p>\n<p>A combined (functioning) record could look like this, for example:<\/p>\n<pre class=\"wp-block-code\"><code><strong>TXT&nbsp;<\/strong>|&nbsp;v=spf1 a:yourcompany.com mx:yourcompany.com ip4:30.93.0.1\/14 ip6:2a01:7c8:3:1337::27 include:spf.flowmailer.net ~all<\/code><\/pre>\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<h3 class=\"wp-block-heading has-blue-color has-text-color\" id=\"h-kwalificaties\">Qualifiers<\/h3>\n<p>To indicate what action the receiving mail server should take, put one of these characters in front of the all mechanism:<br \/><strong>~<\/strong>,&nbsp;<strong>-<\/strong>,&nbsp;<strong>+<\/strong>&nbsp;or&nbsp;<strong>?<\/strong>.<\/p>\n<p><strong><em>~all<\/em><\/strong>, also called softfail (<em>recommended!<\/em>). If the sending IP address does not match the IP addresses in the SPF record, the email is accepted but marked as spam.<\/p>\n<p><strong><em>-all<\/em><\/strong>, or hardfail. 
&nbsp;All messages sent with an unauthorized IP address will be rejected by the receiving mail server. This is not recommended, as you may encounter problems with email forwarding.<\/p>\n<p><strong><em>+all<\/em><\/strong>, which simply accepts all emails. With this, the rest of your SPF record is useless.<\/p>\n<p><strong><em>?all<\/em><\/strong>, here no extra validation is performed, so it has the same effect as +all: all emails from unauthorized servers are allowed. Again, the rest of an SPF record is therefore useless.<\/p>\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<h2 class=\"wp-block-heading\" id=\"h-je-nbsp-spf-record-toevoegen-nbsp-aan-je-dns\">Adding your SPF record to your DNS<\/h2>\n<p>To get your new SPF record to work, you will have to add the record in your Domain Name System (DNS) settings. You do this (in most cases) as follows:<\/p>\n<ol class=\"wp-block-list\">\n<li>Look for the DNS settings of your domain &#8211; for providers usually under &#8216;Product Settings&#8217;;<\/li>\n<li>If your domain does not yet have an SPF record, choose &#8216;add a record&#8217;;<\/li>\n<li>Select TXT as the record type;<\/li>\n<li>Select host \/ target and define it as @ or leave it empty;<\/li>\n<li>Enter your new SPF record in the text area and check that it starts with &#8220;v=spf1&#8221;;<\/li>\n<li>Save your record and you&#8217;re done! Now your new SPF record will go live as soon as possible (depending on TTL)<\/li>\n<\/ol>\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<h2 class=\"wp-block-heading\">Summarized<\/h2>\n<p>Simply put, an SPF&nbsp;record is a collection of IP&nbsp;addresses that are allowed to send emails on your domain&#8217;s behalf. These IP&nbsp;addresses are often linked to the email sending software you use &#8211; e.g. your CRM, email marketing tool, ERP. 
With this record, you also tell the receiving mail server its next move when the IP address that is trying to email on your behalf fails the check. When set up correctly, SPF&nbsp;is the first &#8220;OG 3&#8221; email authentication method to protect your domain from abuse and increase your reputation with inbox providers.<\/p>\n<p>An SPF record always consists of the&nbsp;<strong>version<\/strong>, one or more&nbsp;<strong>mechanisms<\/strong>&nbsp;and a&nbsp;<strong>qualifier<\/strong>. Building an SPF record, the version comes first (<strong>v=spf1<\/strong>), the mechanisms to include IP addresses are in the middle, and you close the SPF&nbsp;record with a qualifier (<strong>~<\/strong>,&nbsp;<strong>-<\/strong>,&nbsp;<strong>+<\/strong>&nbsp;or&nbsp;<strong>?<\/strong>) +&nbsp;<strong>all<\/strong>.<\/p>\n<p>Though mechanisms are limited in use&nbsp;(a maximum of 10 lookups &amp; the record shouldn&#8217;t exceed a certain length), these define what IP&nbsp;addresses are allowed to send emails on your behalf. Make sure to keep that list complete and updated regularly!<\/p>\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<h2 class=\"wp-block-heading\">Need help with your SPF record?<\/h2>\n<p>Need help setting up your SPF record or is your SPF record not working properly? Spotler&#8217;s experts have years of experience in securely delivering emails and are happy to help! <a href=\"https:\/\/spotler.com\/en-au\/contact\">Feel free to contact us<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is SPF (Sender Policy Framework), why is it needed and what does it do? 
Learn more about this email authentication standard.<\/p>\n","protected":false},"author":46,"featured_media":207490,"template":"","cat_industry":[],"cat_topic":[2671],"class_list":["post-207489","blog","type-blog","status-publish","has-post-thumbnail","hentry","cat_topic-deliverability-en-int"],"acf":[],"_links":{"self":[{"href":"https:\/\/spotler.com\/en-au\/wp-json\/wp\/v2\/blog\/207489","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/spotler.com\/en-au\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/spotler.com\/en-au\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/spotler.com\/en-au\/wp-json\/wp\/v2\/users\/46"}],"version-history":[{"count":2,"href":"https:\/\/spotler.com\/en-au\/wp-json\/wp\/v2\/blog\/207489\/revisions"}],"predecessor-version":[{"id":229914,"href":"https:\/\/spotler.com\/en-au\/wp-json\/wp\/v2\/blog\/207489\/revisions\/229914"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/spotler.com\/en-au\/wp-json\/wp\/v2\/media\/207490"}],"wp:attachment":[{"href":"https:\/\/spotler.com\/en-au\/wp-json\/wp\/v2\/media?parent=207489"}],"wp:term":[{"taxonomy":"cat_industry","embeddable":true,"href":"https:\/\/spotler.com\/en-au\/wp-json\/wp\/v2\/cat_industry?post=207489"},{"taxonomy":"cat_topic","embeddable":true,"href":"https:\/\/spotler.com\/en-au\/wp-json\/wp\/v2\/cat_topic?post=207489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}