
A Guide to SPF Implementation


As your Attack Surface Management (ASM) partner, Aftra is committed to helping you strengthen your organization's security posture. A foundational step in securing your email is creating a Sender Policy Framework (SPF) record.

This guide provides a clear, step-by-step plan for your team to implement SPF correctly, which is essential for preventing email spoofing and is a mandatory prerequisite for DMARC.


1. What is SPF and Why is it Essential?


SPF (Sender Policy Framework) is an email authentication standard that allows you to publicly list all the servers and services authorized to send email on behalf of your domain. It acts as a public guest list for your email.

When an email is received, the recipient's mail server checks your SPF record to verify that the sending server is on that list. If it isn't, the email is more likely to be marked as spam or rejected.

Proper SPF implementation helps you:

  • Prevent Domain Spoofing: Makes it much harder for attackers to impersonate your domain and send fraudulent emails to your employees and customers.

  • Improve Email Deliverability: A valid SPF record signals to receiving servers that your email is legitimate, improving your chances of landing in the inbox instead of the spam folder.

  • Build a Foundation for DMARC: You cannot achieve DMARC compliance without a functioning SPF record.


2. How SPF Works: The 3-Step Check


  1. You Publish a List: You create a special TXT record in your DNS settings that lists the IP addresses and domains of all services you use to send email (e.g., Google Workspace, Microsoft 365, Mailchimp, Salesforce).

  2. An Email is Sent: When you send an email, it originates from one of those services' IP addresses.

  3. The Receiver Verifies: The receiving email server looks at the sender's domain (the envelope sender in the MAIL FROM / Return-Path address, not the visible From: header), finds its SPF record in the DNS, and checks whether the sending IP address is on the authorized list.


3. The 3-Step Implementation Plan


Implementing SPF is a straightforward process of identifying your senders and creating a DNS record.


Step 1: Identify All Your Email Sending Sources


Before you can create a record, you must compile a complete list of every service that sends email for your domain. This is the most critical step. Common sources include:

  • Email Providers: Google Workspace, Microsoft 365

  • Marketing Platforms: Mailchimp, HubSpot, Constant Contact

  • Transactional Email Services: SendGrid, Amazon SES, Postmark

  • CRM & Sales Tools: Salesforce, Zendesk

  • Internal Applications: In-house servers or applications that send notifications.


Step 2: Construct Your SPF Record


An SPF record is a single line of plain text. It always starts with v=spf1 and ends with an all mechanism.

  • Start with the version: v=spf1

  • Add your mail servers: Use ip4: for individual IPv4 addresses or CIDR ranges (e.g., ip4:192.168.1.1) and ip6: for IPv6 addresses.

  • Include third-party services: Use the include: mechanism for services like Google, Salesforce, etc. (e.g., include:_spf.google.com). The service's documentation will provide the exact value to include.

  • End with an all mechanism: This tells the receiver what to do with emails from sources not on your list.

    • -all (Fail): Recommended. Emails from unlisted senders should be rejected.

    • ~all (SoftFail): Emails from unlisted senders are marked as suspicious but may still be accepted.

    • ?all (Neutral): The record makes no assertion about unlisted senders, so the result is the same as having no SPF record at all. Not recommended.

A finished record for a company using Google Workspace and Mailchimp would look like this: v=spf1 include:_spf.google.com include:servers.mcsv.net -all


Step 3: Publish the Record to Your DNS


  1. Log in to your domain's DNS provider (e.g., GoDaddy, Cloudflare, AWS Route 53).

  2. Create a new TXT record.

  3. In the Host/Name field, enter @ (or leave it blank, depending on your provider's interface).

  4. In the Value/Content field, paste your complete SPF record string.

  5. Set the TTL (Time to Live) to 1 hour (3600 seconds) or your provider's default.


4. The Critical 10-DNS-Lookup Limit


An SPF record cannot generate more than 10 DNS lookups during evaluation. Each include: statement counts as one lookup, and so do the a, mx, ptr and exists mechanisms and the redirect= modifier; lookups inside the records you include count against your total as well. If you use many third-party services, you can easily exceed this limit, which causes a permanent error (permerror): receivers treat your SPF record as invalid, so it no longer protects you.

What to do if you exceed the limit:

  • Audit your include statements and remove any services you no longer use.

  • Use a subdomain for specific services (e.g., a marketing subdomain like news.yourcompany.com) to split up your SPF records.

  • Consult with a security expert about advanced techniques like SPF flattening (though this requires careful management).
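The following is an added example, not part of Aftra's guide or any tool it names. It ties together the three-step check, the record syntax from Step 2 and the lookup limit: a small parser for the v=spf1 string, a lookup counter that follows include: targets, and an offline evaluation of a sending IP. The DNS TXT table, the domain names and the addresses are all constructed for the example; a real checker would resolve each name in DNS.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups; a real checker would query DNS for each name.
SPF_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example include:bulk.mail.example -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.10 include:relay.mail.example ~all",
    "relay.mail.example": "v=spf1 ip4:198.51.100.20 -all",
    "bulk.mail.example": "v=spf1 ip6:2001:db8:1::/48 -all",
    "toomany.example": "v=spf1 " + "include:relay.mail.example " * 11 + "-all",  # over the limit
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that cost a DNS query
MAX_LOOKUPS = 10
VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse(record):
    """Split an SPF string into (qualifier, mechanism, value) triples; reject a bad version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)  # default is pass
        mech, _, value = term.replace("=", ":", 1).partition(":")  # redirect=x is parsed like a mechanism
        parsed.append((qualifier, mech.lower(), value))
    return parsed

def count_lookups(domain, txt=SPF_TXT):
    """Total DNS-querying terms for a domain, following include:/redirect= targets as a receiver does."""
    total = 0
    for _, mech, value in parse(txt[domain]):
        if mech in LOOKUP_MECHS:
            total += 1
            if mech in ("include", "redirect") and value in txt:
                total += count_lookups(value, txt)
    return total

def check_sender(domain, ip, txt=SPF_TXT):
    """Evaluate a sending IP against the domain's record: the first matching mechanism decides."""
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, value in parse(txt[domain]):
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)  # v4/v6 mismatch is no match
        elif mech == "include":
            matched = check_sender(value, ip, txt) == "pass"  # include matches only on the target's pass
        elif mech == "all":
            matched = True
        else:
            matched = False  # a, mx, ptr, exists need live DNS and are not evaluated offline here
        if matched:
            return VERDICT[qualifier]
    return "neutral"  # nothing matched and no all term: receivers treat this like ?all
```

Run count_lookups on your own domain's record (with a real resolver in place of the table) before publishing to confirm you stay under MAX_LOOKUPS; the toomany.example entry shows how quickly repeated includes exhaust the budget.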


5. Recommended Tools


Use free online tools to ensure your record is correct before and after publishing:

  • SPF Record Checkers: MXToolbox, Dmarcian, and EasyDMARC have tools that validate your record, check for syntax errors, and count your DNS lookups.

  • SPF Generators: Many sites can help you build your record if you are unsure of the syntax.