Bajorat Media
SPF record - what is it? A guide for non-technical people
SPF record: Component for email authentication. How SPF records work and how they can help protect the integrity of your emails.
In this fast-paced digital world, the need to make email communications reliable and secure is increasing. One way to check the authenticity of emails is SPF records. SPF stands for “Sender Policy Framework”, and it is a complex system that email providers use to determine whether an email they receive actually came from the specified source. This guide explains what SPF records are, why they’re important, and how to use them. We’ll also take a look at how you can create your own SPF records and implement them on your own email server.
What are SPF records / SPF entry?
SPF records are a type of DNS record that email providers use to determine whether an email they receive actually came from the specified source. In simpler terms, this means that SPF records are used to prevent spammers and phishers from forging your address and sending emails in your name.
Why are SPF records important?
SPF records are important for making email communications secure and reliable. If spammers and phishers forge your address and send emails in your name, this can result in your emails being marked as spam and therefore not being delivered to recipients. This is a problem that many email users are experiencing these days, and it can have serious consequences. Furthermore, a missing SPF record can result in your emails being marked as inauthentic and your email server being classified as untrustworthy. This can result in your emails ending up in recipients’ spam folders or not being delivered at all.
Google Gmail rejects emails without or with an invalid SPF record
Since approximately March 2023, Google Gmail email servers have been rejecting all incoming emails that do not have a valid SPF record or DKIM entry. Corresponding error messages can then look like this and are returned to the sender as an email:
Host ASPMX.L.GOOGLE.com[XXX.XXX.XXX.XXX] said: 550-5.7.26 This mail is unauthenticated, which poses a security risk to the 550-5.7.26 sender and Gmail users, and has been blocked. The sender must 550-5.7.26 authenticate with at least one of SPF or DKIM. For this message, 550-5.7.26 DKIM checks did not pass and SPF check for [domain.com] 550-5.7.26 did not pass with ip: [XXX.XXX.XXX.XXX]. The sender should visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for 550 5.7.26 instructions on setting up authentication.
Google's dedicated help page has further information about the requirements for the SPF record. It states specifically:
Google randomly checks messages sent to personal Gmail accounts to confirm their authentication. To ensure that messages to personal Gmail accounts are delivered as expected, you should set up either SPF or DKIM for your domain. Messages without at least one of these authentication methods will be rejected with Error 5.7.26 or marked as spam. This requirement does not apply to existing senders. However, we recommend that you always set up SPF and DKIM to protect your organization’s email and meet future authentication requirements. If you need help setting up email authentication for your organization, contact your email provider.
How are SPF records used?
SPF records are used to convince email providers that emails they receive actually come from the specified source. Using SPF records takes place in two steps.
How to create and implement your own SPF records?
If you have your own email server, you can create your own SPF records and deploy them for your email server. The first step in creating your own SPF records is to create a list of IP addresses and domains that your email server considers trustworthy. Once you have created this list, you can add it to your DNS record. The next step is to create an SPF policy that specifies how to handle email that comes from an IP address or domain that is not on the SPF list. You will then need to check your SPF record to see if it is working correctly. To do this you can use a tool such as an SPF checker. This tool checks your SPF record and gives detailed output that helps you determine whether your SPF record is correct or not. Once verified, you can be sure that your emails are only sent from trusted sources.
The SPF record
| Code | Meaning |
| --- | --- |
| v | Version of the record; v=spf1 indicates the currently valid version. |
| ip4 | IP address; “ip4” stands for the well-known IPv4 form of the IP address. There are also the newer IPv6 addresses, which are, however, still less common. |
| mx | Points to the MX entry that is stored for the domain and thus authenticates the mail server in the SPF entry. |
| a | Refers to the A record, i.e. the IP address of the web server, so that the web server can also send emails. |
| -all | All other sources not listed here are unauthorized and should be rejected. |
| ~all | All other sources not listed here will be marked as spam but will not be rejected. |
| include | Specifies additional domains whose SPF record should also be retrieved. |
An example SPF record, using our domain:
v=spf1 mx a include:amazonses.com ~all
In this example, the mail server / MX entry is enabled via mx, the web server is enabled via a and the Amazon AWS SES mail servers are authenticated as senders via include:amazonses.com. The ~all at the end indicates that sources other than those mentioned should be marked as spam.
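How a receiving server evaluates the example record, as an added sketch that is not part of the original article: terms are checked left to right and the first match decides the result. The domain example.com, the DNS table and all IP addresses are constructed for illustration, and the amazonses.com entry is a stand-in, not that domain's real record.

```python
import ipaddress

# Constructed DNS data (documentation address ranges) so the sketch runs offline.
DNS = {
    "example.com": {"TXT": "v=spf1 mx a include:amazonses.com ~all",
                    "A": ["192.0.2.10"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
    "amazonses.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},  # stand-in record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, dns=DNS, depth=0):
    """Simplified SPF check: return the result for a sending IP address."""
    terms = dns.get(domain, {}).get("TXT", "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # domain publishes no SPF record
    if depth > 10:
        return "permerror"                 # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                    # a bare mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in dns.get(arg or domain, {}).get("A", [])
        elif name == "mx":
            hosts = dns.get(arg or domain, {}).get("MX", [])
            matched = any(ip in dns.get(h, {}).get("A", []) for h in hosts)
        elif name == "include":
            # An include only matches when the included record says "pass".
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            continue                       # other terms are ignored in this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term
```

With these constructed values, the mail server, the web server and the included range all pass, while any other address falls through to ~all and gets softfail.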
Conclusion
SPF records are an important tool for making email communications secure and reliable. They help email providers verify the authenticity of emails by using a list of IP addresses and domains that are considered trustworthy. If you have your own email server, you can create your own SPF records and implement them on your server. By following these steps, you can be sure that your emails are only sent from trusted sources. If you need help configuring and setting up your SPF record correctly, please feel free to contact us. We help quickly and easily.