In this fast-paced digital world, there is an increasing need to make email communication reliable and secure. One way to verify the authenticity of email is through SPF records. SPF stands for "Sender Policy Framework", a mechanism that email providers use to determine whether an email they receive really comes from the source it claims to come from.
In this guide we will explain what SPF records are, why they are so important and how to use them. We will also take a look at how you can create your own SPF records and implement them on your own email server.
What are SPF records?
SPF records are a type of DNS record that email providers use to determine whether an email they receive really comes from the specified source. Put simply, SPF records are used to prevent spammers and phishers from sending emails in your name.
SPF records consist of a list of IP addresses and domains that your email provider considers trustworthy. When an email provider receives an email that originates from an IP address or domain that is not on the SPF list, that email is classified as spam or a phishing attempt.
Why are SPF records important?
SPF records are important for making email communication safe and reliable. If spammers and phishers send emails in your name, your own emails can end up being marked as spam and thus not delivered to recipients. Many email users experience this problem nowadays, and it can have serious consequences.
Furthermore, a missing SPF record can lead to your emails being marked as inauthentic and your email server thus being classified as untrustworthy. This can result in your emails ending up in recipients' spam folders or not being delivered at all.
Google Gmail rejects mail without a valid SPF record
Since about March 2023, Google's Gmail servers reject incoming mail that passes neither an SPF nor a DKIM check. The corresponding error message looks like the following and is returned to the sender as a bounce email:
Host ASPMX.L.GOOGLE.com[XXX.XXX.XXX] said:
550-5.7.26 This mail is unauthenticated, which poses a security risk to the
550-5.7.26 sender and Gmail users, and has been blocked. The sender must
550-5.7.26 authenticate with at least one of SPF or DKIM. For this message,
550-5.7.26 DKIM checks did not pass and SPF check for [domain.com]
550-5.7.26 did not pass with ip: [XXX.XXX.XXX.XXX]. The sender should visit
550-5.7.26 https://support.google.com/mail/answer/81126#authentication for
550 5.7.26 instructions on setting up authentication.
Google's help page on the subject (linked in the bounce above) gives more information about the requirements for the SPF record. It states:
Google randomly checks messages sent to private Gmail accounts to confirm their authentication. So that messages to private Gmail accounts are delivered as expected, you should set up either SPF or DKIM for your domain. Messages without at least one of these authentication methods are rejected with error 5.7.26 or marked as spam. This requirement does not apply to existing senders. However, we recommend that you always set up SPF and DKIM to protect your organization's email and meet future authentication requirements. If you need help setting up email authentication for your organization, contact your email provider.
How are SPF records used?
SPF records are used to show email providers that the emails they receive really come from the specified source. Using SPF records is a two-step process.
First, the SPF record is published as a DNS record for the sending domain. This record contains the list of IP addresses and domains that are allowed to send mail for that domain. When an email provider receives an email, it looks up the sender domain's SPF record to see whether the sending IP address or domain is included in the list. If it is, the email is deemed authentic and forwarded to the recipient.
The second step in using SPF records is to define an SPF policy. This is the part of the record that tells the receiving email provider how to handle email that originates from an IP address or domain that is not on the SPF list.
How to create and implement your own SPF records?
If you have your own email server, you can create your own SPF records and implement them on your email server. The first step is to compile the list of IP addresses and domains that are allowed to send mail for your domain. Once you have this list, you add it to your DNS as an SPF record. The next step is to define the SPF policy that specifies how to handle email that comes from an IP address or domain that is not on the SPF list.
Following this, you need to check that your SPF record is working correctly. To do this, you can use a tool such as an SPF checker. Such a tool reads your SPF record and gives a detailed output that helps you determine whether your SPF record is correct. Once it has been checked, you can be confident that only trusted sources are authorized to send your emails.
The SPF record
| Mechanism | Meaning |
|---|---|
| v | Version of the record; v=spf1 indicates the currently valid version. |
| ip4 | IP address; "ip4" denotes the well-known IPv4 form of address. There are also the newer IPv6 addresses (ip6), which are, however, still less common. |
| mx | Refers to the MX record stored for the domain and thus authorizes the domain's mail server in the SPF record. |
| a | Points to the A record, i.e. the IP address of the web server, so that the web server can also send mail. |
| -all | All other senders not listed here are not authorized and should be rejected. |
| ~all | All other senders not listed here will be marked as spam, but not rejected. |
| include | Specifies other domains whose SPF record should also be retrieved and evaluated. |
An exemplary SPF record using our domain as an example:
v=spf1 mx a include:amazonses.com ~all
In this example, mx authorizes the mail server named in the MX record, a authorizes the web server, and include:amazonses.com authorizes Amazon AWS SES mail servers as senders.
The ~all at the end indicates that mail from sources other than those mentioned should be marked as spam.
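To make the two-step process described above (look up the record, then apply its policy) and the mechanisms in the table concrete, here is an added example, not code from the original article: a small offline SPF evaluator in Python. It parses a record in the format shown above and decides whether a given sending IP is authorized. Instead of live DNS it uses a constructed in-memory table (the domain names, IPs and the amazonses.com record in it are made up for the example). It goes slightly beyond the article by also enforcing the limit of 10 lookup-triggering terms (a, mx, include) that RFC 7208 imposes on a record.

```python
"""Offline SPF evaluator (added example). Parses records such as
'v=spf1 mx a include:amazonses.com ~all' and evaluates a sending IP
against a constructed DNS table rather than real DNS."""
import ipaddress

# Constructed stand-in for DNS. A real checker would query TXT, MX and A
# records over the network; the amazonses.com record below is NOT the real one.
FAKE_DNS = {
    "example.com": {
        "TXT": "v=spf1 mx a include:amazonses.com ~all",
        "MX": ["mail.example.com"],
        "A": ["203.0.113.10"],
    },
    "mail.example.com": {"A": ["203.0.113.25"]},
    "amazonses.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
}

# Qualifier prefix -> SPF result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 a/mx/include terms is a permerror


def _records(domain, rtype):
    return FAKE_DNS.get(domain, {}).get(rtype, [])


def _ip_in_a_records(ip, domain):
    """True if ip equals one of the A records of domain."""
    return any(ip == ipaddress.ip_address(a) for a in _records(domain, "A"))


def check_spf(ip, domain, lookups=None):
    """Return (result, reason). result is pass/fail/softfail/neutral/none/permerror.
    Not implemented here: CIDR suffixes on a/mx, the redirect= and exp= modifiers."""
    if lookups is None:
        lookups = [0]  # shared counter across include recursion
    ip = ipaddress.ip_address(ip)
    record = FAKE_DNS.get(domain, {}).get("TXT")
    if record is None:
        return "none", f"no SPF record for {domain}"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror", "record does not start with v=spf1"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # ip_network.__contains__ returns False when the IP versions differ
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            lookups[0] += 1
            matched = _ip_in_a_records(ip, arg or domain)
        elif name == "mx":
            lookups[0] += 1
            matched = any(_ip_in_a_records(ip, mx) for mx in _records(arg or domain, "MX"))
        elif name == "include":
            lookups[0] += 1
            sub, sub_reason = check_spf(ip, arg, lookups)
            if sub == "permerror":
                return sub, f"include:{arg}: {sub_reason}"
            matched = sub == "pass"  # an include only matches when the included record passes
        else:
            return "permerror", f"unknown mechanism or modifier {term!r}"
        if lookups[0] > MAX_LOOKUPS:
            return "permerror", "too many DNS lookups (limit is 10)"
        if matched:
            return QUALIFIERS[qualifier], f"matched {qualifier}{name}{':' + arg if arg else ''}"
    return "neutral", "no mechanism matched (implicit ?all)"


if __name__ == "__main__":
    for sender_ip in ("203.0.113.25", "203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(sender_ip, check_spf(sender_ip, "example.com"))
```

Running the block evaluates four constructed sender IPs against example.com: the MX host and the web server pass via mx and a, an address inside the included network passes via include, and an unlisted address reaches ~all and gets softfail, which is exactly the "mark as spam, do not reject" policy the article describes. Swapping the trailing mechanism for -all in the table turns that last result into fail.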
SPF records are an important tool for making email communication secure and reliable. They help email providers verify the authenticity of emails by publishing a list of IP addresses and domains that are authorized to send for your domain. If you have your own email server, you can create your own SPF record and implement it on your server. By following these steps, you can be confident that only trusted sources are authorized to send your emails.
If you need help configuring and setting up your SPF record correctly, please feel free to contact us; we help quickly and without complications.