How to Configure SPF?

Sender Policy Framework (SPF) is an email authentication technique that helps receiving mail servers detect forged and spoofed sender domains. Recipient email servers evaluate SPF using the domain in the MAIL FROM address (commonly referred to as the Return-Path). The Return-Path is the address to which recipient email servers report delivery problems: if an email fails to deliver, the bounce message is sent to the Return-Path address.

The SPF record retrieved by the recipient email server lists the IP addresses that are permitted to send email for the sender's domain. The receiving server compares the IP address of the connecting sending server with that list. If it matches, the email passes SPF authentication. If not, the record's "all" mechanism decides the result (fail, soft fail or neutral), and the email may well be spoofed.

Important Notes Before You Start

  • A domain can have only one SPF record

  • Publishing multiple SPF records will cause SPF validation to fail

  • If an SPF record already exists, it must be updated, not recreated

How to Create a New SPF Record:

Use this method only if no SPF record exists for your domain.

Steps:

  1. Log in to your DNS provider

  2. Create a new TXT record

  3. Enter the following values:

  • Host / Name: @ (or your domain name)

  • Record Type: TXT

  • Value (example): v=spf1 include:_spf.google.com -all

  4. Save the record and allow DNS propagation

How to Update an Existing SPF Record:

Use this method if an SPF record is already present.

Steps:

  1. Locate the existing TXT record starting with: v=spf1

  2. Edit the same record, adding the required sending sources.

  3. Example (Update Existing Record):

    Before:

    v=spf1 include:_spf.google.com -all

    After:

    v=spf1 include:_spf.google.com include:mail.example.com -all

Common SPF Mechanisms:

  Mechanism      Purpose
  ip4: / ip6:    Authorize specific IP addresses
  include:       Authorize third-party email services
  a              Authorize A-record IPs
  mx             Authorize MX servers

Choose the Right SPF Policy:

  Policy    Description
  -all      Hard fail (recommended for production)
  ~all      Soft fail (testing phase)
  ?all      Neutral
  +all      Allow all (not recommended)
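The following is an added example, not code from the original article or from TDMARC, showing how a receiving server applies the rules above: it refuses a domain that publishes more than one v=spf1 record, walks the mechanisms (ip4, ip6, a, mx, include) in order, and lets the qualifier on the first match (including the trailing -all / ~all / ?all / +all) decide the result. The DNS data is constructed in dictionaries so it runs offline; the zone names and addresses are invented for this example and a real checker would query DNS instead.

```python
import ipaddress
import re

# Constructed DNS data standing in for live lookups (assumption: these zones and
# addresses are invented for this example; a real checker queries DNS).
TXT_RECORDS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip6:2001:db8::/32 a mx ~all"],
    "broken.example": ["v=spf1 a -all", "v=spf1 mx -all"],   # two SPF records
    "loop.example": ["v=spf1 include:loop.example -all"],    # never-ending includes
}
A_RECORDS = {
    "_spf.mailer.example": ["198.51.100.10"],
    "mx1.mailer.example": ["198.51.100.20"],
}
MX_RECORDS = {"_spf.mailer.example": ["mx1.mailer.example"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10   # RFC 7208 limit on DNS-querying mechanisms per evaluation
# qualifier, mechanism name, optional ":target", optional "/prefix"
TERM = re.compile(r"([-+~?]?)([A-Za-z0-9]+)(?::([^/]+))?(?:/(\d+))?")


class PermError(Exception):
    """The record cannot be evaluated (duplicate records, lookup limit, ...)."""


def get_spf_record(domain):
    """Return the domain's single SPF record, or None when it publishes none."""
    spf = [t for t in TXT_RECORDS.get(domain, [])
           if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(spf) > 1:   # the article's rule: more than one record breaks SPF
        raise PermError(f"{domain}: {len(spf)} SPF records published, expected 1")
    return spf[0] if spf else None


def _in_networks(ip, addresses, prefix):
    """True when ip lies within any address/prefix (prefix None = exact host)."""
    for addr in addresses:
        bits = prefix or ipaddress.ip_address(addr).max_prefixlen
        if ip in ipaddress.ip_network(f"{addr}/{bits}", strict=False):
            return True
    return False


def check_host(ip, domain, _lookups=None):
    """Evaluate SPF for a sending IP and MAIL FROM domain (RFC 7208 result)."""
    ip = ipaddress.ip_address(ip)
    lookups = [] if _lookups is None else _lookups   # shared across includes
    record = get_spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        m = TERM.fullmatch(term)
        if not m:
            continue   # modifiers such as redirect= are not handled here
        qualifier, mech, target, prefix = m.groups()
        mech, target = mech.lower(), target or domain
        if mech in ("include", "a", "mx"):
            lookups.append(mech)
            if len(lookups) > MAX_LOOKUPS:
                raise PermError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(f"{target}/{prefix}" if prefix else target,
                                       strict=False)
            matched = ip in net   # False when the IP version differs
        elif mech == "a":
            matched = _in_networks(ip, A_RECORDS.get(target, []), prefix)
        elif mech == "mx":
            matched = any(_in_networks(ip, A_RECORDS.get(host, []), prefix)
                          for host in MX_RECORDS.get(target, []))
        elif mech == "include":
            # include matches only when the referenced record yields "pass"
            matched = check_host(ip, target, lookups) == "pass"
        else:
            raise PermError(f"{domain}: unsupported mechanism {mech!r}")
        if matched:
            return QUALIFIERS[qualifier or "+"]
    return "neutral"   # nothing matched and no explicit "all" mechanism


def spf_result(ip, domain):
    """check_host() with PermError folded into the 'permerror' result string."""
    try:
        return check_host(ip, domain)
    except PermError:
        return "permerror"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "2001:db8:1::5", "198.51.100.20", "203.0.113.9"):
        print(ip, "->", spf_result(ip, "example.com"))
    print("broken.example ->", spf_result("192.0.2.1", "broken.example"))
```

Note the asymmetry that the update procedure above relies on: an include only matches when the included record returns "pass", so a ~all or -all inside a third party's record never causes your own record to fail; your own trailing qualifier does that.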

How to Achieve SPF Alignment?

Setting a custom Return-Path has many advantages. If a DMARC policy has been implemented for your domain, it is strongly recommended to set up a custom Return-Path for achieving SPF alignment. DMARC evaluates whether the domain in the Return-Path aligns with the domain in the ‘From’ address. If it doesn’t, that email will fail SPF alignment authentication.

For instance, if your organization sends emails from example.com, the messages can still pass DKIM and SPF authentication; however, if the From and Return-Path addresses don't use the same domain, SPF won't pass for DMARC verification. When the Return-Path domain tdmarc.example.com is set up and emails are sent from example.com, the domains are aligned and DMARC can operate. This configuration sets the MAIL FROM (Return-Path) domain to tdmarc.example.com.

Relaxed SPF Alignment (aspf=r)

  From Domain    Return Path           DMARC Evaluation
  example.com    example.com           Pass
  example.com    abc.example.com       Pass
  example.com    example.tdmarc.com    Fail

Strict SPF Alignment (aspf=s)

  From Domain    Return Path           DMARC Evaluation
  example.com    example.com           Pass
  example.com    abc.example.com       Fail
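The two alignment tables above, as an added example that is not part of the original article or of TDMARC's tooling. It reads the aspf tag from the From domain's DMARC record (default relaxed), extracts the From and Return-Path domains from message headers, and reports whether DMARC's SPF component passes, which requires both an SPF pass for the Return-Path domain and alignment. The DMARC records are constructed and embedded in a dictionary; the organizational-domain helper approximates the last two labels, whereas a real implementation uses the Public Suffix List.

```python
import email.utils

# Constructed DMARC records standing in for a DNS TXT lookup of _dmarc.<domain>
# (assumption: these records are invented for this example).
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; aspf=r; rua=mailto:dmarc-reports@example.com",
    "strict.example": "v=DMARC1; p=quarantine; aspf=s",
}


def dmarc_tags(record):
    """Parse 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption: a real implementation consults the Public Suffix List so that
    names like example.co.uk resolve to the right organizational domain."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spf_aligned(from_domain, return_path_domain, mode="r"):
    """True when the Return-Path domain aligns with the From domain.
    mode "r" (relaxed) accepts any subdomain of the same organizational domain;
    mode "s" (strict) requires an exact match."""
    f = from_domain.lower().rstrip(".")
    r = return_path_domain.lower().rstrip(".")
    if mode == "s":
        return f == r
    return organizational_domain(f) == organizational_domain(r)


def _domain_of(header_value):
    """Extract the domain from an address header such as 'Name <user@host>'."""
    return email.utils.parseaddr(header_value)[1].rpartition("@")[2].lower()


def dmarc_spf_check(headers, spf_result):
    """Combine the SPF result with alignment. DMARC's SPF component passes only
    when SPF returned "pass" for the Return-Path domain AND that domain aligns
    with the From domain under the From domain's aspf setting."""
    from_domain = _domain_of(headers["From"])
    rp_domain = _domain_of(headers["Return-Path"])
    record = (DMARC_RECORDS.get(from_domain)
              or DMARC_RECORDS.get(organizational_domain(from_domain), ""))
    mode = dmarc_tags(record).get("aspf", "r").lower()   # default is relaxed
    aligned = spf_aligned(from_domain, rp_domain, mode)
    return {
        "from": from_domain,
        "return_path": rp_domain,
        "aspf": mode,
        "aligned": aligned,
        "dmarc_spf_pass": spf_result == "pass" and aligned,
    }


if __name__ == "__main__":
    # Constructed headers: the article's custom Return-Path on a From of example.com
    msg = {"From": "Alice <alice@example.com>",
           "Return-Path": "<bounce@tdmarc.example.com>"}
    print(dmarc_spf_check(msg, "pass"))
```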



To set up a bounce domain, you will need to create a CNAME record with the DNS service provider of your choice. Once the CNAME record is in place, the custom bounce domain overrides the existing Return-Path value of example.com for all messages sent from your domain. It also boosts the overall deliverability of your emails to inboxes.
