SPF Records

Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an email authentication method that lets a receiving mail server detect forged sender domains at delivery time. The receiver takes the domain from the message's envelope sender (the SMTP MAIL FROM address, also called Return-Path; or the HELO/EHLO host name when MAIL FROM is empty), looks up that domain's SPF record in DNS, and checks whether the connecting IP address is one the domain administrator has authorized. The SPF record therefore lists the hosts and IP addresses that are permitted to send mail for the domain. Note that SPF says nothing about the From: header the recipient sees; tying that visible address to an SPF or DKIM result is the job of DMARC.

SPF is specified in RFC 7208, published in April 2014, which has the IETF status of Proposed Standard.

Structure of SPF Records

An SPF record is published as a DNS TXT record, a record type that carries free-form text; there is no dedicated record type in use (the separate SPF record type defined earlier was dropped by RFC 7208). An example TXT record carrying an SPF policy:

vergecloud.site.                114   IN    TXT   "v=spf1 a mx ip4:94.101.186.147 -all"

The record begins with the version tag v=spf1; SPFv1 is the only version in use. The rest of the record is a list of mechanisms that are evaluated left to right. The first mechanism that matches the sender's IP address decides the result, and the all mechanism (normally placed last) catches every sender that matched nothing else. Each mechanism may be prefixed with a qualifier that sets the result when that mechanism matches:

  • +: pass. The matching host is authorized to send. This is the default when no qualifier is written, so "a" and "+a" are equivalent.
  • -: fail. The matching host is not authorized; receivers typically reject or quarantine the message.
  • ~: softfail. The host is probably not authorized; the message should be accepted but marked, which feeds into spam scoring and DMARC evaluation.
  • ?: neutral. The record makes no statement about the host, which is treated the same as having no SPF record for that sender.

Mechanisms Available in SPF Records

The following mechanisms can be included in SPF record definitions:

  • ip4: Matches if the sender's IP is the given IPv4 address or CIDR range, e.g. ip4:94.101.186.147 or ip4:94.101.186.0/24. Use ip6 for IPv6 addresses.
  • include: Evaluates another domain's SPF record and matches if that record returns pass for the sender, e.g. include:_spf.google.com for a third-party mail provider. Only a pass from the included record counts; a fail or softfail inside it simply means "no match", and evaluation continues with the next mechanism in your own record.
  • all: Matches every sender. It is placed last, and its qualifier defines what happens to senders that matched nothing else:
    • +all: Any host may send mail as your domain. This disables the protection SPF provides.
    • -all: Only the hosts listed before it may send mail. "v=spf1 -all" on its own declares that the domain sends no mail at all.
    • ~all: Mail from unlisted hosts should be accepted but marked as a softfail.
  • a: Matches if the sender's IP is one of the A (or AAAA) records of the domain, or of the domain given as an argument (e.g. a:mail.example.com).
  • mx: Matches if the sender's IP is an A (or AAAA) record of one of the domain's MX hosts, or of the MX hosts of the domain given as an argument.
  • ptr: Matches if the reverse (PTR) name of the sender's IP resolves back to that IP and lies under the domain. RFC 7208 says ptr should not be used: it is slow, unreliable, and some receivers skip it.
  • exists: Matches if the given domain name resolves to any A record (e.g. exists:check.example.com). On its own it is rarely useful; it is normally combined with SPF macros so that the name looked up depends on the sender, for example on its IP address.

SPF Modifiers

Modifiers are name=value pairs (note the equals sign, where mechanisms use a colon) and are placed after the mechanisms. RFC 7208 defines two, redirect and exp, and each may appear at most once:

  • redirect: Replaces the current record with the SPF record of another domain, which is useful for publishing one policy for many domains. Two caveats: the redirect is only consulted when no mechanism in the current record matched, so a record that also contains all will never reach it; and if the target domain has no SPF record, the result is a permanent error rather than "none". Use redirect for domains you control and include for third parties. An example is:
    v=spf1 redirect=_spf.yourdomain.com
  • exp: Names a domain whose TXT record supplies an explanation string that a receiver may show when the result is fail. It is optional and rarely needed.
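The evaluation rules above (qualifiers, first match wins, include counting only a pass, and redirect being consulted only when nothing matched) can be seen in a small Python evaluator. This is an added example, not VergeCloud code or a reference implementation of RFC 7208: it runs against a constructed in-memory DNS table (every .test name and address is an assumption), and it omits ptr, exists, macros and CIDR suffixes on a/mx.

```python
"""Toy SPF evaluator: a subset of RFC 7208 check_host() over an in-memory DNS.
Added example, not VergeCloud code; all .test names and addresses are assumptions."""
import ipaddress

# Constructed DNS data so the example runs offline.
FAKE_DNS = {
    ("example.test", "TXT"): ["v=spf1 a mx ip4:198.51.100.0/24 include:_spf.mail.test -all"],
    ("example.test", "A"): ["203.0.113.10"],
    ("example.test", "MX"): ["mx1.example.test"],
    ("mx1.example.test", "A"): ["203.0.113.25"],
    ("_spf.mail.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
    # redirect= used as intended: the alias domain has no mechanisms of its own.
    ("alias.test", "TXT"): ["v=spf1 redirect=example.test"],
    # redirect= that is never reached, because '~all' always matches first.
    ("shadowed.test", "TXT"): ["v=spf1 ~all redirect=example.test"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None if it has zero or several."""
    recs = [r for r in lookup(domain, "TXT") if r.split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None


def host_has_ip(ip, host):
    """The 'a' test: is ip one of host's A (IPv4) or AAAA (IPv6) records?"""
    rtype = "A" if ip.version == 4 else "AAAA"
    return any(ip == ipaddress.ip_address(addr) for addr in lookup(host, rtype))


def check_host(ip, domain, depth=0):
    """Result of evaluating sender ip against domain's SPF policy.
    Mechanisms are tried left to right and the first match returns its
    qualifier's result; redirect= is consulted only if nothing matched."""
    ip = ipaddress.ip_address(str(ip))
    if depth > 10:                                   # runaway include/redirect chain
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:             # name=value: a modifier
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue                                 # exp= and unknown modifiers are ignored
        qualifier = term[0] if term[0] in QUALIFIERS else "+"   # '+' is the default
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        try:
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                matched = host_has_ip(ip, arg or domain)
            elif mech == "mx":
                matched = any(host_has_ip(ip, mx) for mx in lookup(arg or domain, "MX"))
            elif mech == "include":
                inner = check_host(ip, arg, depth + 1)
                if inner in ("none", "permerror"):   # including a missing record is fatal
                    return "permerror"
                matched = inner == "pass"            # only the included record's pass counts
            else:
                return "permerror"                   # ptr/exists/macros not implemented here
        except ValueError:                           # malformed address or network
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]             # first match wins
    if redirect:                                     # reached only if no mechanism matched
        result = check_host(ip, redirect, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"


if __name__ == "__main__":
    for sender, domain in [("203.0.113.10", "example.test"),    # matches 'a'
                           ("203.0.113.25", "example.test"),    # matches 'mx'
                           ("192.0.2.9", "example.test"),       # include returns pass
                           ("10.0.0.1", "example.test"),        # include softfail ignored, '-all'
                           ("198.51.100.7", "alias.test"),      # redirect followed
                           ("198.51.100.7", "shadowed.test")]:  # '~all' shadows the redirect
        print(f"{sender:>14} {domain:<15} {check_host(sender, domain)}")
```

The two redirect cases are the ones worth comparing: alias.test yields the same result as example.test, while shadowed.test returns softfail for every sender because its ~all matches before the redirect is ever consulted.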

Configuring SPF Records in the VergeCloud User Panel

To create or update the SPF record for a domain in the VergeCloud panel, follow these steps:

  1. Select Your Domain: Log in to your VergeCloud account and navigate to the dashboard. Select the domain for which you want to configure the SPF record (e.g., vergecloud.site).
  2. Navigate to DNS Records: Within your domain’s settings, locate the DNS Management section provided by VergeCloud. This area allows you to view and edit DNS records associated with your domain.
  3. Create or Edit a TXT Record: Click "Add Record" to create a new TXT record, or click the edit icon next to the existing TXT record that holds your SPF policy. A domain must have exactly one TXT record beginning with v=spf1; publishing a second one makes receivers return a permanent error instead of evaluating either. Enter the following details:
    • Name: Enter @ to apply the SPF record to the root domain.
    • Type: Select TXT from the record type options.
    • Value: Enter your SPF policy (e.g., "v=spf1 a mx ip4:192.168.1.1 -all"). The address 192.168.1.1 is a placeholder; use the public IP address your mail server connects from, since private addresses never appear as the source of mail on the Internet.
    • TTL: VergeCloud's default is two minutes (120 seconds). Use a short value such as 300 seconds while you are still adjusting the policy and a longer one such as 3600 seconds once it is stable.
  4. Save the Record: After entering the details, save the TXT record within the VergeCloud User Panel. It may take some time for DNS changes to propagate globally.
  5. Verify the Record: Use DNS lookup tools or the VergeCloud dashboard to verify that the SPF record has been correctly added and is active. For example, you can use the dig command:
    dig TXT vergecloud.site +short
    Check that exactly one line of the output begins with "v=spf1" and that it contains the policy you entered. Other TXT records at the root (for example domain-verification tokens) are listed alongside it; that is fine as long as only one of them starts with v=spf1.

Common Use Cases

Here are some common scenarios where configuring SPF records is essential:

  • Allowing Emails from Authorized IPs: If only your web server (e.g., with IP address 192.168.243.1) should send mail, enter @ in the name field and use the following in the value field:
    "v=spf1 ip4:192.168.243.1 -all"
    A variant such as "v=spf1 ip4:192.168.243.1 +a +mx -all" additionally authorizes the hosts behind the domain's A and MX records; add a and mx only if those hosts also send mail (the + qualifiers are the default and may be omitted).
  • Configuring for G Suite (now Google Workspace): Following Google's guidelines, the TXT record value should be set as:
    "v=spf1 include:_spf.google.com ~all"
    If other servers also send mail for the domain, list them in the same record alongside the include, for example:
    "v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all"
    Or:
    "v=spf1 include:serverdomain.com include:_spf.google.com ~all"
    For more details, refer to the Google Workspace documentation.

Registering Records via API

You can register SPF records through the VergeCloud API with the following request. Replace the authorization value, shown here as the placeholder API 1.2.3.4, with your own API key; the value.text field carries the policy string exactly as it would be entered in the panel:

curl --location --request POST 'https://api.vergecloud.com/cdn/4.0/domains/vergecloud.site/dns-records' \
--header 'authority: api.vergecloud.com' \
--header 'accept: application/json, text/plain,*/*' \
--header 'authorization: API 1.2.3.4' \
--header 'content-type: application/json;charset=UTF-8' \
--header 'origin: https://panel.vergecloud.com' \
--data-raw '{
  "type": "TXT",
  "name": "@",
  "cloud": true,
  "value": {
    "text": "v=spf1 a mx ip4:192.168.1.1 -all"
  },
  "upstream_https": "default",
  "ip_filter_mode": {
    "count": "single",
    "geo_filter": "none",
    "order": "none"
  },
  "ttl": 120
}'

Zone File Format of the SPF Record

In BIND zone-file format (owner name, TTL, class, type, data), the record created above looks like this:

vergecloud.site.          120   IN    TXT   "v=spf1 a mx ip4:192.168.1.1 -all"

How SPF Records Affect You as a Customer

As a VergeCloud customer managing your domain's DNS records, understanding and configuring SPF appropriately can have several effects:

  • Email Security: Proper SPF configuration helps protect your domain from being used in email spoofing and phishing attacks, enhancing your domain's reputation and trustworthiness.
  • Email Deliverability: Correctly set SPF records improve the likelihood that your legitimate emails reach recipients' inboxes rather than being marked as spam.
  • Compliance: Adhering to email authentication standards like SPF ensures compliance with industry best practices and may be required by certain email service providers.

Use Cases for Configuring SPF Records

Selecting the right SPF configuration depends on the specific needs and scenarios of your domain. Here are common use cases:

  • Allowing Emails from Authorized IPs: If your domain's emails are sent only from specific servers (e.g., your web server or a third-party email service), configure SPF to authorize these IPs. This restricts unauthorized servers from sending emails on behalf of your domain.
  • Configuring for Third-Party Email Services: When using services like Google Workspace (formerly G Suite), Mailchimp, or other email providers, include their published SPF records (for example include:_spf.google.com) to authorize their servers to send emails on your behalf.
  • Combining Multiple Email Sources: If your domain sends emails from multiple sources (e.g., your own servers and third-party services), use mechanisms like include, ip4 and a to list all authorized senders in the single SPF record the domain is allowed to have.
  • Maintaining Flexibility During Changes: When changing email service providers or adding sending servers, lower the TTL ahead of the change, add the new sender to the record before the old one is removed, and only drop the old entry once no legitimate mail leaves through it. This keeps deliverability intact during the transition.

Best Practices for Configuring SPF Records

To optimize your email authentication and DNS configuration, consider the following best practices when setting SPF values:

  • Assess Authorized Senders: Identify all servers and services that are authorized to send emails on behalf of your domain. Ensure they are accurately represented in your SPF record using the appropriate mechanisms.
  • Use Mechanisms Appropriately: Utilize mechanisms like ip4, include, a, and mx to precisely define authorized senders. Avoid anything broader than needed: a /16 range when a single host sends, mx when the MX hosts only receive mail, or +all and ?all, which authorize anyone.
  • Limit the Number of DNS Lookups: RFC 7208 limits an SPF check to 10 DNS-querying terms (include, a, mx, ptr, exists and redirect), counted recursively through every included record; exceeding the limit yields a permanent error and the message fails authentication. ip4 and ip6 terms cost nothing. Count the lookups each third-party include brings with it, consolidate where possible, and replace includes with ip4/ip6 ranges where a provider publishes stable ones. Keep the record short as well: a single TXT character string holds at most 255 bytes, and longer policies must be split into several strings that receivers concatenate.
  • Implement Failures Appropriately: Use ~all while you are still discovering which services send mail for the domain, and switch to -all once DMARC reports confirm the list is complete. Choose the policy that best aligns with your security and deliverability requirements.
  • Combine with DKIM and DMARC: Enhance your email security by implementing DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) alongside SPF. SPF alone only covers the envelope sender; DMARC is what ties SPF and DKIM results to the From: header recipients see and reports back which hosts are sending as your domain.
  • Regularly Review and Update: Periodically audit your SPF records to ensure they reflect any changes in your email sending infrastructure. Remove obsolete mechanisms and update IP addresses or included domains as necessary.
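The checks from the verification step and the best practices above (exactly one v=spf1 record, the 10-lookup limit, 255-character strings, the deprecated ptr mechanism, +all/?all, and a redirect that all makes unreachable) can be automated. The linter below is an added example, not VergeCloud tooling: it walks a constructed table of TXT records (every .test name is an assumption) instead of querying DNS, so it runs offline; in production the table lookup would be replaced by a TXT query.

```python
"""Offline SPF policy linter: counts DNS-querying terms against the RFC 7208
limit of 10 and flags common publishing mistakes. Added example; the TXT data
below is constructed and every .test name is an assumption."""

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

FAKE_TXT = {
    "example.test": ["v=spf1 a mx include:_spf.bulkmail.test include:_spf.crm.test -all"],
    "_spf.bulkmail.test": ["v=spf1 include:pool1.bulkmail.test include:pool2.bulkmail.test ~all"],
    "pool1.bulkmail.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "pool2.bulkmail.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.crm.test": ["v=spf1 a mx a:relay.crm.test mx:backup.crm.test ptr -all"],
    "twice.test": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 mx -all"],      # two SPF records
    "open.test": ["v=spf1 mx +all"],                                    # anyone may send
    "shadowed.test": ["v=spf1 mx -all redirect=pool1.bulkmail.test"],   # redirect never reached
    "loop.test": ["v=spf1 include:loop.test -all"],                     # includes itself
}


def parse_terms(record):
    """Split a v=spf1 record into (qualifier, name, argument); modifiers get qualifier ''."""
    out = []
    for tok in record.split()[1:]:
        if "=" in tok.split(":", 1)[0]:                  # name=value: a modifier
            name, _, arg = tok.partition("=")
            out.append(("", name.lower(), arg))
        else:                                            # [qualifier]name[:argument]
            qual = tok[0] if tok[0] in "+-~?" else "+"
            name, _, arg = tok.lstrip("+-~?").partition(":")
            out.append((qual, name.lower(), arg))
    return out


def walk(domain, records, path, issues):
    """Return the number of DNS-querying terms reachable from domain's record."""
    if domain in path:
        issues.append(f"{domain}: include/redirect loop via {' -> '.join(path)}")
        return 0
    spf = [r for r in records.get(domain, []) if r.split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        issues.append(f"{domain}: expected exactly one v=spf1 record, found {len(spf)} (permerror)")
        return 0
    record = spf[0]
    if len(record) > 255:
        issues.append(f"{domain}: {len(record)} characters; split into several <=255-character TXT strings")
    terms = parse_terms(record)
    names = [name for _, name, _ in terms]
    if "all" in names:
        if "redirect" in names:
            issues.append(f"{domain}: redirect= is never consulted because 'all' always matches")
        for qual, name, _ in terms[names.index("all") + 1:]:
            if qual:                                     # a mechanism after 'all' is dead
                issues.append(f"{domain}: '{name}' after 'all' is never evaluated")
    count = 0
    for qual, name, arg in terms:
        if name in LOOKUP_TERMS:
            count += 1
        if name == "ptr":
            issues.append(f"{domain}: 'ptr' is deprecated by RFC 7208 (slow, unreliable)")
        if name == "all" and qual in ("+", "?"):
            issues.append(f"{domain}: '{qual}all' authorizes any host to send as this domain")
        if name in ("include", "redirect") and arg:      # descend into the referenced record
            count += walk(arg, records, path + (domain,), issues)
    return count


def lint(domain, records=FAKE_TXT):
    """Lint one domain's SPF policy; returns {'lookups': int, 'issues': [str, ...]}."""
    issues = []
    lookups = walk(domain, records, (), issues)
    if lookups > MAX_LOOKUPS:
        issues.append(f"{domain}: {lookups} DNS lookups exceed the RFC 7208 limit of {MAX_LOOKUPS} (permerror)")
    return {"lookups": lookups, "issues": issues}


if __name__ == "__main__":
    for d in FAKE_TXT:
        report = lint(d)
        print(f"{d}: {report['lookups']} lookups")
        for issue in report["issues"]:
            print("   ", issue)
```

example.test is the instructive case: its own record has only four lookup terms, but the two includes pull in seven more, for 11 in total, so the policy would return permerror at every receiver even though each record looks harmless on its own. That is the reason to count a provider's nested includes before adding them.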

By carefully configuring SPF records, you can enhance your domain's email security, reduce the risk of unauthorized email sending, and improve email deliverability.
