How To: Add Your SPF Record
So we have learned what an SPF record is and how important it is for our email deliverability. Let us now look deeper into how it can be implemented on your own for free.
This guide has been tested and confirmed to work as described. However, please ensure you fully understand the steps before implementation to avoid errors. If you have questions, feel free to contact us at [email protected].
Add an SPF Record
- Log in to Your Domain Registrar's DNS Management Portal:
- Access the DNS management section where you can modify or add TXT records.
- Add a TXT Record: Example for a single sender:
v=spf1 include:_spf.google.com -all
In this example, _spf.google.com represents the SPF record for Google Workspace as the email-sending service.
Scenarios with Multiple Senders
If your domain sends emails through multiple services or systems, your SPF record must include each sender. Below are common scenarios and examples:
Scenario 1: Random Server IP
You have a server with a specific IP address (e.g., 192.168.1.10) sending emails.
v=spf1 ip4:192.168.1.10 -all
Scenario 2: Email Marketing Sender
If you use an email marketing platform like Mailchimp or SendGrid, they provide an SPF record to include. Example:
v=spf1 include:servers.mcsv.net -all
Scenario 3: Helpdesk Sender
If your helpdesk software (e.g., Zendesk) sends emails, include their SPF record. Example:
v=spf1 include:mail.zendesk.com -all
Scenario 4: Scanner Email Alerts Sender's IP
Your office scanner sends email alerts from a specific IP (e.g., 203.0.113.5).
v=spf1 ip4:203.0.113.5 -all
Combining Multiple Senders in a Single SPF Record
When multiple services and servers are involved, combine them into one SPF record. For instance, if your domain uses:
- Google Workspace: _spf.google.com
- Mailchimp: servers.mcsv.net
- A scanner sending alerts from IP 203.0.113.5
Your SPF record would look like this:
v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:203.0.113.5 -all
Scenario with Multiple IPs in an SPF Record
If your domain sends emails from multiple servers with distinct IP addresses, you can include each IP in the SPF record.
Example
Suppose your email-sending infrastructure includes:
- Server 1: 192.168.1.10
- Server 2: 203.0.113.5
- Server 3: 198.51.100.25
Your SPF record would look like this:
v=spf1 ip4:192.168.1.10 ip4:203.0.113.5 ip4:198.51.100.25 -all
This configuration explicitly allows emails to be sent from these three IP addresses.
Adding Multiple IP Ranges
If your servers fall within a contiguous IP range, you can simplify the SPF record using CIDR notation. For example:
Range: 192.168.1.0/24 (covers 192.168.1.0 to 192.168.1.255)
The SPF record would then be:
v=spf1 ip4:192.168.1.0/24 -all
Combining IPs with Other Senders
If you also use email services like Google Workspace and Microsoft 365, combine them with the IPs. For example:
- Google Workspace: _spf.google.com
- Microsoft 365: spf.protection.outlook.com
- Three dedicated IPs: 192.168.1.10, 203.0.113.5, 198.51.100.25
Your SPF record would be:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ip4:192.168.1.10 ip4:203.0.113.5 ip4:198.51.100.25 -all
This configuration authorizes all specified servers and services to send emails on behalf of your domain while blocking unauthorized sources.
N.B. Always contact the support for your email-sending service or review their documentation to find out which domain or IP address to use in your SPF record.
Additional Scenarios You Might Encounter
- Office 365 (Microsoft Exchange Online):
v=spf1 include:spf.protection.outlook.com -all
- Third-Party Email Gateways (e.g., Barracuda):
v=spf1 include:barracudanetworks.com -all
- Transactional Email Services (e.g., Postmark, SES): For AWS SES:
v=spf1 include:amazonses.com -all
- Web Application Sending Emails (e.g., WordPress): If hosted with an external provider like SiteGround or GoDaddy, using their SPF guidelines you may have something looking like:
v=spf1 include:spf.secureserver.net -all
Considerations for Complex SPF Records
DNS Query Limit: Ensure the SPF record stays under the 10 DNS lookup limit. Each include: counts as one lookup, while listing IPs (ip4:) does not.
Record Size: DNS records have a size limit (255 characters per line). If your SPF record exceeds this, consider splitting it into multiple TXT records.
Validation: Always test the SPF record after creating it or modifying it in any way (for example, after adding multiple IPs), using tools like SPF Checker, to ensure it's correctly formatted before applying it to your domain's DNS records.
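A pre-publication check for the considerations above, as an added example that is not part of the original guide: it counts DNS lookups including those made inside include: targets (which count toward the same limit of 10), checks the 255-character length and the -all ending, and flags private ip4: entries. The ZONE dictionary is a constructed stand-in for DNS; example.org and the contents of the nested records are assumptions.

```python
import ipaddress

# Constructed stand-in for DNS (domain -> SPF TXT value); all record contents are invented.
ZONE = {
    "example.org": "v=spf1 include:_spf.google.com include:servers.mcsv.net "
                   "ip4:192.168.1.10 ip4:203.0.113.5 -all",
    "_spf.google.com": "v=spf1 include:_netblocks.example.net ~all",
    "_netblocks.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "servers.mcsv.net": "v=spf1 ip4:198.51.100.25 ~all",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(record):
    """Yield (name, argument) for each term after the version tag."""
    for term in record.split()[1:]:
        name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        yield name.partition("/")[0].lower(), arg

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms, following include:/redirect= into nested records."""
    if domain in path or domain not in zone:  # loop guard, or record not in sample data
        return 0
    total = 0
    for name, arg in parse(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(arg, zone, path + (domain,))
    return total

def lint(domain, zone):
    """Return a list of problems found in the domain's own SPF record."""
    record, issues = zone[domain], []
    if record.split()[0].lower() != "v=spf1":
        issues.append("does not start with v=spf1")
    if record.split()[-1] != "-all":
        issues.append("does not end with -all")
    if len(record) > 255:
        issues.append("longer than 255 characters")
    if (n := count_lookups(domain, zone)) > 10:
        issues.append(f"{n} DNS lookups (limit is 10)")
    for name, arg in parse(record):
        if name == "ip4" and any(ipaddress.ip_network(arg, strict=False).overlaps(r) for r in RFC1918):
            issues.append(f"ip4:{arg} is an RFC 1918 private address")
    return issues

if __name__ == "__main__":
    print(count_lookups("example.org", ZONE), lint("example.org", ZONE))
```

The private-address check is there because receiving servers compare the record against the public IP a connection arrives from, so an internal address such as 192.168.1.10 only works as a placeholder and should be replaced with the server's public IP.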