An SPF record (Sender Policy Framework) is a DNS record that declares which hosts are allowed to send mail claiming to be from your domain. Having a properly set SPF record means someone spoofing email from your domain is much less likely to have any success.
These records are only for servers that SEND mail on behalf of your domain.
Caveat: SPF (and the related technologies) cannot prevent 100% of email being sent as though it came from your domain, since it is up to the receiving mail system to check the record and accept or reject the message. We’ll be covering DKIM and DMARC in a future tutorial; they are related and worthwhile technologies to pursue in your spam-fighting quest.
You may need SPF records for services like:
- Email Provision (Google Apps, Office 365, GoDaddy)
- Email blast services (MailChimp, ConstantContact, Aweber)
- Web Server (WPENGINE, HostGator, MediaTemple)
- Accounting / Invoicing (Freshbooks, Quickbooks Online)
- CRMs (Salesforce, Microsoft Dynamics, Zoho)
SPF Record Formulation
A record begins with v=spf1 and always ends with some form of all.
The final symbol before “all” determines what a receiving server should do with any email that doesn’t match your specified allowed sources:
"+" Pass (a mechanism with no qualifier in front of it, e.g. just include:sendgrid.net, is the same as a “+”)
If we have a solid handle on all the services a client’s domain is using to send mail we’ll use “-all”. This hard fails all mail that doesn’t match.
If we have some degree of uncertainty we’ll use a SoftFail, “~all”.
We will likely use a SoftFail if we aren’t intimately involved in most aspects of a client’s web presence or if we haven’t built it from the ground up. There could be an unknown tool that some part of the company is using, and a hard Fail could break its mail.
What you put in between determines what is allowed. These are called mechanisms.
We typically only use three mechanisms:
The ip4 and ip6 mechanisms say “allow mail from these IP addresses or IP ranges”.
The “include” mechanism says “look up the SPF record of the named domain and evaluate it as part of this one”.
Common SPF Records
The following is kept for posterity and is no longer used by WPENGINE:
include:sendgrid.net (this is for emails sent from the WPENGINE User Portal, e.g. backup and restore email notifications)
include:mailgun.org (this is for actual emails sent by the WordPress install)
Google Apps for Work SPF: include:_spf.google.com
Combine these within the record, separated by spaces, in priority order from the highest-volume sender to the lowest.
v=spf1 include:_spf.google.com include:sendgrid.net -all
Keep the number of included records to a minimum – the record as a whole must generate less than 10 DNS lookups.
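The rules above (the qualifier on the final all, the ip4/ip6 and include mechanisms, and the DNS-lookup ceiling) can be checked before a record is published. The following is an added Python example and is not code from the original post; the sample record, the 203.0.113.0/24 range and the helper names (parse_spf, lint_spf, check_ip) are constructed for illustration. It runs offline, so include: targets are counted toward the lookup budget but not resolved.

```python
import ipaddress
import re

# Constructed sample record, modelled on the one in the post. Assumption: the
# /24 is the client's own outbound mail range; include: targets are not resolved here.
SAMPLE_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:sendgrid.net -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit of 10 per evaluation).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) tuples.
    Raises ValueError when the record does not start with v=spf1 or a term is malformed."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must begin with v=spf1")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # no qualifier means Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        # Accepts "include:x", "ip4:x", "a/24", "redirect=x" and bare "all"/"mx".
        m = re.fullmatch(r"([a-zA-Z0-9]+)(?:[:=/](.+))?", term)
        if not m:
            raise ValueError(f"unparseable term: {term}")
        terms.append((qualifier, m.group(1).lower(), m.group(2)))
    return terms


def count_lookups(terms):
    """Number of terms that trigger a DNS lookup; RFC 7208 caps this at 10."""
    return sum(1 for _, mech, _ in terms if mech in LOOKUP_TERMS)


def lint_spf(record):
    """Return human-readable findings about a record; an empty list means no issues found."""
    findings = []
    terms = parse_spf(record)
    mechs = [mech for _, mech, _ in terms]
    if "all" not in mechs and "redirect" not in mechs:
        findings.append("no terminal 'all' (and no redirect=): unmatched senders get neutral")
    elif "all" in mechs:
        idx = mechs.index("all")
        qualifier = terms[idx][0]
        if idx != len(terms) - 1:
            findings.append("terms after 'all' are never evaluated")
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet; use -all or ~all")
        elif qualifier == "?":
            findings.append("'?all' gives no verdict; use ~all while auditing senders, -all once the list is complete")
    lookups = count_lookups(terms)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    if "ptr" in mechs:
        findings.append("'ptr' is deprecated by RFC 7208; replace it with ip4/ip6")
    return findings


def check_ip(record, sender_ip):
    """Evaluate a sender IP against the record's ip4/ip6 terms only (no DNS).
    include:/a/mx terms are skipped, so a Pass that would come from them is not visible here."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            # A bare address (no prefix) becomes a /32 or /128 network; version mismatch never matches.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 section 4.7: no match and no 'all' means neutral


if __name__ == "__main__":
    print("lint:", lint_spf(SAMPLE_RECORD) or ["no findings"])
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, "->", check_ip(SAMPLE_RECORD, ip))
```

Run it against a record before publishing: lint_spf flags a missing or misplaced all, a "+all" that authorises the whole internet, and a record that busts the 10-lookup budget, while check_ip shows how the qualifier on all decides the fate of a sender that matches nothing. Because include: is not resolved, a real validator (such as the MXToolbox tool mentioned later in the post) is still needed to confirm the lookup count of the included records.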
Adding an SPF Record to the DNS
Although a dedicated “SPF” DNS record type once existed, the record should be published as a TXT record at the domain apex (@). (See RFC 7208.)
Here is what it looks like in CloudFlare…
As a final step you should validate the record and make sure it is correct. We like to use MXToolbox’s SPF Lookup and Validation tool.
Just wanted to thank you for taking the time to write this guide. It’s exactly what I needed and the information is to the point. I wasn’t sure if I set my SPF records properly (I didn’t) and this article helped me set it up and check it in seconds. Thank you!
Blake Imeson says
Hi Miroslav, so glad you found it helpful!
Jayden Lawson says
You should also add include:mailgun.org to the services that WPEngine uses to send mail. See https://wpengine.com/support/dmarc-best-practices-get-email-inbox/
Blake Imeson says
Thank you for the updated info Jayden! I’m adding it to the post.
Chris Matthias says
This is currently outdated for WPEngine. They have switched from using a combination of mailgun and sendgrid and moved to relaychannels.net. They now recommend using `include:relay.mailchannels.net`
Blake Imeson says
Thanks for letting us know Chris!