It’s frightening to know that as many as 91% of all cybercrimes start with a phishing email sent to a target. The figures have risen significantly post covid, making it important to secure email domains. But how can this be done?
You can implement SPF, the first step towards DMARC compliance. You can also set up DKIM, and finally, DMARC—an email authentication standard that prevents fraudulent emails using your company’s domain name from being delivered.
To set up SPF correctly, you need to create SPF records for every domain your company uses to send emails from. This blog focuses on how to create an SPF record and its importance. First, let’s see what SPF is.
What is SPF?
SPF stands for Sender Policy Framework, an email authentication protocol that permits only authorized IP addresses to deliver emails on your company’s behalf. This means you can specify all trusted mail servers and third party email providers permitted to send emails using your company’s domain or name.
You’ll need to create an SPF record for every sending domain and subdomain. It’s a type of TXT record that gets published on your domain’s DNS (domain name system). The SPF record contains a list of all authorized sending sources for a specific domain.
But do you know how an SPF record works? When an email is sent, the recipient server verifies it using the SPF record and querying the domain’s return-path value mentioned in the email header.
The return-path is a hidden email header that tells receiving servers where bounced emails should go and how they should be treated.
The recipient server retrieves the SPF record from a particular domain’s DNS server. It then checks if the sender’s IP address contained in the return-path matches the list of IP addresses in the SPF record. This determines whether a sender is permitted to send emails from that domain or not. If yes, the SPF check passes, if not, it fails.
Adding an SPF record to your DNS is recommended as bad actors will be less likely to use your domain as a spam vector. Generating SPF records for all your sending domains also improves overall deliverability rates.
Before Setting up the SPF Record
To generate an SPF record, you need to ensure there isn’t a pre-existing record for your sending domain as only one is permitted. You can use EasyDMARC’s free SPF lookup tool to check whether it’s missing. If so, you can proceed with the steps listed below.
If you already have an SPF record but configuration issues or other errors exist, you’ll need to modify and update it to get it working properly.
Now, let’s see how to create an SPF record in five steps.
Gather the IP Addresses For All Your Senders
To generate an SPF record, identify which mail servers your company uses for sending emails. Some organizations use multiple sources to send emails.
So, to create an SPF record, first make a list of all sending mail servers and their respective IP addresses. Also consider all the entities authorized to send emails on your company’s behalf. Your list may include:
- Web servers
- Email service provider’s mail servers
- In-office mail servers like Microsoft Exchange
- End users’ email service providers
- Third parties sending emails on your behalf; for example, your PR agency
If you aren’t sure about the IP addresses, it’s best to reach out to your email service provider to obtain a list of all the IP addresses associated with your account.
Gather All Sending Domains
It’s possible that your company has multiple domains, but only a few are used for sending emails. To set up an SPF record in such a case, you must create SPF records for all the domains you control.
This also includes the ones not used for mailing. It’s absolutely necessary because hackers often spoof non-sending domains, even if the sending domains have SPF records.
Create an SPF Record
Once you’ve compiled your list of sources permitted to send emails on behalf of your domain, you can create an SPF record. Here’s how:
- Start with the v=spf1 tag, which tells servers that this is an SPF record.
- After the v=spf1 tag, list all authorized IP addresses. For example: “v=spf1 ip4:34.263.61.227 ip6:2a03:d015:e3:8c00:bb61:dea4:8b43:851e”
- Next, add an ‘include’ statement for any third party authorized to send emails on your behalf. For example: “include:3rdpartydomain.com”
- Be sure to ask such a third party for the correct domain to include here.
- After adding all authorized IP addresses and ‘include’ statements, use the ~all or -all tag to end the SPF record.
- ~all indicates a soft fail, where emails failing SPF verification are typically delivered to the junk or spam folders.
- -all indicates a hard fail, where email failing SPF verification are rejected and blocked.
- The +all tag should never be used as it allows all emails from unverified sources to be delivered.
Using the correct SPF record syntax is vital and the record should be no more than 255 characters long. It shouldn’t have more than 10 ‘include’ statements, either. Here’s an SPF record example:
v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:thirdparty.com -all.
It seems complicated but you can use EasyDMARC’s SPF record generator to do this quickly and easily.
Publish the SPF Record in Your DNS
We’ve answered the question: ‘How to create an SPF record for my domain?’ Next, here’s how you can publish it to your DNS.
If you’re using the services of a good hosting provider, the job gets simpler.
- First, sign in to your domain’s management console, choose which domain you’re adding an SPF record to, and go to ‘manage DNS records.’
- Next, go to the ‘add DNS TXT record’ option.
- Enter your domain in the ‘Host value’ field.
- The ‘TXT value’ field is where you’ll copy and paste the SPF record you created, as explained above.
- Leave the Time to Live (TTL) as the default, usually 300.
- Hit ‘Add record’ and you’re done.
The SPF record has to be applied to subdomains, so check whether your domain provider allows you to add SPF records directly to subdomains. If not, add another SPF record to your primary domain using the steps above and change the ‘Host Value’ to apply it to the subdomain.
Ensure the Record Works
Test if your SPF record is working with EasyDMARC’s free SPF record checker tool. You’ll then see a list of the servers authorized to send emails on behalf of your sending domain. The tool also picks up any misconfigurations or typos to ensure quick and easy validation.
If one or more of your legitimate sending IP addresses isn’t listed, you can update your record to include it.
Summary
Adding an SPF record to DNS is a practical way to prevent threat actors from exploiting your domain to send fraudulent and malicious emails. It lowers bounce backs, increasing your domain reputation and improving email deliverability.
Once you’ve correctly created an SPF record and published it, only emails from authorized senders pass SPF verification. SPF isn’t only an easy way to minimize email fraud, it’s also a crucial step towards DMARC compliance.