E-mail authentication has become more and more important as e-mail phishing attacks grow and the average loss for mid-size companies becomes bigger and bigger. EasyDMARC's SPF record lookup tool shows that 68% of checked domains have issues with their SPF record.
In general, e-mail authentication is achieved with the SPF, DKIM and DMARC protocols. SPF, in particular, is the mechanism that prevents fraudsters and hackers from sending unauthorized e-mails on behalf of a corporate domain.
From a configuration standpoint, SPF is a DNS TXT record. The SPF TXT record defines the authorized sending sources, such as domains or IP addresses.
Setting up the SPF record
There are 3 easy steps to set up an SPF record:
1. Create an SPF record that fits your needs
2. Publish the SPF TXT record in your DNS configuration
3. And finally, after DNS propagation, run the SPF record lookup tool to be sure that the SPF lookup has no failures.
How to create an SPF record
For example, if you use several services, e.g. Google Apps, Zendesk or an in-house e-mail server, to send e-mails from your domain, then the SPF record will look like:
v=spf1 ip4:18.104.22.168/32 include:mail.zendesk.com include:_spf.google.com -all
Let’s go into details:
- v=spf1 is the version of the protocol
- ip4:18.104.22.168/32 is the IP address of your server
- the include:mail.zendesk.com include:_spf.google.com part defines the services that you use to send e-mails
- and finally, -all is the published SPF policy: every source not listed in the record fails the check.
To simplify SPF record creation you can use any free SPF record generator. EasyDMARC's SPF Record generator is made specifically to make the process easy and fast.
Limitations to SPF record
You can include several SPF records in each other, but for security reasons an SPF record can't have more than 10 lookups. If you have more than 10 SPF lookups, you need to fix it with the SPF lookup tool, or you can ask EasyDMARC support to help you; otherwise e-mail service providers will skip your SPF record.
An SPF record also can't contain more than 255 characters. To solve this problem you have 2 options:
- You can create several sub SPF records and include them in your main record:
Example: v=spf1 include:_spf1.example.com include:_spf2.example.com -all
- You can concatenate multiple strings together without adding spaces.
example: v=spf1 stringA stringB -all can be changed to v=spf1 AB string -all
Preventing Lookup Loops
This is quite an advanced configuration, and it takes experience to set it up smoothly in a short time. If you have difficulties, you can always reach EasyDMARC support.
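The lookup limit, the length limit and include loops described above can all be checked before a record is published. The following Python code is an added example, not EasyDMARC's tool or code: it audits a constructed in-memory zone instead of querying live DNS, and the `ZONE` contents and the `audit_spf` helper name are assumptions made for illustration.

```python
# Constructed sample zone: name -> published SPF TXT value (illustrative, not real DNS data).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.10/32 include:_spf1.example.com include:_spf2.example.com -all",
    "_spf1.example.com": "v=spf1 a mx include:_spf2.example.com ~all",
    "_spf2.example.com": "v=spf1 ip4:198.51.100.0/24 exists:%{i}.bl.example.com ~all",
    "loop.example.com": "v=spf1 include:loop2.example.com -all",
    "loop2.example.com": "v=spf1 include:loop.example.com -all",
}
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one lookup
MAX_LOOKUPS = 10   # lookup limit described above
MAX_LENGTH = 255   # length limit described above


def audit_spf(domain, zone=ZONE):
    """Walk include/redirect targets; return (lookup_count, list_of_issues)."""
    issues, count = [], 0

    def walk(name, chain):
        nonlocal count
        record = zone.get(name, "")
        if not record.lower().startswith("v=spf1"):
            issues.append(f"no SPF record at {name}")
            return
        if len(record) > MAX_LENGTH:
            issues.append(f"{name}: {len(record)} characters, over {MAX_LENGTH}")
        for term in record.split()[1:]:
            term = term.lstrip("+-~?")              # drop the qualifier
            if term.lower().startswith("redirect="):
                mech, target = "redirect", term.split("=", 1)[1]
            else:
                mech, _, target = term.partition(":")
                mech = mech.split("/")[0].lower()   # "a/24" -> "a"
            if mech not in DNS_TERMS:
                continue                            # ip4, ip6, all: no DNS query
            count += 1
            if mech in ("include", "redirect"):
                if target in chain:                 # already being evaluated: a loop
                    issues.append("loop: " + " -> ".join(chain + [target]))
                else:
                    walk(target, chain + [target])

    walk(domain, [domain])
    if count > MAX_LOOKUPS:
        issues.append(f"{count} DNS lookups, over the limit of {MAX_LOOKUPS}")
    return count, issues


if __name__ == "__main__":
    for d in ("example.com", "loop.example.com"):
        print(d, audit_spf(d))
```

Note that `_spf2.example.com` is counted twice for `example.com`, because it is reached both directly and through `_spf1.example.com`; nested includes add up faster than the top-level record suggests.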
Verifying SPF configuration
After DNS propagation, you need to check the record with the SPF lookup tool.
If you see green with no issues mentioned, then you did it!
Curious how to check an SPF record?
Generally speaking, publishing a good SPF record is the first step of your e-mail authentication process. After that you need to publish your DKIM and DMARC records.
Here are several articles that will help you set up DKIM and DMARC records:
How to fix No DMARC record found
Stop worrying about email phishing
Furthermore, we recommend using monitoring and alerting for your SPF record. You should maintain it so that it holds the latest correct values and does not become outdated. Remember that an outdated SPF record may result in e-mail rejections.
Make sure to follow this article in case you come across the SPF "too many DNS lookups" permerror.
As can be seen, manual setup is quite tough and there are many places to do wrong things. That is why we created EasyDMARC. EasyDMARC guides you step by step to reach perfect e-mail authentication in a short time.