SPF
SPF Record Lookup
Use this tool for lookup and validate your SPF record.
The tags and their definitions
| TAG | TAG DESCRIPTION |
|---|---|
| v (required) | The version tag. is the only allowed value is "spf1". If it's incorrect or the tag is missing, the SPF record will be ignored. |
| ip4 | This tag should include all the IPv4 addresses that are allowed to send emails on behalf of the domain. |
| ip6 | This tag should include all the IPv6 addresses that are allowed to send emails on behalf of the domain. |
| a | The A record tag allows the SPF to validate the sender by domain name's IP address. If left unspecified, it takes the value of the current domain. |
| mx | The MX record tag checks the MX record of the mail server(s). If left unspecified, it takes the value of the current domain. |
| ptr (Not recommended) | The PTR tag prompts a PTR check for client IP hostname(s). It's a not recommended tag as per RFC 7208, because it spends too many DNS lookups. |
| exists | The exists tag checks if an A record exists or not on the mentioned domain. |
| include | The include tag is of top importance for a correct SPF record. Listing all your sending sources under this tag lets the recipient know that you verify all the aded domains/subdomains as legitimate sources. |
| all (required) | All is a required tag. It should be placed at the end of the SPF record. Depending on the qualifiers used (~, +, -, ?), this mechanism indicates how the recipient should treat emails from non-authorized sources. |
What is EasyDMARC's SPF Record Checker and Lookup Tool?
Our SPF Record Checker and Lookup tool allows you to check if an SPF record is published on a domain and deployed correctly. It also features a DNS lookup counter.
What is SPF Lookup Used for?
While this tool checks for SPF records, it also counts DNS lookups, including main and nested lookups to ensure correct configuration.
How Does the SPF Record Checker Help?
It helps when there is a need to add a specific domain to a record to send emails on behalf of your organization. Our SPF Record Checker tool is useful if you want to check:
- IP addresses of the sources are correct.
- That no syntax errors exist.
- That no ‘10 DNS lookup’ errors exist.
Why Should You Set an SPF Record?
The SPF record protects a company’s domain from being spoofed while improving its sender reputation with MBPs (Mailbox Providers) such as Google, Microsoft, Verizon, etc. Most companies and individuals use SPF records to prevent spoofing and enhance email security and deliverability.
How to Check SPF Records?
Easy! Simply use our free SPF Record Checker tool on our EasyDMARC platform. Enter the domain name in the box and click 'Check SPF.' You'll receive all lookup and check results for that domain momentarily.
How Does SPF Authentication Work?
When an email is sent, the receiving server checks the sender’s return-path address, and verifies if the domain in use has a valid SPF record by performing a DNS query. If it passes, it is authenticated and delivered to the recipient's mailbox.
What are Some SPF Best Practices?
- 1. Only include sources in your SPF record if you're sure that the Return-Path domain is yours: Some third-party ESPs, such as Mailchimp, handle your bounces, so they have their own domain in the Return-Path address. For sources like Mailchimp, you don't need to add their "include" in your SPF record.
- 2. Use either "~all" or "-all" mechanisms and avoid using "+all" or "?all": Both "~all" and "-all" work in the same way by marking SPF failures. It's important to avoid using "+all" because it whitelists all email sources, and "?all" is neutral, which means it neither passes nor fails SPF checks.
- 3. Avoid using the redirect= mechanism in your SPF record: Using redirect= can limit users by not letting them add other sources. As organizations tend to use multiple email strategies, it can limit that process. Instead, include all authorized email sources in your SPF by "include:" and other mechanisms.
- 4. If your domain is hosted on third-party email service providers (ESPs) such as Google, Microsoft, Zoho Mail, etc., avoid using MX & A in your SPF record and use a list of IP addresses instead. The reason is that Google and Microsoft's MX IP addresses differ from their outgoing mail servers. Instead, you can use the "include" mechanism that third-party ESPs give you.
- 5. Use DKIM and DMARC to complement your SPF record: SPF is only one of the three main email authentication methods. We recommend implementing DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) to improve your email deliverability and protect your domain from email spoofing and phishing attacks.
What Are Some SPF Record Examples?
1. Allow only one server to send email:
v=spf1 ip4:198.51.100.1 -all
This SPF record allows only the mail server with IP address 198.51.100.1 to send emails. All other servers will be considered unauthorized.
2. Allow a list of IP addresses within a given range to send email:
v=spf1 ip4:192.0.2.0/24 -all
This SPF record allows any server with an IP address within the range of 192.0.2.0/24 to send emails. All other servers will be considered unauthorized.
3. An SPF record that includes a third-party email service:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all
This SPF record allows any servers listed in Google's SPF record (_spf.google.com) and Microsoft's SPF record (spf.protection.outlook.com) to send emails on behalf of the domain. All other servers will be considered unauthorized.
4. SPF record that combines IPv4, IPv6, and third-party services:
v=spf1 ip4:192.0.2.0/24 ip6:2001:0db8:85a3::/64 include:_spf.google.com include:spf.protection.outlook.com -all
This SPF record allows any server with an IPv4 address within the range 192.0.2.0/24, any server with an IPv6 address within the range 2001:0db8:85a3::/64, as well as any server listed in Google's SPF record (_spf.google.com) and Microsoft's SPF record (spf.protection.outlook.com), to send emails on behalf of the domain. All other servers will be considered unauthorized.
How Does the Sender Policy Framework Protect Email?
The Sender Policy Framework (SPF) is an email authentication protocol that helps protect email by preventing email spoofing. Email spoofing is sending emails from a fake email address or domain to impersonate someone else. SPF allows domain owners to specify a list of IP addresses authorized to send emails on their behalf.
When the receiving mail server gets an email, it checks the SPF record of the sender's domain to see if the IP address used is authorized. If it's not, the receiving mail server can reject the email or mark it as spam.
SPF is one of the oldest authentication methods, but it is not foolproof. One limitation of SPF is that it only checks the "envelope" sender address, which is used for routing purposes. It doesn't look at the "From" address visible to the recipient. This means that SPF cannot prevent all types of email spoofing, for example, when an attacker uses a legitimate but compromised email account to send malicious emails.
Moreover, SPF is just one of several email authentication methods, including DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC). Most mail servers don't solely rely on SPF policy to accept or reject emails. However, some local providers still "respect" the original SPF policy with -all, which means that if an email fails the SPF check, it'll be rejected.
How to Implement and Manage an SPF Record?
1. Publish DMARC record with EasyDMARC to start receiving aggregate reports: One of the first things you can do to get the most out of your SPF record is to publish a DMARC record. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps prevent email spoofing and phishing. With DMARC, you can specify how the receiving servers should handle your email messages if they fail SPF and DKIM checks. EasyDMARC platform helps you get started with DMARC in just a few clicks and provides DMARC reporting and monitoring capabilities, which offer valuable insights into your email authentication processes.
2. Gather and evaluate data on your sending sources: Use the reports to gather data and evaluate your sending sources to advance your email authentication efforts. This information will help you identify the list of IP addresses and domains you must include in your SPF record. EasyDMARC gives you tools to analyze your email traffic and identify your legitimate sending sources.
3. Create a TXT Record including all your sources: Create an SPF TXT record that includes all your sending sources. Your SPF record should specify the list of IP addresses and domains authorized to send emails on behalf of your domain. Your SPF record might look like this:
v=spf1 include:thirdpartydomain.com include:anotherthirdpartydomain.com ip4:[ip-address] ~all
This record authorizes two third-party domains to send emails on behalf of your domain and includes a specific IP address.
4. Publish your SPF TXT record in the DNS: After creating your SPF TXT record, publish it in your DNS. Your DNS zone is a database that contains information about your domain's DNS records. You can add your SPF TXT record to the DNS zone file using your domain registrar or DNS hosting provider's control panel.
5. Ensure that everything is published correctly using an SPF diagnostic tool: After posting your SPF record, verify that everything is working using an SPF checker tool. This step validates your SPF record's syntax and confirms it works correctly.
6. Evaluate further reports and ensure SPF is passing: You must evaluate the reports you'll receive periodically to ensure your SPF record is passing. Use EasyDMARC to monitor your email authentication process and receive reports on your SPF record status. If your SPF record is not passing, update it to include additional authorized sending sources.
Implementing an SPF record is essential to ensure your email messages are delivered successfully to your recipient inboxes. Following the steps outlined above and using a reliable tool like EasyDMARC, you can create and manage an adequate SPF record that helps prevent email spoofing and phishing attacks.
How To Check SPF Record via Command Line via Dig Tool?
If an SPF diagnostic tool isn't your cup of tea, use the command line to check your SPF record.
1. Open your terminal or command prompt on your computer.
2. Type in dig txt domain.com or nslookup -q=txt domain.com. Replace domain.com with the domain name you want to check.
3. Click "Enter" to execute the command.
4. You will see a list of TXT records associated with the domain.
5. Look for the TXT record that starts with v=spf1. This is the SPF record for the domain.
dig txt easydmarc.us
; <<>> DiG 9.10.6 <<>> txt easydmarc.us
;; global options: +cmd
;; Got answer:
;;->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9197
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;easydmarc.us. IN TXT
;; ANSWER SECTION:
easydmarc.us. 300 IN TXT
"google-site-verification=owAbrNJsOW4Kw2ffnetssKwxLsS1QRx6JLxOGNnzB8k"
easydmarc.us. 300 IN TXT "v=spf1 include:_spf.easydmarc_us._d.easydmarc.pro ~all"
easydmarc.us. 300 IN TXT
"hubspot-developer-verification=YzNkN2ZiN2QtZmM1OS00Nzc0LThiMzItYWY5NGYzZDY3Yzc0"
easydmarc.us. 300 IN TXT "MS=ms26216209"
;; Query time: 29 msec
;; SERVER: fe80::56be:53ff:fe7b:6381%11#53(fe80::56be:53ff:fe7b:6381%11)
;; WHEN: Wed Mar 22 15:20:53 CET 2023
;; MSG SIZE rcvd: 307
How Does SPF Impact Email Deliverability?
Sender Policy Framework (SPF) is an essential email authentication protocol for improving email deliverability. By authorizing specific IP addresses to send emails on behalf of a domain, SPF helps to verify the authenticity of incoming messages. When an email has a valid SPF record, it's more likely to be trusted by receiving mail servers, leading to improved deliverability rates.
Additionally, SPF is a critical component in achieving DMARC compliance, essential for maintaining a positive email reputation and enforcing email authentication protocols. By implementing SPF alongside DKIM, organizations can ensure their emails are correctly authenticated and protected from spoofing or phishing attacks, ultimately leading to higher deliverability rates and better overall email performance.
What Are the Common Mistakes During SPF Record Setup?
When setting up SPF records, it's essential to avoid common mistakes that can lead to email delivery issues or security vulnerabilities. Here are some of them:
1. Avoid using the deprecated PTR tag in your SPF record.
2. Don't add multiple SPF TXT records on a single root domain or subdomain level, as this can cause conflicts and lead to unpredictable email delivery results (permerrors).
3. Be cautious about adding a source if the Return-Path domain doesn't match your organizational domain. This can increase the risk of unnecessary DNS lookups and exceed the 10 DNS lookup limit.
4. Avoid exceeding the 10 DNS lookup limitation. This can cause SPF permerror, negatively affecting your email delivery and inbox placement.
5. Avoid using the 'all' mechanism with the '+' qualifier (+all). This can whitelist any server to send emails from your domain, causing the SPF to pass in all cases. This configuration will compromise your email security.
6. Make sure to keep your SPF record up to date, especially if you change your email infrastructure or use a new email service provider.
7. Use a diagnostic tool to test your SPF record before deploying it. This approach will ensure the SPF is valid and correctly configured.
8. Avoid creating overly complex SPF records. Long and complicated syntaxes increase the likelihood of errors and make it harder to manage.
How To Troubleshoot SPF Authentication Failures?
1. Verify the SPF record: The first step is to verify that the SPF record configuration is correct. Check the SPF record using EasyDMARC's SPF Checker or command-line tool to ensure all the authorized IP addresses and sources are listed.
2. Check IP addresses: If the SPF authentication fails for a specific IP address, verify that the IP address is authorized to send emails on behalf of the domain. You can do this by checking the SPF record to ensure that the IP address is listed or by whitelisting the IP address if it needs to be added.
3. Check email headers: Check the email headers to see if there are any clues about why the SPF authentication is failing. Look for the "Received-SPF" header to see the result of the SPF check.
4. Verify alignment: If the SPF alignment is failing, the problem could be with the ESP portal. Check the ESP portal to ensure you're using the correct domain for the sender's email address.
Do I Need an SPF Automation for SPF Record Management?
We strongly recommend automation, especially if you’re managing multiple domains in large organizations.
While it is possible to manually manage your SPF record, efficiency and speed are what you get with SPF record management services like Managed SPF by EasyDMARC. You can avoid making syntax errors during SPF configuration and management that would render your record useless. Keeping the record up-to-date is yet another benefit of using a managed solution. We recommend you assess your organization’s needs and circumstances to make the right choice.
What is a DNS Lookup Limitation?
10 DNS lookups is one of SPF's limitations. Each time an email server receives an email, it needs to look up the SPF record for the sender's domain to determine whether the email is legitimate or not. If the checks bypass the limit, SPF fails.
Each additional lookup adds to the email processing time and can increase the risk of email delivery delays or timeouts
What Is an SPF PermError?
SPF permerror (i.e. permanent error) is a common SPF issue that stems from the record containing a serious problem that hinders record interpretation. It results in SPF failure and the email in question doesn’t get delivered.
What Are Some Common Causes of an SPF PermError?
SPF PermError occurs when:
- One domain has multiple SPF records
- The SPF record contains syntax errors
- DNS lookups exceed the allowed limit of 10
Investigating your SPF record with a diagnostic tool like our SPF Checker will help you to find and resolve them, ensuring DMARC compliance and better inbox placement.
How Does an SPF PermError Affect Email Deliverability?
Email deliverability improvement is an indirect effect of implementing email authentication protocols (SPF, DKIM, and DMARC). DMARC rests on SPF and DKIM protocol success. If one of them fails, the chance of DMARC success is drastically diminished. SPF permerror causes the SPF protocol to fail, so DMARC compliance and, consecutively, email deliverability is endangered.
What Is SPF Flattening, and Why Is It Necessary?
SPF flattening replaces SPF mechanisms that complicate the record with IP4 and IP6 rules, eliminating multiple DNS lookups and leaving the record in a better shape. Leaving the process with a trusted SPF service also reduces your involvement, automating it.
What Happens When You Exceed The SPF DNS Lookup Limit?
If the Sender Policy Framework (SPF) DNS lookup limit is exceeded, the SPF record validation will fail, and the receiving email server will likely reject the email message or mark it as spam. This can negatively impact email deliverability and may result in important emails being blocked or sent to the recipient's spam folder.
How to Fix An "SPF Too Many DNS Lookups" Error?
"SPF too many DNS lookups" error occurs when your SPF record includes multiple mechanisms that require DNS lookups, such as "include" and "a" or "mx" mechanisms, and the total number of lookups exceeds the limit of 10, set by the SPF specification.
1. Remove unnecessary include: mechanisms
2. Use the IP4 and IP6 method
3. Remove mechanisms with duplicate functionality
4. Eliminate "ptr" mechanism
You can do everything manually, but it would be much easier if you sign up to a service like EasyDMARC's Managed SPF and configure a flattened SPF for your domain.