How does an SPF record work?

Sender Policy Framework (SPF) is a mechanism to prevent email spoofing and spamming. It enables email recipients to check whether a particular email was actually sent from an authorized server.

An SPF record is a DNS setting that specifies which servers are authorized to send emails on behalf of a domain. When an email is sent from a server, the email recipient checks the SPF record of the sender's domain to ensure that the server from which the email originates is actually authorized to send emails on behalf of the domain.

The structure of an SPF record looks like this:

v=spf1 [Parameter]

The parameter specifies which servers are authorized to send emails on behalf of the domain. There are various parameters that can be used in an SPF record:

  • A: This parameter specifies that the server in question is authorized to send emails on behalf of the domain. The syntax is "a:" or "a:".
  • MX: This parameter specifies that all servers listed as MX records for the domain are authorized to send emails on behalf of the domain.
  • include: This parameter allows SPF records of other domains to be included in the SPF record of the current domain. The syntax is "include:".
  • ~all: This parameter specifies that if a server attempts to send an email on behalf of the domain that is not listed in the domain's SPF record, the email may be marked as spam but not rejected.
    This option offers some flexibility and is helpful if you are not sure whether all servers sending emails on behalf of your domain are listed correctly.
  • -all: This parameter is much stricter than ~all. If a server attempts to send an email on behalf of the domain but is not listed in the domain's SPF record, the email is always rejected and not delivered.
    This option offers a higher level of security and is recommended if you want to ensure that only authorized servers can send emails on behalf of your domain.
  • ?all: This means that the result of the check is not taken into account. We do not recommend this option because it would allow anyone to send emails on behalf of the domain and the SPF record would therefore be useless.

An example of an SPF record could look like this:

v=spf1 include:_spf.google.com ip4:123.123.123.100 ~all

This entry states that all servers listed in the SPF record of the domain "_spf.google.com" are authorized to send emails on behalf of the domain. In addition, the ip4 term authorizes the server with the IP 123.123.123.100 to send emails on behalf of the domain. An IP address must be given with ip4 (or ip6), because include only accepts a domain name.

Because the record ends with ~all, an email from a server that is not included in the SPF record is marked but not rejected.
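
A record can be checked offline before it is published. The following Python linter is an added example, not part of the original article: it reports the policy set by the all term, flags ?all and +all, flags an IP address used with include:, a: or mx:, and counts lookup terms against the limit of 10 DNS lookups set by RFC 7208. The sample records and function names are constructed for illustration; ip4: and ip6: are standard SPF mechanisms that the parameter list above does not cover.

```python
import ipaddress

# Terms that trigger a DNS lookup; RFC 7208 allows at most 10 per SPF check.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
ALL_POLICY = {"-": "fail (reject)", "~": "softfail (mark)",
              "?": "neutral (result ignored)", "+": "pass (anyone may send)"}
# Constructed sample records; 203.0.113.10 is a documentation address.
SAMPLES = ["v=spf1 include:_spf.google.com ip4:203.0.113.10 ~all",
           "v=spf1 include:203.0.113.10 ?all"]

def is_ip(value):
    """True if value is a bare IPv4/IPv6 address or CIDR network."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def lint_spf(record):
    """Return (all_policy, lookup_terms, warnings) for one SPF TXT string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, 0, ["record does not start with v=spf1"]
    policy, lookups, warnings = None, 0, []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        # Split "name:value", "name=value" or "name/prefix" into name and value.
        name, _, value = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()
        if policy is not None:
            warnings.append(f"'{term}' follows 'all' and is never evaluated")
        if name in LOOKUP_TERMS:
            lookups += 1  # lookups inside included records count too (not resolved here)
        if name == "all":
            policy = ALL_POLICY[qualifier]
            if qualifier in "?+":
                warnings.append(f"'{term}' leaves the record without effect")
        elif name in ("include", "a", "mx") and is_ip(value):
            warnings.append(f"'{term}' needs a domain name; use ip4:/ip6: for addresses")
        elif name in ("ip4", "ip6") and not is_ip(value):
            warnings.append(f"'{term}' is not a valid address or network")
    if policy is None and not any(t.lower().startswith("redirect=") for t in terms):
        warnings.append("no 'all' term: unlisted servers get a neutral result")
    if lookups > 10:
        warnings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return policy, lookups, warnings

if __name__ == "__main__":
    print(*(lint_spf(rec) for rec in SAMPLES), sep="\n")
```

The lookup count covers only the terms written in the record itself, so a record that passes here can still exceed the limit once its include: targets are resolved.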

Overall, an SPF record is an important part of email authentication. It helps to improve the security of email communications and reduce spamming and email spoofing. If you own a domain, you should have a correct SPF record set up for it so that your emails are not marked as spam.