Setting up or fixing an SPF record can be pretty difficult. It requires time, precision, and a deep understanding of how your different email sending systems work together. Who you authorize to send emails on your behalf impacts the delivery of your business' emails. To get started on the right foot, let's dive into the various ways of authorizing domains & IP addresses, and setting up an SPF record the right way.
An SPF record (RFC 7208) always consists of three types of content: the version, the mechanisms and the qualifier. The 'version' is always the same (since there is only one version available) and is always the first thing to mention in the record. If it is not, the receiving mail server will not recognize the TXT record as an SPF record and the check will fail. The version is always "v=spf1". Therefore, the SPF record in your DNS starts with: TXT v=spf1
You can only have one SPF record, as the RFC mentions:
A domain name MUST NOT have multiple records that would cause an authorization check to select more than one record.
To allow domains & IP addresses to send emails on your behalf, you need to use so-called mechanisms. These define the way you add trusted senders to the list, and how you want to deal with IP addresses that are not on that list. There are two types of mechanisms: basic mechanisms and designated sender mechanisms.
Basic mechanisms are a part of the SPF record, but are not used to authorize IP addresses:
Designated sender mechanisms are used to identify and authorize a set of IP addresses to send emails on your domain's behalf:
The a and mx mechanisms refer to the respective DNS records (A/AAAA and MX) of the domain specified after them. These records contain the IP addresses that the receiving mail server will look up and check. This applies to both the specified domain (yourcompany.com) as well as its subdomains (mail.yourcompany.com): a:yourcompany.com mx:yourcompany.com
You can also specify IP addresses and ranges for both IPv4 and IPv6 addresses in an SPF record. With this you grant permission to these addresses to send emails on your behalf. This method also saves on the number of lookups (max. 10): the IP addresses that may email on behalf of the domain are already in the record itself.
flowmailer.com TXT v=spf1 include:spf.flowmailer.net ~all
spf.flowmailer.net TXT v=spf1 ip4:184.108.40.206/27 ip4:220.127.116.11/27 ~all
It's possible to combine different mechanisms and include a multitude of IP addresses, pointers and records. The number of lookups is subject to a maximum of ten. A lookup is counted whenever another DNS record has to be 'looked up' to evaluate the SPF record, which is the case for pointers to other domains (includes) and records (a and mx). A combined (functioning) record could look like this, for example:
TXT v=spf1 a:yourcompany.com mx:yourcompany.com ip4:18.104.22.168/14 ip6:2a01:7c8:3:1337::27 include:spf.flowmailer.net ~all
To indicate what action the receiving mail server should take for senders not matched by any mechanism, prefix the all mechanism with one of these characters:
~, -, + or ?:
To get your new SPF record to work, you will have to add the record in your Domain Name System (DNS) settings. You do this (in most cases) as follows:
An SPF record always consists of the version, one or more mechanisms and a qualifier. When building an SPF record, the version comes first (v=spf1), the mechanisms that include IP addresses are in the middle, and you close the SPF record with a qualifier (~, -, + or ?) followed by all.
Though mechanisms come with limits (at most 10 lookups, and the record should not exceed a certain length), they define which IP addresses are allowed to send emails on your behalf. Make sure to keep that list complete and updated regularly!
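As an added example, not code from the article or from Flowmailer, here is a small Python checker for the structure described above (version first, mechanisms, qualifier + all) and for the ten-lookup limit from the combined-record section. SAMPLE is a constructed record based on the article's combined example; offline it can only match the literal ip4/ip6 terms, so lookup terms are skipped and reported, not resolved.

```python
import ipaddress
import re

# Terms that cost a DNS lookup when a receiver evaluates the record; RFC 7208
# caps them at 10 per check. ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"^([a-z][a-z0-9_.-]*)(?:[:=/](.*))?$", re.I)

# Constructed sample modelled on the article's combined record (a:domain, mx:domain syntax).
SAMPLE = ("v=spf1 a:yourcompany.com mx:yourcompany.com ip4:18.104.22.168/14 "
          "ip6:2a01:7c8:3:1337::27 include:spf.flowmailer.net ~all")

def parse_spf(record):
    """Split one TXT record into (qualifier, name, value) terms; ValueError stands in for PermError."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    info = {"terms": [], "lookups": 0, "policy": None}
    for part in parts[1:]:
        qual, body = (part[0], part[1:]) if part[0] in QUALIFIERS else ("+", part)
        m = TERM_RE.match(body)
        name, value = (m.group(1).lower(), m.group(2) or "") if m else ("", "")
        if name not in KNOWN_TERMS:
            raise ValueError(f"unknown mechanism: {part!r}")
        if name in ("ip4", "ip6"):
            # A stray space ("ip4: 1.2.3.4") leaves an empty value and fails here.
            ipaddress.ip_network(value, strict=False)
        elif name in LOOKUP_TERMS:
            info["lookups"] += 1
        elif name == "all":
            info["policy"] = QUALIFIERS[qual]
        info["terms"].append((qual, name, value))
    if info["lookups"] > 10:
        raise ValueError(f"{info['lookups']} DNS lookups exceed the limit of 10")
    return info

def ip_result(info, ip):
    """Match ip against literal ip4/ip6 terms, else fall back to 'all'; flag says lookup terms were skipped."""
    addr, skipped = ipaddress.ip_address(ip), False
    for qual, name, value in info["terms"]:
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qual], skipped
        if name in LOOKUP_TERMS:
            skipped = True
        if name == "all":
            return QUALIFIERS[qual], skipped
    return "neutral", skipped  # no 'all' term: RFC 7208 default result
```

A record that fails here (wrong version, bare domain, space after "ip4:", more than ten lookups) is one a receiving server will treat as a permanent error, so every sender ends up unauthorized.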