burger
Features

Every tool you need for AI sales outreach

Independent AI sales assistant

An extra pair of hands for your sales growth

Our best AI emails

Clients' favorite emails generated by AiSDR

End-to-end AI Sales Outreach

All your bases covered within one solution

AI for HubSpot sales

Make the best of your CRM data

AiSDR Website Illustrations | Starts and lightning icon 1
Speak with our AI

Let AiSDR try and convince you to book a meeting with us

Explore Q2 2024 outreach benchmarks Grab my copy
<Back to blog

What is SPF?

What is SPF?
Jul 1, 2024
By:
Oleg Zaremba

SPF is an email protocol that allows you to authorize which servers can send emails from your domain. Find out why SPF is essential

8m 17s reading time

Robust email performance is an art form. 

Some tactics are clear, like sending useful and engaging content. But there are other ‘infrastructural’ methods you can set up to make reaching your target email stats easier.

If your thoughtfully crafted email fails to land in a person’s inbox, it doesn’t always mean that the content is bad. Instead, the reason your email was quarantined may simply be because you didn’t implement certain email authentication protocols that allow servers to confirm your identity and validate your emails.

The Sender Policy Framework (SPF) is one of three essential email protocols you have to implement to ensure your emails reach inboxes: SPF, DKIM, and DMARC

In this post, we’ll explain what SPF is, how it works, and how you can set it up.

What is the Sender Policy Framework?

SPF allows domain owners to whitelist all email servers that are authorized to send emails from their domain. This authorization also provides protection against spoofing.

It’s similar to a car manufacturer’s list of authorized part distributors. 

If you check the manufacturer’s website and can’t find the business you want to buy parts from, that distributor may not be legit and the parts might not be genuine. 

But if the manufacturer’s website does list the distributor, the manufacturer is essentially saying the seller is official, the parts are genuine, and you can trust that seller.

SPF’s protection of emails works similarly. 

SPF lists servers that are authorized to send emails from your domain.

This list is called an SPF record.

When an email with your name in the “From” field arrives from a server that’s not included in your SPF record, security systems get triggered and they send an alert that there’s an attempt at spoofing. 

But if an email bearing your name comes from an SPF-authorized address, the receiver’s server deems it safe.

What does an SPF record look like?

An SPF record is a specially formatted line of text that stores a list of authorized mail servers for your domain.

An SPF record consists of:

  • A prefix that identifies it as an SPF record
  • A formatted list of servers that are identified by their IP addresses
  • An “-all” ending telling the recipient’s server to reject all emails coming from addresses not included in the list

Some SPF records use “~all” as an alternative ending. This allows a server to accept emails from unlisted addresses, but such emails will be marked as spam.

It’s important to note that there can only be one SPF record associated with a domain. 

Although some email authentication methods allow the use of multiple lists (such as DKIM), the SPF protocol does not allow multiple records.

Brief explanation of SPF record syntax

The syntax of SPF records defines which servers are authorized to send emails on behalf of a domain.

Here’s a simple breakdown:

Basic syntax

v=spf1 [mechanisms] [modifiers] ~all

Here’s what each part means:

  • v=spf1 – This specifies the version of SPF being used (always v=spf1)
  • Mechanisms – These are rules that determine which IP addresses or domains are allowed to send emails. Common ones include:
    • ‘ip4’ or ‘ip6’: Allows specific IP addresses
    • ‘a’: Matches the domain’s A record
    • ‘mx’: Matches the domain’s mail servers (i.e. MX records)
    • ‘include’: Allows other domains (e.g., include:_spf.google.com)
  • Modifiers – These define how mechanisms are treated. These are the possible results:
    • + (pass): Default
    • - (fail): Emails from unauthorized sources are rejected
    • ~ (soft fail): Emails from unauthorized sources are accepted but marked as spam
    • ? (neutral): No specific action to take
  • ~all – Ends the record and allows servers to treat emails from unlisted addresses as spam

Here’s what this might look like in action:

Example SPF record

v=spf1 ip4:192.168.0.1 include:_spf.example.com ~all

This means:

  • Allow emails from the IP address 192.168.0.1
  • Include other authorized servers with the domain example.com
  • Treat all other emails as spam

How does SPF work?

The process of email authentication using SPF can be broken down into three main steps:

  • Publishing the SPF record
  • Performing Domain Name System (DNS) lookups
  • Verifying the SPF record

Publishing the SPF record

After you set up an SPF record (more on that later), you’ll need to publish it in your DNS so it’s available to everyone who needs to verify the authenticity of your email.

Performing DNS lookups

When a server receives your email, it extracts your domain name from the return-path address (an address to send bounced mail to, hidden in your header) and looks up an SPF record for this domain in your DNS records.

If you have an SPF record, the server uses it to verify the sender’s address.

Verifying the SPF record

The server searches the SPF record for the sender’s IP address. 

If the address is on the list and marked as authorized, the email goes through to the receiver. 

Otherwise, the email fails the server’s SPF check and the server may bounce the email back to the return-path address, delete it, or flag it as spam.

Why is SPF important?

On February 1, 2024, Google released new guidelines that mandated SPF or DKIM for everyone sending emails to Gmail accounts. 

However, SPF offers more than just compliance with Google’s policies.

A published SPF record makes it harder for malicious parties to impersonate your domain. 

Although it doesn’t guarantee 100% protection, your recipients will be safer from spoofing or phishing attempts when opening your emails. 

Here’s a bit of a closer look at how SPF enhances email security and deliverability.

Greater email security and trust

The Simple Mail Transfer Protocol (SMTP) – a standard communication protocol for emails – provides no protection against someone using the “From” field to pretend to be you. 

SPF makes sure the email was sent from an authorized server, regardless of what name is in the “From” field, which delivers an important layer of security.

Improved email deliverability

Without a published SPF record, receiving servers may not trust emails from your domain. As a result, emails may bounce or get marked as spam.

Too many bounces can tank your sender reputation with mail servers, which means your future emails become even more likely to be filtered away. 

When you use SPF, your emails will almost certainly reach their recipients instead of bouncing. Over time, this improved deliverability will add up, earning you an excellent reputation with mail servers.

DMARC compliance

Setting up SPF is an important step to compliance with the Domain-based Message Authentication Reporting and Conformance (DMARC) protocol. 

If you have neither SPF nor DKIM properly set up, your messages will probably bounce or be quarantined when sent to someone who uses DMARC.

Role of an SPF record in email authentication

SPF records play an essential role in email authentication since they state which servers can send emails on behalf of your domain.

Before accepting emails, receiving servers check the SPF record. If the sending server isn’t listed, the email can be flagged as spam or rejected.

How does Sender Policy Framework protect against spoofing and spam?

Here’s how SPF protects you from spoofing and spam:

  • Verifies the sending server – SPF checks that emails are coming from servers in the domain’s SPF record. If a server’s not there, the email is likely fraudulent.
  • Prevents domain spoofing – SPF blocks attackers from impersonating your domain by only allowing specific IP addresses to send emails via your domain.
  • Supports spam filtering – Email providers use SPF as a factor in spam filtering, rejecting or marking as spam any emails that fail SPF checks.

How to set up SPF

There are three steps to carry out to properly set up your SPF.

Identify all sending mail servers

To start, you need to know what domain or domains appear in your return path. It might be just one that’s the same as your domain, but not necessarily.

Google and some email service providers (ESPs) use your domain in your return path. 

However, there are ESPs such as Postmark that use their own domain instead of yours. In this case, there’s no need for you to set your own SPF as your provider’s probably using it.

If you discover your own domain name used in the return path, you can proceed to the next step.

Construct the SPF record

Check the ESP’s documentation and verify the correct format for how their address should appear in your SPF record. Copy it into a .txt file.

If you use multiple tools to send email (e.g. Google, Mailchimp, and HubSpot), make sure to add all their IP addresses (or domain names) to your SPF record. 

If and when you need to add more sending addresses, put them in the same SPF record. 

Never create a new SPF record for your domain. This is a common error that causes emails to fail SPF checks. Remember, a domain can have only one SPF record.

Publish the SPF record in your DNS

To publish your SPF record, follow your DNS provider’s specific instructions. In most cases, that means navigating to the DNS settings menu, adding a new .txt record to your domain, and then copying your SPF record into it. 

In some cases, you can upload the .txt file containing the SPF record directly to the DNS records.

With this, your SPF is all set! Now you can engage your audience more effectively and build a robust sender reputation.

Benefits of proper Sender Policy Framework implementation

Within the greater context of email security, these are the benefits of proper SPF implementation:

  • Prevents email spoofing by blocking unauthorized parties from sending emails that appear like they’re from your domain
  • Improves email deliverability by not flagging emails from authorized servers as spam
  • Protects brand reputation by reducing the risk of your domain being attacked by spam and phishing
  • Increases trust among recipients by building credibility with email providers
  • Strengthens overall email security in tandem with DKIM and DMARC
Book more, stress less with AiSDR
Check out how AiSDR will run your sales
GET MY DEMO
helpful
Did you enjoy this blog?
TABLE OF CONTENTS
1. What is the Sender Policy Framework? 2. What does an SPF record look like? 3. Brief explanation of SPF record syntax 4. How does SPF work? 5. Why is SPF important? 6. Role of an SPF record in email authentication 7. How does Sender Policy Framework protect against spoofing and spam? 8. How to set up SPF 9. Benefits of proper Sender Policy Framework implementation
AiSDR | Website Illustrations | LinkedIn icon | 1AiSDR Website Illustrations | LI iconAiSDR | Website Illustrations | X icon | 1AiSDR Website Illustrations | X iconAiSDR | Website Illustrations | Insta icon | 1AiSDR Website Illustrations | IG icon 2AiSDR | Website Illustrations | Facebook icon | 1AiSDR Website Illustrations | FB icon
link
AiSDR Website Illustrations | Best AI Tools for Primary and Secondary Market Research | Preview
Get an AI SDR than you can finally trust. Book more, stress less.
GO LIVE IN 2 HOURS
You might also like:
Using Generative AI to Clean a CSV File
Using Generative AI to Clean a CSV File
Oleg Zaremba
Oleg Zaremba •
Jun 13, 2024 •
2m 52s
Ever cleaned a csv? It's a headache, which is exactly why AiSDR turns it over to AI. Find out how we did it from our CTO
Read blog>
How to Warm Up an Email Account
How to Warm Up an Email Account
Joshua Schiefelbein
Joshua Schiefelbein •
Feb 5, 2024 •
8m 25s
A cold mailbox will stop your outreach faster than you can say "Go!" Check out how you can properly warm up your accounts
Read blog>
How to Set Up a New Email Domain
How to Set Up a New Email Domain
Oleg Zaremba
Oleg Zaremba •
Jul 3, 2024 •
6m 46s
A professional email address is key for making a good impression in sales. For that, you need a custom domain. Here's how to set one up
Read blog>
What are SPF, DKIM, and DMARC?
What are SPF, DKIM, and DMARC?
Oleg Zaremba
Oleg Zaremba •
May 14, 2024 •
2m 35s
Want to stop malicious actors from hijacking your emails? Make sure to set up the trio of email security protocols: SPF, DKIM, & DMARC
Read blog>
See how AiSDR will sell to you.
Share your info and get the first-hand experience
See how AiSDR will sell to you