
If you’ve ever had emails land in spam folders—or worse, discovered someone was spoofing your email domain—then it’s time to get familiar with SPF (Sender Policy Framework).

SPF is an essential layer of email authentication that helps prevent spammers and attackers from sending forged emails using your domain. It works behind the scenes to make sure the emails claiming to be from you actually are from you. It’s one of the key tools—alongside DMARC and DKIM—that helps protect your domain from spoofing, phishing, and fraud.

In a Nutshell

SPF is a security tool (a text record installed on your domain) that helps prevent scammers from sending fake emails that appear to come from your domain. It tells receiving mail servers which sources are allowed to send email on your behalf, helping protect your brand and improve email deliverability.

How SPF Works

Every time your domain sends an email, the receiving mail server checks your SPF record, a simple DNS entry that lists which servers are allowed to send on behalf of your domain.

If the server sending the email is listed in your SPF record, it passes. If not, it can be flagged or rejected, depending on how strict the receiving server is.

Think of SPF like a guest list at a party—only pre-approved senders get in.

What an SPF Record Looks Like

An SPF record is added to your DNS as a TXT entry. Here’s a typical example:

v=spf1 include:_spf.google.com include:mailgun.org ip4:192.0.2.0/24 -all

Breakdown:

  • v=spf1 – Identifies the TXT record as an SPF record.
  • include:_spf.google.com – Allows Google Workspace servers to send mail for your domain.
  • include:mailgun.org – Allows Mailgun to send on your behalf.
  • ip4:192.0.2.0/24 – Authorizes a specific IP range to send mail.
  • -all – States that any sender not listed should be rejected.

SPF Mechanisms and Qualifiers Explained

Mechanisms:

  • ip4 / ip6: Authorize a specific IP or range.
  • include: Delegate permission to another domain’s SPF policy.
  • a / mx: Authorize the hosts that your domain’s A or MX records point to.
  • exists: Matches when a DNS lookup for the given domain name returns a result.
  • all: A catch-all match (usually at the end of the record).

Qualifiers:

  • + (pass): Default; means allow.
  • - (fail): Hard fail. Disallow and possibly reject.
  • ~ (soft fail): Not authorized, but don’t reject outright.
  • ? (neutral): No policy applied.

Example:

v=spf1 ip4:203.0.113.5 include:_spf.google.com ~all

This means: Allow 203.0.113.5 and Google’s servers; soft fail everyone else.

Why SPF Matters

SPF protects your domain’s reputation and your customers’ inboxes. Here's what it helps prevent:

  • Email Spoofing – Attackers impersonating your domain.
  • Phishing Attacks – Fraudulent emails pretending to be from you.
  • Spam Complaints – Messages sent from unauthorized servers that land in spam.

Combined with DKIM and DMARC, SPF is a foundational part of a secure email setup.

How to Set Up SPF

  1. List your sending sources – Email providers like Google Workspace, Microsoft 365, Mailchimp, or your web server.
  2. Craft your SPF record – Using tools like MXToolbox or SPFWizard.
  3. Add a DNS TXT record – At your domain’s DNS host under your root domain.
  4. Test it – Use SPF validation tools to check for errors.

Best Practices for SPF

  • Keep your SPF record under 10 DNS lookups to avoid exceeding the limit.
  • Use include: statements for trusted providers instead of IPs when possible.
  • Avoid using +all – it opens your domain to abuse.
  • Monitor and update your SPF record regularly when adding/removing mail services.
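
The checks in this list can be run mechanically against a record before it is published. The Python linter below is an added example, not part of the original post or of any tool it names; the function names are illustrative, the list of lookup-costing terms follows RFC 7208, and the lookup count covers only the record itself (lookups inside nested include: records would need live DNS).

```python
import ipaddress
import re

# Terms that each cost one DNS lookup toward the limit of 10 (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:([:=/])(.*))?$")

def parse_spf(record):
    """Split an SPF TXT value into (qualifier, name, separator, value) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"unparseable term: {tok!r}")
        qual, name, sep, value = m.groups()
        terms.append((qual or "+", name.lower(), sep or "", value or ""))  # '+' is the default
    return terms

def lint_spf(record):
    """Return (lookups, findings); lookups counts this record only, not nested includes."""
    terms, findings = parse_spf(record), []
    lookups = sum(1 for t in terms if t[1] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    mechanisms = [t for t in terms if t[2] != "="]  # '=' marks a modifier such as redirect=
    all_pos = [i for i, t in enumerate(mechanisms) if t[1] == "all"]
    if not all_pos and not any(t[1] == "redirect" for t in terms):
        findings.append("no 'all' term: unlisted senders get a neutral result")
    if all_pos and mechanisms[all_pos[0]][0] == "+":
        findings.append("+all authorizes every sender")
    if all_pos and all_pos[0] != len(mechanisms) - 1:
        findings.append("mechanisms after 'all' are never evaluated")
    for _, name, _, value in terms:
        if name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(value, strict=False).version != int(name[2]):
                    raise ValueError(value)
            except ValueError:
                findings.append(f"invalid {name} value: {value!r}")
    return lookups, findings

if __name__ == "__main__":
    # The first record is the post's example; the second is constructed to trip the checks.
    for rec in ("v=spf1 include:_spf.google.com include:mailgun.org ip4:192.0.2.0/24 -all",
                "v=spf1 ip4:203.0.113.500 +all mx"):
        print(rec, "->", lint_spf(rec))
```
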

Final Thoughts

SPF is a simple yet powerful tool to help secure your domain from being misused. By authorizing only specific senders and rejecting all others, you’re taking a proactive step toward stronger email authentication—and better deliverability.

Want help implementing SPF, DKIM, and DMARC the right way? Reach out to Gaslamp Village Media, and we’ll make sure your email domain is locked down tight.
