What is an SPF record?

Last updated on 13 Mar 2024, 19:41:43.

SPF stands for "Sender Policy Framework." It is a special TXT record that is placed in the domain name zone and lists all the servers that are "allowed" to send mail for that domain name. TXT records are used to publish important information in a domain name zone: the SPF value is one of them, others are the DMARC values, verification strings (for SSL certificates, onboarding of M365) and so on.

SPF is a form of email authentication.
It works as follows: if a mail is sent via your domain name to, say, a gmail.com address, the receiving mail server uses the SPF record to check whether the server that sent the mail (!) was allowed to send it.
If the server is in the list of "servers" in the SPF record, the mail will be allowed; if the server is not in this list, the mail will be refused by gmail.com or flagged as a SPAM message.

SPF records only work on the original sending address. Thus, they do not help against e-mail spoofing in which the original from address is still in the mail headers but the From: address displayed in the e-mail client is a different one.
A DMARC (Domain-based Message Authentication, Reporting and Conformance) record addresses this problem.

You can read more about a DMARC record in the following article.

What does a DNS SPF record look like?

A simple DNS lookup for an SPF record can look like this:

nslookup -type=TXT domainname.be

This can return the following value:

domainname.be. IN TXT "v=spf1 a mx ip4:192.168.1.1 include:spf.provider.be -all"

The various components of an SPF record are as follows:

v: the version of the SPF protocol, spf1 in this case.

a: this specifies that the server the domain name itself points to (its A record) may send mail for the domain name. This can be extended to a:<hostname>, in which case the server with that hostname may send mail for this domain.

mx: this specifies that the servers handling incoming mail may also send mail for the domain name.

ip4: this is an IPv4 address (192.168.1.1 in the example) of a server that is allowed to send mail for the domain name. There is also an ip6 variant for IPv6 addresses.

include: this indicates that another SPF record is included in this one. In our example this means that spf.provider.be itself contains an SPF record with servers that are allowed to send mail for this domain.

all: the "all" value should always be at the end of the SPF record and gives the default value of how the record should "match" if none of the previous values match.

-all means that messages coming from a server that is not in the previous list of the SPF record will always be marked as an incorrect sender (spam).

+all means that any server can send for this domain name, so this is strongly discouraged!

~all is a so-called "softfail" and tells the mail server performing the check that the server that sent the mail may not have authorization to send the message. The message can possibly be labeled as spam.

?all is a neutral setting of the SPF record: it does not convey whether the server is authorized to send mail or not.

Those who want to learn more about SPF can find the full SPF specification at https://datatracker.ietf.org/d....
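
The following is an added example, not Kinamo's code: it evaluates the sample record above from left to right for a given sending IP and returns the result of the first mechanism that matches. The DNS answers in DNS (the A and MX addresses and the contents of spf.provider.be) are constructed, and only the a, mx, ip4, ip6, include and all mechanisms described above are handled.

```python
import ipaddress

# Constructed DNS answers (not real records), keyed by (name, record type).
DNS = {
    ("domainname.be", "TXT"): "v=spf1 a mx ip4:192.168.1.1 include:spf.provider.be -all",
    ("domainname.be", "A"): ["203.0.113.10"],
    ("domainname.be", "MX"): ["mail.domainname.be"],
    ("mail.domainname.be", "A"): ["203.0.113.20"],
    ("spf.provider.be", "TXT"): "v=spf1 ip4:198.51.100.0/24 ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _matches(mech, arg, domain, ip, dns, depth):
    """Return True when a single mechanism matches the sending IP."""
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return str(ip) in dns.get((arg or domain, "A"), [])
    if mech == "mx":
        hosts = dns.get((arg or domain, "MX"), [])
        return any(str(ip) in dns.get((h, "A"), []) for h in hosts)
    if mech == "include":
        # An include matches only when the included record itself yields "pass";
        # its own softfail or fail does not propagate to the outer record.
        return check_spf(arg, str(ip), dns, depth + 1) == "pass"
    return False  # modifiers and other mechanisms are outside this example


def check_spf(domain, sender_ip, dns=DNS, depth=0):
    """Evaluate the SPF record of `domain` for `sender_ip`, left to right."""
    record = dns.get((domain, "TXT"), "")
    if depth > 10 or not record.startswith("v=spf1"):  # guard against include loops
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"  # no prefix means "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if _matches(mech.lower(), arg, domain, ip, dns, depth):
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term
```

An address that appears nowhere in either record ends at -all and gets "fail", even though the included record of spf.provider.be ends in ~all.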

Messages sent via Kinamo

If mail is sent via a Kinamo mail server (mail, webmail), the SPF record must contain at least the following values:

@ IN TXT "v=spf1 include:spf.kinamo.be ~all"

By adding include:spf.kinamo.be, you indicate to receiving mail servers that Kinamo's mail server infrastructure is authorized to send mail for your domain name.

Need help configuring your SPF DNS record?

Setting up an SPF record can be both simple and complex. Especially if you use multiple servers, mailing systems and cloud services, an SPF record can quickly become a cluttered list of servers that don't belong there.

If you're unsure about the proper configuration of your SPF record, ask one of the Kinamo specialists for help.

