SPF Records

Sender Policy Framework (SPF) records are a way to authenticate emails sent from a domain. Spam and phishing emails often use fake From and Reply-To addresses to hide the actual senders. An SPF record lists mail servers that are allowed to send email from a domain. If an email is sent from a server that is not listed in the SPF record, the receiving email host knows the message is spam.

An SPF record is added to Custom DNS as a TXT record. Make sure that every mail server you use is included in the record. A server missing from the record may cause undelivered mail.

How to Add an SPF Record

Contact your email provider(s) to get their recommended records. If you use multiple providers, all of them need to be combined into a single record.

When you have the information, you can add the record to Custom DNS as a TXT record:

  1. Log in to the Domain Name Management System
  2. Click the domain to update
  3. Click Domain Address Settings
  4. If Custom DNS is already on for your domain, you can skip this step.
    If you are turning on Custom DNS, read the warning, agree to the Terms of Service, and click Enable
  5. Click Add New Record
  6. Select TXT from the Add New Record menu
  7. Enter @ as the Host Name, or leave the field blank
  8. Enter the SPF record into the Text box
  9. Click Add Record

SPF Records with Pair Networks

If you use Pair Networks for email, you can create a default SPF record that will include any Pair Networks server that might send email for a domain. You can follow these steps to generate the SPF record:

  1. Log into the Account Control Center
  2. Click Domains
  3. Click Manage Your Domain Names
  4. Click the domain to update
  5. Click Change SPF Settings
  6. If you use Pair Networks name servers, you can click Activate SPF to activate the record. Then you can skip the rest of these steps
    If you use Pair Domains name servers, copy the displayed SPF record
  7. In a new browser tab, log in to the Domain Name Management System
  8. Click the domain to update
  9. Click Domain Address Settings
  10. If Custom DNS is already on for your domain, you can skip this step.
    If you are turning on Custom DNS, read the warning, agree to the Terms of Service, and click Enable
  11. Click Add New Record
  12. Select TXT from the Add New Record menu
  13. Enter @ as the Host Name, or leave the field blank
  14. Paste the SPF record from the Account Control Center into the Text box
  15. Click Add Record

Please Note: If you use additional email services like mailing lists, you should contact your service provider to find out what additional information might need to be added to the SPF record.

Additional Information About SPF Records

The host name for SPF records is usually @. That means the record is for the domain itself. It affects email from mailbox@example.com. If you want the record to affect email from mailbox@subdomain.example.com, you can enter subdomain as the host name.

The Text field always starts with v=spf1 which means the record uses the first version of SPF. That is followed by a list of servers authorized to send email. The servers may be listed as IP addresses and/or host names. These are the primary ways you can list the mail servers:

  Mechanism            Meaning
  a                    the A record for the domain itself
  a:host_name          the A record for host_name
  include:host_name    include the TXT record for host_name
  ip4:ipv4_address     the specified IPv4 address or addresses
  ip6:ipv6_address     the specified IPv6 address or addresses
  mx                   the MX record for the domain itself
  mx:host_name         the MX record for host_name

There are additional mechanisms, but you are unlikely to use them unless your mail host requests them.

The record ends with a qualifier and the word all. This tells mail servers what to do with messages that come from unauthorized servers.

Using ~all is a soft failure. This means messages that fail SPF checks will be flagged as likely spam but the messages are still delivered.

Using -all is a hard failure. This means messages that fail SPF checks will not be delivered.

SPF Lookup Limits

Mail servers are limited to 10 DNS lookups when checking an SPF record. It is unlikely that you will encounter this limit, but it is possible.

When checking the SPF record, the IP4 and IP6 mechanisms do not require lookups because they contain the actual IP addresses. Each A, MX, and INCLUDE mechanism will require at least one lookup. Each A requires one to find the IP address of the domain or host name. Each MX requires at least two. The first is to find the mail server(s) listed in the MX record. Then each mail server in the MX record has to be checked to find the corresponding IP address(es). If a domain has multiple MX records, each record needs to be checked and counts as an additional DNS lookup.
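
The sketch below is an added example, not code from Pair Networks. It combines the records of several email providers into the single record described under "How to Add an SPF Record" and estimates the lookups described above. The provider records and host names are constructed, and the lookup costs are the minimums this page gives (a = 1, include = 1, mx = 2, ip4 and ip6 = 0), so the total is a floor.

```python
# Added example (not Pair's code). Costs are the minimums this page describes;
# records pulled in by include are not fetched, so the total is a floor.
LOOKUP_COST = {"a": 1, "include": 1, "mx": 2, "ip4": 0, "ip6": 0}
LOOKUP_LIMIT = 10

# Constructed sample records for two hypothetical providers.
PROVIDER_A = "v=spf1 include:spf.mail-a.example ip4:192.0.2.10 -all"
PROVIDER_B = "v=spf1 mx include:spf.mail-b.example ip4:192.0.2.10 ~all"

def mechanism(term):
    """Return the mechanism name of a term: '-all' -> 'all', 'a/24' -> 'a'."""
    body = term[1:] if term[0] in "+-~?" else term
    return body.partition(":")[0].partition("/")[0].lower()

def parse_spf(record):
    """Return the terms after v=spf1; raise ValueError for anything else."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1: %r" % record)
    return terms[1:]

def merge_spf(records, all_qualifier="~"):
    """Combine several providers' records into one record with a single 'all'."""
    merged = []
    for record in records:
        for term in parse_spf(record):
            # Drop each provider's own 'all' and any exact duplicate term.
            if mechanism(term) != "all" and term not in merged:
                merged.append(term)
    return " ".join(["v=spf1"] + merged + [all_qualifier + "all"])

def min_lookups(record):
    """Minimum DNS lookups needed for the record's own terms."""
    return sum(LOOKUP_COST.get(mechanism(t), 0) for t in parse_spf(record))

def check(record):
    """Return a list of problems to fix before the record is published."""
    terms = parse_spf(record)
    problems = ["term not in this page's table: " + t for t in terms
                if mechanism(t) not in LOOKUP_COST and mechanism(t) != "all"]
    if not terms or mechanism(terms[-1]) != "all":
        problems.append("record does not end with a qualifier and 'all'")
    if min_lookups(record) > LOOKUP_LIMIT:
        problems.append("needs more than %d DNS lookups" % LOOKUP_LIMIT)
    return problems

if __name__ == "__main__":
    combined = merge_spf([PROVIDER_A, PROVIDER_B])
    print(combined, min_lookups(combined), check(combined))
```

Pass all_qualifier="-" to merge_spf to end the combined record with -all instead of ~all.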