

5 Simple Steps to Create an SPF Record for Your Email Domain

May 17, 2023

If you want to protect your email domain from spam, phishing, and other cyber threats, it’s essential to create an SPF (Sender Policy Framework) record. This record is a public list of authorized email servers that can send emails from your domain.

Here are five simple steps to build your SPF record:

Step 1: Gather IP addresses used to send email

Identify the email servers that are authorized to send emails for your domain. These may include your email service provider or any other third-party services that you use to send emails.

Create a comprehensive list of all your mail servers and their corresponding IP addresses. Make sure to consider all potential sources that may be used to send emails on behalf of your brand, including but not limited to:

  • Your email service provider’s (ESP) mail server
  • Your in-office mail server (e.g., Microsoft Exchange)
  • The mail server of your end-users’ mailbox provider
  • Any third-party mail server used to send emails on behalf of your brand
  • Your web server

In case you are unsure of what your IP addresses are, reach out to your ESP to obtain a list of the associated addresses linked with your account, or consult with your IT System Administrator to create a comprehensive list of the IP addresses utilized by your business.

Step 2: List all of your sending domains

It’s highly likely that your company possesses several domains, some of which are utilised for sending emails, while others are not.

It’s crucial to create SPF records for all the domains that your company controls, including those that are not used for mailing. Why is this necessary? Well, after securing your sending domains using SPF, cybercriminals may try to impersonate your non-sending domains as a next move.

Step 3: Create an SPF record

SPF performs sender authentication by comparing the IP address of the sending mail server to the list of authorized sending IP addresses that the sender has published in the DNS record.

Here’s a step-by-step guide to help you create your own SPF record:

Begin with the v=spf1 (version 1) tag, followed by the authorised IP addresses that are allowed to send emails. For instance, v=spf1 ip4:1.2.2.3 ip4:2.2.4.1

If you use a third-party email service provider to send emails on behalf of the domain in question, you must add an “include” statement in your SPF record. For instance, include:other-site.com should be added to designate the third party as a legitimate sender.

Once you have added all the authorized IP addresses and included statements, end your record with an ~all or -all tag.

The ~all tag represents a soft SPF fail, whereas the -all tag represents a hard SPF fail. Both tags will result in SPF failure in the eyes of major mailbox providers. However, Validity recommends using the -all tag since it is the most secure option.

Keep in mind that SPF records cannot exceed 255 characters in length, and you cannot include more than ten “lookups” or include statements. Below is an example of what your SPF record might look like:

v=spf1 ip4:1.2.2.1 ip4:2.3.2.3 include:other-site.com -all

For domains that do not send emails, the SPF record contains nothing except the version tag and the -all tag. Here’s an example of an SPF record for a non-sending domain:

v=spf1 -all

Congratulations! You have now created your own SPF record. The next step is to publish it.

Step 4: Publish your SPF to your DNS 

To ensure mailbox providers can reference your SPF record, collaborate with your DNS server administrator to publish it to DNS. If you’re using a hosting provider such as 123-reg or GoDaddy, this process should be straightforward. However, if your ISP manages your DNS records or if you’re unsure about the process, seek support from your IT department. Additionally, email service providers usually publish SPF records for sending domains on your behalf.

Step 5: Test your SPF

Go back to our DNS checker tool to make sure you have added your SPF correctly. 
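The following Python function is an added example, not part of the original article or of the DNS checker tool it mentions. It checks an SPF record string against the rules from Step 3: the v=spf1 prefix, valid ip4/ip6 values, a closing ~all or -all, and the 255-character and ten-lookup limits. It goes slightly beyond the text by counting every DNS-querying term defined in RFC 7208 (include, a, mx, ptr, exists, redirect) toward the lookup limit, not only include; the name lint_spf is an assumption.

```python
import ipaddress

# Terms that trigger a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
NO_LOOKUP_TERMS = ("all", "exp")
MAX_LOOKUPS = 10
MAX_LENGTH = 255  # character limit as stated in the article


def lint_spf(record):
    """Return a list of problems found in an SPF record string (empty = clean)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with v=spf1"]
    problems = []
    if len(record) > MAX_LENGTH:
        problems.append(f"record is {len(record)} characters, limit is {MAX_LENGTH}")

    lookups = 0
    for term in terms[1:]:
        bare = term.lstrip("+-~?").lower()  # drop the qualifier, if any
        # The term name ends at the first ':', '=' or '/' (e.g. a/24, redirect=...).
        name = bare.replace("=", ":").replace("/", ":").split(":", 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name in ("ip4", "ip6"):
            value = bare.partition(":")[2]
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):  # ip4 must hold IPv4, ip6 IPv6
                    raise ValueError
            except ValueError:
                problems.append(f"invalid {name} value: {value!r}")
        elif name not in NO_LOOKUP_TERMS:
            problems.append(f"unknown term: {term!r}")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups, limit is {MAX_LOOKUPS}")
    if terms[-1].lower() not in ("~all", "-all"):
        problems.append("record must end with ~all or -all")
    return problems


if __name__ == "__main__":
    # The two example records from Step 3, plus a constructed broken one.
    for rec in ("v=spf1 ip4:1.2.2.1 ip4:2.3.2.3 include:other-site.com -all",
                "v=spf1 -all",
                "v=spf1 ip4:1.2.2.300 include:other-site.com"):
        print(rec, "->", lint_spf(rec) or "OK")
```

Run it on the record before publishing in Step 4; it inspects only the string itself and does not resolve the included domains, so lookups nested inside a third party's own record are not counted.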

 
