A properly configured SPF record improves email security and reduces the risk of phishing and spoofing.
| Tag | Description |
|---|---|
| v (required) | The version tag. The only allowed value is “spf1”. If it is incorrect or missing, the SPF record is ignored. |
| ip4 | Lists the IPv4 addresses or ranges allowed to send email on behalf of the domain. |
| ip6 | Lists the IPv6 addresses or ranges allowed to send email on behalf of the domain. |
| a | Matches when the sending IP appears in the A records of the named domain. If no domain is given, the current domain is used. |
| mx | Matches when the sending IP is one of the hosts listed in the MX records of the named domain. If no domain is given, the current domain is used. |
| ptr (not recommended) | Validates the sender through the reverse (PTR) record of the sending IP. If no domain is given, the current domain is used. |
| exists | Matches when an A record exists for the named domain. |
| include | References another domain’s SPF record, so the recipient evaluates that domain’s authorized sources as if they were listed here. Every third-party sending service should be referenced this way. |
| all (required) | Must be the last mechanism in the record. Its qualifier (~, +, -, ?) tells the recipient how to treat mail from sources not matched by the earlier mechanisms. |
Here are some examples of common SPF records:
1. A basic SPF record that allows the domain’s MX (mail exchange) servers to send email:
v=spf1 mx ~all
This record indicates that any server listed in the domain’s MX records is authorized to send email on behalf of the domain. The tilde (~) indicates that the domain owner requests that messages failing SPF checks be treated as a soft fail.
2. An SPF record that allows a specific IP address range to send email:
v=spf1 ip4:192.0.2.0/24 ~all
This record allows any server with an IP address in the range 192.0.2.0 to 192.0.2.255 to send email on behalf of the domain. The CIDR notation (/24) defines the range of addresses that are allowed. The tilde (~) again indicates a soft fail.
3. An SPF record that allows multiple sources to send email:
v=spf1 a:example.com include:_spf.google.com ~all
This record allows any server listed in the A record of example.com and any server authorized by the SPF record of _spf.google.com to send email on behalf of the domain. The include mechanism lets the domain owner reference another domain’s SPF record. The tilde (~) again indicates a soft fail.
4. An SPF record that specifies a hard fail:
v=spf1 a:example.com -all
This record allows any server listed in the A record of example.com to send email on behalf of the domain. The minus (-) before the all mechanism indicates that any server failing the SPF check should be treated as a hard fail, meaning the message should be rejected.
You should use SPF for four main reasons.
1. To improve your domain security. SPF helps to prevent spoofing (email fraud and spoofing). By defining which sending sources (IP addresses, services, domains) are authorized to send email on behalf of a domain, an organization can prevent cybercriminals from sending phishing emails (fraudulent or spoofed email) from the organization’s domain.
2. To improve email deliverability. By using SPF, an organization can improve its email deliverability by ensuring that its legitimate email messages are not marked as spam or rejected by recipient email servers.
3. To protect domain reputation. When a domain is used to send spam or fraudulent email messages, its reputation can be damaged. This can result in legitimate email messages being marked as spam or rejected by email servers. SPF helps to ensure that legitimate email messages are not affected by the actions of malicious actors.
4. Compliance. In some cases, organizations are required to use SPF in order to comply with regulations or industry standards. For example, the Payment Card Industry Data Security Standard (PCI DSS), GDPR and SOC 2 require that organizations use SPF to protect against email fraud and spoofing. An SPF checker helps you find such issues quickly.
An SPF record has a 10 DNS lookup limit. The SPF 10 DNS lookup problem occurs when a receiving email server evaluates the Sender Policy Framework (SPF) record of an incoming email and finds that the record requires more than 10 DNS lookups. You may see a “too many DNS lookups” message in this case. The DNS lookups are used to determine whether the email originated from an authorized mail server.
The SPF specification limits the number of DNS lookups to 10, so an SPF record that needs more than 10 lookups can cause delivery issues. Once the receiving email server reaches the limit of 10 DNS lookups, it may stop processing the SPF record and consider the email unauthorized or mark it as spam.
To fix the SPF 10 DNS lookup problem, you need to reduce the number of DNS lookups in your SPF record. Here are a few tips to help you do that:
1. Use the “include” mechanism: The “include” mechanism lets you reference another domain’s SPF record rather than listing its individual IP addresses or hostnames in your own SPF record. This reduces the number of DNS lookups needed, as the include itself counts as a single DNS lookup.
2. Use the “redirect” mechanism: The “redirect” mechanism lets you point to another domain’s SPF record instead of publishing your own list of mechanisms. This reduces the number of DNS lookups needed, as the redirect counts as a single DNS lookup.
3. Use SPF macros: SPF macros are placeholders that can be used in SPF records to represent multiple IP addresses or domains in a single mechanism, which reduces the number of DNS lookups needed.
4. Use an SPF flattening service: SPF flattening services help reduce the number of DNS lookups by consolidating all of the SPF mechanisms and includes into a single SPF record.
By reducing the number of DNS lookups in your SPF record, you can avoid the SPF 10 DNS lookup problem and improve email deliverability.
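The following Python example is added here and is not the tool’s or the page’s own code: it parses the record syntax from the table and examples above into (qualifier, mechanism, argument) triples, then counts DNS lookups the way a receiver does, following include and redirect into nested records. DNS is replaced by a constructed in-memory dictionary (FAKE_DNS; the records and domains in it are made up) so the example runs offline; the exists term carries a macro to show that macros still cost one lookup.

```python
import re
from typing import Dict, List, Tuple

# Terms that cost a DNS lookup (RFC 7208 sec. 4.6.4); ip4, ip6, all and exp do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$")


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Split an SPF TXT record into (qualifier, name, argument) triples.
    Raises ValueError for PermError conditions: wrong or missing version tag,
    an unparseable term, or an unknown mechanism."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("PermError: version tag must be v=spf1")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.match(term.lower())
        if not m or m.group(2) not in KNOWN_TERMS:
            raise ValueError(f"PermError: unknown or malformed term {term!r}")
        parsed.append((m.group(1) or "+", m.group(2), m.group(3) or ""))
    return parsed


def count_lookups(domain: str, resolver: Dict[str, str], depth: int = 0) -> int:
    """Count DNS lookups like a receiver, recursing into include/redirect.
    `resolver` maps domain -> SPF record and stands in for real DNS.
    Raises ValueError (PermError) past the 10-lookup limit or on a loop."""
    if depth > 10:
        raise ValueError(f"PermError: include/redirect loop at {domain}")
    record = resolver.get(domain.lower())
    if record is None:
        raise ValueError(f"PermError: no SPF record for {domain}")
    total = 0
    for _, name, arg in parse_spf(record):
        if name in LOOKUP_TERMS:
            total += 1  # the include/redirect query itself counts as one
        if name in ("include", "redirect"):
            total += count_lookups(arg, resolver, depth + 1)  # plus nested ones
        if total > 10:
            raise ValueError(f"PermError: more than 10 DNS lookups via {domain}")
    return total


# Constructed in-memory "DNS" for the demonstration; not real records.
FAKE_DNS = {
    "example.com": "v=spf1 mx a:example.com include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:192.0.2.0/24 include:_spf2.mailer.example -all",
    "_spf2.mailer.example": "v=spf1 ip6:2001:db8::/32 exists:%{i}.chk.example -all",
}

if __name__ == "__main__":
    print(parse_spf(FAKE_DNS["example.com"]))
    print("lookups for example.com:", count_lookups("example.com", FAKE_DNS))  # 5
```

For example.com the count is 5 (mx, a, include, the nested include, and exists), which shows why lookups hidden inside third-party includes must be counted too.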
PermError (short for “Permanent Error”) is a term used in the context of email authentication to describe an error that occurs when a receiving server attempts to use the Sender Policy Framework (SPF) mechanism to verify that an email message came from an authorized source, but the SPF record for the sender’s domain cannot be evaluated correctly. A PermError occurs when the SPF record for the sender’s domain is syntactically incorrect, does not exist, or cannot be retrieved from the DNS server due to an error. This means that the recipient’s mail server is unable to determine whether the email is legitimate, and may reject it or mark it as spam as a result. This SPF lookup tool helps you identify a PermError and suggests how to solve it.
SPF lookups are DNS queries performed by a mail server to determine if an email message is authorized to be sent from a particular domain. Each SPF record can contain multiple mechanisms and modifiers, and each of these can potentially require a separate DNS lookup, which can add up and exceed the maximum limit set by the recipient’s mail server. The maximum limit for SPF lookups is usually defined by the recipient’s mail server and can vary depending on the server’s configuration. Some mail servers may have a limit of 10 or 15 lookups, while others may allow more. To check the SPF lookup limit for a specific mail server, you can perform an SPF lookup for a domain that includes a large number of SPF mechanisms and modifiers, such as:
dig +short TXT example.com
This command retrieves the TXT records for the domain “example.com”, including its SPF record, and displays their contents. If the record contains many mechanisms and modifiers, evaluating it may exceed the lookup limit set by the recipient’s mail server, and some of the mechanisms may not be evaluated. To check whether a specific email message has exceeded the SPF lookup limit for a recipient’s mail server, analyze the message headers and look for any errors or warnings related to SPF evaluation. Some email clients and tools also provide more detailed information about the SPF evaluation process and any lookup limits that were encountered.
Testing and troubleshooting your SPF record can help ensure that it is working correctly and that your authorized sending IP addresses are being recognized. Here are some tips for testing and troubleshooting your SPF record:
1. Use an SPF checker: This tool and other free SPF check lookup tools can help you test your SPF record. These tools analyze your SPF record and let you know if there are any issues that need to be addressed.
2. Monitor email deliverability: If you notice that some email messages are being marked as suspicious or rejected by email servers, this may indicate a problem with your SPF record. Monitor your email deliverability and investigate any issues that arise.
3. Check DNS settings: Ensure that the SPF record is correctly published in your domain’s DNS settings. Use a DNS lookup tool to verify that the SPF record is correctly configured and accessible.
4. Review the policy statement: Double-check the policy statement in your SPF record to ensure that it lists all of the authorized sending IP addresses and uses the correct syntax.
5. Check for conflicts with other email authentication protocols: Ensure that there are no conflicts between your SPF record and other email authentication protocols, such as DKIM and DMARC. These protocols work together to provide additional layers of email authentication and security. You can use any DKIM check tool or DMARC check tool to validate your other records.
6. Test with different email clients and services: Test your SPF record with different email clients and services to ensure that it works correctly across all platforms. This can help identify any issues that are specific to certain email clients or services.
7. Consult a DNS or email expert: If you are having difficulty testing or troubleshooting your SPF record, consider consulting a DNS or email expert who can help you identify and resolve any issues.