What is SPF? Tutorial on Setting Up Enterprise Email SPF

SPF is the abbreviation of (Sender Policy Framework), which translates as “Sender Policy Framework”. SPF is to prevent someone from spoofing an email address. Usually, some spam, phishing, and fraudulent emails will pass fake emails. Send it through a regular business mailbox to make the recipient look more credible. Common spam content includes money-making messages, adult ads, commercial or personal website ads, e-magazines, chain letters, and more.

What is SPF?

Use Sender Policy Framework (SPF) to prevent phishing of your domain and prevent your outgoing messages from being marked as spam. SPF specifies the mail servers that are allowed to send mail for your domain. Incoming mail servers use SPF to verify that incoming mail that appears to be coming from your domain is from a server you authorize.

Without SPF, incoming mail servers are more likely to mark messages sent from your organization or domain as spam.

In addition to SPF, it is also recommended to set DKIM and DMARC.

How SPF protects against phishing and spam

Spammers may forge your domain name or organization information to send fake emails that appear to be from your organization. Such messages are called phishing messages. Phishing can be used for malicious purposes, such as spreading false information, sending unwanted software, or tricking users into providing sensitive information. SPF allows incoming mail servers to verify that mail that appears to be from your domain is actually being sent from your domain, and not forged or phished.

SPF helps prevent mail from your domain from being delivered to the Spam folder. If your domain doesn’t use SPF, the incoming mail server can’t verify that mail that appears to be coming from your domain is actually being sent by you.

Without SPF, the mail receiving server may send valid emails to the recipient’s “spam” folder, or may reject valid emails (depending on the recipient’s different mailbox system policies).

How to properly set SPF?

First determine which channels we need to send emails through:

  1. Need to send mail through the mail server itself, assuming the mail server IP is (required)
  2. It is possible to send emails through the website server, assuming the website server IP is: (optional)
  3. It is also possible to send emails through a relay server, assuming the relay server IP is: 333.333.333.333 (optional)
  4. The email domain name is testmail.com as an example

Domain name TXT record resolution settings

Setting the SPF of the mail server itself is very simple. Add a record of type TXT to the domain name resolution:

v=spf1 a mx ~all

If you add a website server and a relay server, you can refer to the following records for setting TXT:

v=spf1 a mx ip4: ip4:333.333.333.333 ~all

If you are using Tencent Enterprise Email, set the value of the TXT record to:

v=spf1 ip4: include:spf.mail.qq.com ~all

Detailed SPF instruction

markDescription and allowed values
vSPF version. This token is required and must be the first token in the record. This tag must be:v=spf1
ip4Authorize mail servers as IPv4 addresses or address ranges. The value must be a well-formed IPv4 address or address range, for example: ip4:
ip6Authorize mail servers as IPv6 addresses or address ranges. The value must be a well-formed IPv6 address or address range, for example: ip6:3FFE:0000:0000:0001:0200:F8FF:FE75:50DForip6:2001:db8:1234::/48
aAuthorize the mail server in the form of a domain name, for example:a:testmail.com
mxAuthorize one or more mail servers in the form of domain MX records, eg: mx:mail.testmail.comif the mechanism does not exist in your SPF record, the default is the MX record for the domain using the SPF record.
includeAuthorize third-party email senders by domain, such as:include:servers.mail.net
allSpecifies that all incoming messages match this mechanism. We recommend that you always include this mechanism in your SPF record. The mechanism must be the last mechanism in the SPF record. all Any mechanism listed after the mechanism in the SPF record  will be ignored. Should I use ~all or -all? If the SPF record contains  ~all( soft reject ), the receiving mail server will normally accept messages from senders not included in the SPF record, but will mark them as suspicious. If the SPF record contains  -all( fail qualifier ), the receiving mail server may reject mail from senders not included in the SPF record. If your SPF records aren’t set up correctly, failing qualifiers may result in more mail from your domain being classified as spam. Tip : To prevent phishing of a domain name that you don’t use to send mail, use the following code as the domain’s SPF record:vspf1 ~all

SPF record format

  • SPF records are in plain text line format and contain a list of tags and values. These marks are called “mechanisms”. These values ​​are usually IP addresses and domain names.
  • SPF records are added to the domain name provider in the form of DNS TXT records.
  • SPF records can contain up to 255 characters. The TXT record file size should not exceed 512 bytes.

Leave a Comment