How To Create And Add An SPF Record?

Publishing an SPF record is one of the most vital steps in protecting your domain against email spoofing. Emails can be spoofed on many levels, and you need something in place to stop that. The Sender Policy Framework (SPF) record is a DNS TXT record with vital information that lets receiving mail servers know which servers are allowed to send emails from that specific domain.

What is an SPF Record?

An SPF record, or SPF TXT record, is a record that is part of your domain’s DNS, similar to a DMARC record. It contains a list of all the IP addresses that are permitted to send email on behalf of your domain.

When a sender tries to hand off an email to a receiving email server for delivery, that server checks whether the sender is on your domain’s list of allowed senders. If it is, a link has been established between the piece of email and the email domain.

With an SPF record in place, you protect your email domain against spoofing and phishing attacks by letting the world know which servers are authorized to send an authenticated email on your behalf.

Create an SPF record for your domain

Step 1 – Preparation

  • Collect all mail servers and IP addresses that will be specified as authorized in the SPF record

Step 2 – DNS control panel

  • Access the DNS control panel of your ISP and find the section for TXT records.

Step 3 – SPF record

  • Start with the version tag: v=spf1. Next versions will be v=spf2, v=spf3, etc. 

  • Insert all the IP addresses you’ve collected to specify as authorized:

ip4:35.167.41.421 ip6:2a13:c025:e4:7a01:bc72:dcb5:7a13

  • Add the include tag for each third-party email service to designate it as a trustworthy sender:

include:example.net or include:example.com

  • Leverage other mechanisms, qualifiers, or modifiers to set up the SPF record.

  • The ‘all’ tag is usually used to finalize the record.

  • -all – all unspecified servers are not authorized (emails will be rejected).

  • ~all – all unspecified servers are not authorized, but emails will be marked and accepted.

  • +all – any server is authorized (a quite undesirable option).

This is what the most common SPF record looks like:

"v=spf1 a mx -all"

Here, all hosts named in this domain's A and MX records are authorized to send emails. Emails from any other server will be rejected.

How to Optimize SPF Records?

SPF Record Limits

The SPF standard requires that every SPF record comply with the 10-lookup limit. Any SPF record that causes more than 10 DNS queries is not valid, and any attempt to authenticate SPF for an email from that specific domain will lead to an error.

The “include”, “a”, “mx”, “ptr”, and “exists” mechanisms, and the redirect modifier do count against this SPF record limit. The “all”, “ip4”, and “ip6” mechanisms do not require DNS lookups and therefore, do not count against the SPF 10-lookup limit.

Bypassing SPF Record Limits

Re-think using the “mx” mechanism. It makes an SPF record look simpler, but it always triggers a DNS lookup that counts against the SPF 10-lookup limit.

Instead of “mx”, consider using the “ip4” and “ip6” mechanisms to list the IP addresses that your host and the servers in your MX record send emails from. Though your SPF record will look longer, it will be smaller from the perspective of DNS queries, as a single “mx” mechanism costs more than 20 “ip4” mechanisms.

Split Your SPF Record

An SPF record can contain one or more strings of text, and each string can contain no more than 255 characters. An SPF checker takes all of the strings in a TXT record and joins them together before it starts looking at the content. So you can have more than 255 characters in the SPF record by splitting it into more than one string.
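The lookup counting from "SPF Record Limits" and the string splitting described above, as an added example that is not part of the original article. The zone contents, domain names and function names are constructed for illustration, and include and redirect targets are resolved from an in-memory table instead of live DNS.

```python
import re
# Constructed sample zone (domain -> SPF TXT value); not real DNS data.
ZONE = {
    "example.org": "v=spf1 a mx include:_spf.mail.example include:_spf.crm.example include:_spf.news.example -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example -all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_b.mail.example": "v=spf1 ip6:2001:db8:1::/48 -all",
    "_spf.crm.example": "v=spf1 a:out.crm.example mx:crm.example -all",
    "_spf.news.example": "v=spf1 exists:%{i}.spf.news.example ptr -all",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
LIMIT = 10

def parse_terms(record):
    """Yield (name, value) for every term after the v=spf1 version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    for term in terms[1:]:
        m = re.fullmatch(r"[+\-~?]?([A-Za-z0-9]+)(?:[:=/](.*))?", term)
        if not m:
            raise ValueError("malformed term: %r" % term)
        yield m.group(1).lower(), m.group(2) or ""

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms, following include and redirect."""
    if domain in path:
        raise ValueError("include loop at %s" % domain)
    total = 0
    for name, value in parse_terms(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(value, zone, path + (domain,))
    return total

def split_txt(record, size=255):
    """Split at term boundaries into strings of at most `size` characters."""
    # A checker joins the strings with nothing in between, so each chunk keeps its trailing space.
    chunks = [""]
    for term in re.findall(r"\S+\s*", record):
        if chunks[-1] and len(chunks[-1]) + len(term) > size:
            chunks.append("")
        chunks[-1] += term
    return chunks

if __name__ == "__main__":
    n = count_lookups("example.org", ZONE)
    print("example.org:", n, "lookups:", "over the limit" if n > LIMIT else "within the limit")
```

On the constructed zone the count is 11, one over the limit; replacing `a mx` in the top-level record with two `ip4` entries brings it down to 9.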

Conclusion

Setting up an SPF record is simple, and an SPF record is easy to use. This guide will help you set up an SPF record in no time, and when you do, you'll be ready to start sending out emails and putting your system to good use.
