An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of a specific domain. SPF records combat email spoofing and phishing attacks by allowing domain owners to declare which servers are legitimate email sources for their domain.
If you use your hosting platform to send email, whether from the website, from email accounts hosted on the platform, or both, you must ensure you have a correct SPF record set up in your DNS zone. If it is not set up correctly, emails generated from the platform will not be delivered, and you may get a bounce-back error message saying the message was undelivered.
What an SPF TXT record looks like:
v=spf1 ip4:103.13.xxx.xxx +a +mx ~all
Let’s break the above down further:
- ip4:103.13.xxx.xxx is the IP address that the site is hosted on.
- +a – Every ‘A record’ that is set in the DNS zone file. You may have multiple A records pointing to different IP addresses. These IP addresses would also be authorised to send the message out.
- +mx – Every mail exchanger listed in the zone file is also authorised to send email on behalf of the domain.
- ~all – This tells the receiving server how to handle the message. Depending on the domain, the SPF record may end with one of the following:
  - -all – Hard failure. This means the receiving server must comply with these rules. Therefore, the server must reject the email if the message comes from a server not listed in the record.
  - ~all – Soft failure. When a receiving email server encounters a soft fail in an SPF record, it doesn’t immediately reject the email if the sender’s IP address doesn’t match any of the authorized sources listed in the SPF record. Instead, the receiving server may apply additional checks or deliver the email to the recipient’s spam folder or quarantine.
  - ?all – Neutral. SPF is considered advisory, and the email server doesn’t make a strong decision based solely on SPF. Other authentication mechanisms may play a more decisive role in email delivery.
In the example above, the messages can be sent from the IP 103.13.xxx.xxx, the MX (Mail Exchange) server/s, and all listed ‘A’ records in the domain zone file. The receiving server will perform additional checks due to the ~all at the end of the TXT record and decide how to treat the message.
If a client is using Office 365 as their mail provider, the SPF record may be set to:
v=spf1 include:spf.protection.outlook.com +a +mx +ip4:103.13.xxx.xxx ~all
In the above example, all Office 365 servers can send the email, as can the IP 103.13.xxx.xxx, the MX (Mail Exchange) server/s, and all listed ‘A’ records in the domain zone file. The receiving server will perform additional checks due to the ~all at the end of the TXT record.
Alternatively, if a client is using Office 365 as their mail provider, the SPF record may be set to:
v=spf1 include:spf.protection.outlook.com -all
In the above example, all Office 365 servers can send the email but no other server is allowed to send an email even if the domain name has a website. The ‘-all’ is strict or a hard fail.
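The three records above, split into their terms by a short Python parser. This is an added example, not part of the original article or any hosting platform's tooling; the function name parse_spf and the warning texts are assumptions of the example. It goes slightly beyond the text by flagging three cases defined in RFC 7208: a record with no all term, a +all term, and terms placed after all.

```python
# Qualifier prefixes and the SPF result each one produces ("-" is the hard fail).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Return (terms, all_policy, warnings) for one SPF TXT record string."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return [], None, ["record does not start with v=spf1"]
    terms, all_policy, warnings, has_redirect = [], None, [], False
    for raw in parts[1:]:
        head = raw.split(":")[0]
        if "=" in head:  # modifier (e.g. redirect=), not a mechanism
            has_redirect = has_redirect or head.lower().startswith("redirect=")
            continue
        # A mechanism written without a qualifier defaults to "+" (pass).
        qual, body = (raw[0], raw[1:]) if raw[0] in QUALIFIERS else ("+", raw)
        name, _, value = body.partition(":")
        if "/" in name:  # e.g. a/24: keep the prefix length with the value
            name, _, cidr = name.partition("/")
            value = "/" + cidr
        name = name.lower()
        if all_policy is not None:
            warnings.append(f"'{raw}' comes after 'all' and is never evaluated")
        terms.append((qual, name, value))
        if name == "all" and all_policy is None:
            all_policy = QUALIFIERS[qual]
    if all_policy is None and not has_redirect:
        warnings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_policy == "pass":
        warnings.append("'+all' authorises every server on the internet")
    return terms, all_policy, warnings

# Records copied from the article (the xxx octets are its own placeholders).
SAMPLES = [
    "v=spf1 ip4:103.13.xxx.xxx +a +mx ~all",
    "v=spf1 include:spf.protection.outlook.com +a +mx +ip4:103.13.xxx.xxx ~all",
    "v=spf1 include:spf.protection.outlook.com -all",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        terms, policy, warnings = parse_spf(rec)
        print(rec)
        for qual, name, value in terms:
            print(f"  {qual}{name:<8} {value}")
        print(f"  unlisted senders -> {policy}", *warnings, sep="\n  ! ")
```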
To find the IP address that your website is hosted on, log in to cPanel and look on the right-hand side of the screen. To check whether your domain has an SPF record, go to https://mxtoolbox.com/ and type SPF:<your domain name>, e.g. spf:perthwebhosting.net.au