How to Manage SPF Records for Email Security
Leveraging SPF (Sender Policy Framework) records is essential to enhance email security. Properly configured records help prevent your emails from being delivered to the spam folder and protect your domain against email spoofing. In this article, we will tackle what SPF records are and how to manage SPF records in your DNS settings.
SPF (Sender Policy Framework) records are TXT records in your domain's DNS that tell receiving mail servers which hosts are authorized to send mail for your domain. By publishing an SPF record, a domain owner lists the IP addresses and address ranges, directly or by reference to other domains' records, that may send on the domain's behalf. A receiving server compares the IP address of the connecting server against the SPF record of the domain in the SMTP envelope sender (the MAIL FROM address, shown in delivered mail as Return-Path) and of the HELO/EHLO hostname. Note that SPF on its own does not verify the From header the recipient sees in their mail client; that protection comes from DMARC, which requires the SPF-authenticated domain to align with the From domain. SPF is therefore one part of proving that a message legitimately comes from you, and the part that stops unauthorized servers from using your domain as the bounce address.
Much like a guest list at an exclusive event, SPF records control who may trade on your email domain's reputation. When a message arrives, the recipient's server acts like a security guard at a private banquet: it looks up the SPF record for the sender's domain and checks whether the connecting server's IP address is on the list. If it is not, what happens next depends on the catch-all qualifier at the end of the record and on the receiver's own policy: the message may be rejected outright, or accepted and flagged as suspicious, like turning away an uninvited guest. Either way, only approved senders get a clean result, which significantly reduces the risk of spoofing and strengthens your email security.
The SPF record syntax is standardized (RFC 7208), which is how every receiving mail server can interpret a record the same way. Even so, a record can look cryptic the first time you see one. Below are three (3) examples of different SPF records.
v=spf1 include:spf.cloudus.oxcs.net ~all
v=spf1 ip4:216.21.224.0/24 include:_spf.google.com include:domain.ext ~all
v=spf1 include:spf.registeredsite.com include:spf.cloudus.oxcs.net -all
Let’s use the table below to break down each aspect of the contents and see what each one means.
Mechanism | Meaning |
---|---|
v=spf1 | The server knows this is an SPF record. All SPF records must start with this. |
ip4: | One IPv4 address or a range of addresses can send messages from your domain name. |
ip6: | One IPv6 address or a range of addresses can send messages from your domain name. |
a or a:example.com | The hosts whose addresses appear in the A (or AAAA) records of your domain, or of example.com if a domain is given, are authorized to send messages from your domain name. |
mx or mx:example.com | The hosts named in the MX records of your domain, or of example.com if a domain is given, are authorized to send messages from your domain name. The argument is a domain whose MX records are looked up, not the hostname of a single mail server. |
include:spf.example.com | Pulls in the SPF record published at spf.example.com, so a third party (your hosting provider, your online store, a newsletter service) can send email from your domain name. If a service that sends for you is not covered by an include, its messages may bounce or land in spam. Each include, a and mx term counts toward the limit of 10 DNS lookups a record may trigger; exceeding it is a permanent error and receivers treat the record as invalid. |
~all or -all | The catch-all at the end of the record decides the result for senders matched by no earlier term. ~all (softfail) tells the receiving server the sender is probably not authorized; most receivers still deliver the message but may mark it as suspicious and use the result in DMARC evaluation. -all (hardfail) tells the receiving server the sender is not authorized, and the message may be rejected. ~all is the safer starting point while you are still discovering which services send on your behalf; move to -all once you are confident the record is complete. |
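To make the mechanisms in the table concrete, here is an added example (not code from Network Solutions or any mail provider) of an offline SPF evaluator modelled on the check_host() function of RFC 7208. It runs the three example records' building blocks against a constructed DNS table, and also demonstrates three failure modes this article mentions: a record with a stray space after ip4:, a domain that publishes two SPF records, and an include loop that blows through the 10-lookup limit. All domain names, addresses and records in the table are hypothetical; the addresses come from the documentation ranges of RFC 5737 and RFC 3849.

```python
"""Offline SPF evaluator in the spirit of RFC 7208's check_host().

Added example for this article, not code from Network Solutions or a mail
provider. The DNS table is constructed; every name and address is hypothetical.
"""
import ipaddress
import re

# Constructed zone data standing in for real DNS lookups: (name, type) -> values.
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.test mx -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.10"],
    ("_spf.mailhost.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"],
    ("broken.example", "TXT"): [  # two SPF records: a permanent error
        "v=spf1 ip4:203.0.113.5 -all",
        "v=spf1 include:_spf.mailhost.test ~all",
    ],
    ("typo.example", "TXT"): ["v=spf1 ip4: 203.0.113.0/24 ~all"],  # stray space after ip4:
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],  # self-include
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: limit on DNS-querying mechanisms
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# qualifier, mechanism name, optional ":value", optional "/cidr"
TERM = re.compile(r"^([+\-~?])?([a-z0-9]+)(?::([^/]+))?(?:/(\d{1,3}))?$")


class SpfError(Exception):
    """Conditions RFC 7208 maps to the 'permerror' result."""


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def get_spf_record(domain):
    """Return the domain's SPF record, or None if it publishes none.

    Exactly one TXT record may start with 'v=spf1'; two or more is a permerror,
    which is why only one SPF record is allowed per domain."""
    found = [t for t in lookup(domain, "TXT") if t.lower().split(" ", 1)[0] == "v=spf1"]
    if len(found) > 1:
        raise SpfError(f"{domain} publishes {len(found)} SPF records")
    return found[0] if found else None


def in_any(ip, addrs, cidr):
    """True when ip falls inside any address in addrs, widened to /cidr if given."""
    for addr in addrs:
        a = ipaddress.ip_address(addr)
        if a.version == ip.version and ip in ipaddress.ip_network(
            f"{a}/{cidr or a.max_prefixlen}", strict=False
        ):
            return True
    return False


def check_host(ip, domain, counter=None):
    """Evaluate the SPF policy of `domain` for a connection from `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    `counter` is shared across include: recursion to enforce the lookup limit."""
    ip = ipaddress.ip_address(ip)
    counter = {"lookups": 0} if counter is None else counter
    addr_type = "A" if ip.version == 4 else "AAAA"
    try:
        record = get_spf_record(domain)
        if record is None:
            return "none"
        for term in record.split()[1:]:
            if "=" in term.split(":", 1)[0]:  # a modifier such as exp= or redirect=
                if term.lower().startswith("exp="):
                    continue
                raise SpfError(f"modifier {term!r} is not supported by this example")
            m = TERM.match(term.lower())
            if not m:
                raise SpfError(f"cannot parse {term!r} (a space after 'ip4:' splits it in two)")
            qual, mech, value, cidr = m.groups()
            result = QUALIFIER[qual or "+"]
            if mech in ("include", "a", "mx"):
                counter["lookups"] += 1
                if counter["lookups"] > MAX_LOOKUPS:
                    raise SpfError("more than 10 DNS-querying mechanisms")
            if mech == "all":
                return result
            if mech in ("ip4", "ip6"):
                net = ipaddress.ip_network(f"{value}/{cidr}" if cidr else value, strict=False)
                if ip.version == net.version and ip in net:
                    return result
            elif mech == "include":
                inner = check_host(str(ip), value, counter)
                if inner == "pass":
                    return result
                if inner in ("none", "permerror"):
                    return "permerror"
            elif mech == "a":
                if in_any(ip, lookup(value or domain, addr_type), cidr):
                    return result
            elif mech == "mx":
                hosts = lookup(value or domain, "MX")
                if in_any(ip, [a for h in hosts for a in lookup(h, addr_type)], cidr):
                    return result
            else:
                raise SpfError(f"unknown mechanism {mech!r}")
        return "neutral"  # ran off the end of the record with no 'all' term
    except SpfError:
        return "permerror"
```

Evaluating check_host("198.51.100.99", "example.com") walks ip4, include, and mx without a match and ends at -all, so the result is fail; the same address against _spf.mailhost.test ends at ~all and yields softfail. typo.example, broken.example and loop.example all come back permerror, which most receivers treat as "no usable SPF record", so these mistakes cost you the protection entirely rather than degrading it.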
Due to the rise of email threats in recent years, Google and Yahoo implemented email authentication protocols to prevent scams and improve email deliverability. Starting February 1, 2024, they require all senders to comply with new authentication requirements, including having valid SPF or DKIM records.
Best Practices for All Senders and Bulk Senders
Regardless of the volume of emails your organization sends, the following measures will help to improve email security. Here are the guidelines that all users should adhere to:
All Users
- SPF and DKIM Setup – Implement SPF and DKIM for your domain to combat email spoofing and enhance security; Google and Yahoo require at least one of the two for every sender, and both for bulk senders. See instructions in the What Actions Do I Need to Take? section.
- DNS Records Validation – Ensure that your forward and reverse DNS records are valid by checking your DNS settings and making sure that your hostname and IP address are correctly mapped. You can check your DNS settings using any DNS lookup tool, such as MxToolbox.
Note: If you find that your DNS records are incorrect or missing, you have to contact your domain registrar or hosting provider and may need to update your DNS settings. Please see the How to Manage DNS and Advanced DNS Records article.
- TLS Encryption – Utilize Transport Layer Security (TLS) connections for transmitting emails, enhancing privacy and security. TLS protects a message against interception or tampering while it travels between mail servers; it does not encrypt the message once it is stored, so it complements rather than replaces authentication. Google Workspace makes TLS activation and configuration easier. We only support TLS version 1.2 since it provides a more secure connection. For more information about TLS version 1.2, please refer to the Ending Support for TLS 1.0 and 1.1 article.
- Spam Minimization – To ensure that your emails reach your subscribers' inboxes instead of being marked as spam, keep your reported spam rate low. Build a high-quality email list and manage it carefully: segment your list, use a consistent "from" name and address, include an unsubscribe link, write clear subject lines, test your emails, and monitor spam complaints. Together these improve your email strategy and minimize your spam rate.
- Message Formatting – Follow the Internet Message Format standard (RFC 5322) whenever you're composing and formatting email messages. This standard defines the basic structure of an email message, including the required headers (such as From, Date and Message-ID), the message body, and, together with MIME, attachments.
- ARC Headers for Forwarded Emails – Forwarding changes the sending IP address (and mailing lists often change the body), so a forwarded message can fail SPF and DKIM at its final destination even though it passed when you received it. If you frequently forward emails, enable Authenticated Received Chain (ARC) sealing on the forwarding mail server so that the authentication results seen before forwarding are carried along. Some email providers already add ARC headers on their platforms. To determine whether a message carries an ARC chain, view the message details (raw headers) and look for the following three headers, added as a set by each forwarding hop and numbered with an i= instance:
- ARC-Seal: A cryptographic signature over all ARC headers added so far, so that the chain itself cannot be altered without detection.
- ARC-Message-Signature: A DKIM-style signature over the message headers and body as the forwarding hop saw them, so the final receiver can tell whether the content changed after that hop.
- ARC-Authentication-Results: A copy of the SPF, DKIM and DMARC results the forwarding hop observed when it received the message. It is not feedback to the sender; it lets the final receiver see what authentication looked like before forwarding changed the sending IP address or the body, and decide whether to trust that earlier result.
Bulk Senders
If your organization sends more than 5,000 messages per day, you must adhere to the guidelines outlined for All Users and the additional requirements below.
- Set up Email Authentication Protocols – To have your mail accepted by Gmail and Yahoo mailboxes, and to prove that it is genuinely yours, adopt all three protocols: SPF, DKIM, and DMARC.
- SPF (Sender Policy Framework) - This protocol verifies that the email comes from an authorized server. When an email is received, the receiving server looks up the SPF (TXT) record of the envelope sender's domain and checks whether the connecting server's IP address is listed there.
- DKIM (DomainKeys Identified Mail) - This protocol adds a digital signature to the email message, computed with a private key held by the sending system. The receiving server fetches the matching public key from a DNS TXT record under the signing domain and verifies the signature, which shows the message was authorized by that domain and not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) - This protocol builds on SPF and DKIM. A message passes DMARC only if at least one of the two passes with a domain that aligns with the From header domain; the domain owner's DMARC record tells receivers what to do with messages that fail (nothing, quarantine, or reject) and where to send aggregate reports.
When adding a DMARC record, introduce the policy gradually. Start with p=none, progress to p=quarantine, and eventually move to p=reject. Monitor the DMARC aggregate reports at each stage so that you can confirm all of your legitimate sending services pass with aligned SPF or DKIM, and see which sources are spoofing your domain, before tightening the policy.
- None: Receivers take no action on failing messages; the reports let you monitor what would be affected.
- Quarantine: Receivers should treat failing messages as suspicious, typically delivering them to the spam or junk folder.
- Reject: Receivers should refuse failing messages at delivery time.
To create a DMARC record, publish a TXT record at the host name _dmarc under your domain (for example _dmarc.yourdomain.com) in the standard format: v=DMARC1; p=none; rua=mailto:[user email]. Replace the "user email" field with the email address at which you want to receive aggregate DMARC reports. The simplest choice is an address under the domain you are managing; if you want reports sent to an address in a different domain, that domain must publish a DMARC authorization record for yours (a TXT record at yourdomain.com._report._dmarc.otherdomain.com containing v=DMARC1), or most receivers will not send reports there.
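The DMARC description under Bulk Senders and the record format just above can be tied together with a small evaluator, added here as an example (not code from Network Solutions or any mail provider). It parses constructed DMARC records, applies relaxed or strict identifier alignment between the From header domain and the domains that SPF and DKIM authenticated, and returns the disposition the published policy calls for. The SPF and DKIM results are taken as inputs, since a receiver computes them separately. All domains and records are hypothetical, and the organizational-domain helper is a deliberate simplification noted in the code.

```python
"""DMARC (RFC 7489) verdict for one message, including identifier alignment.

Added example for this article, not code from Network Solutions or a mail
provider. Records, domains and authentication results are constructed.
"""

# Constructed DMARC records, keyed by the _dmarc.<domain> TXT name they live at.
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; v=DMARC1 and a valid p= are mandatory."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"not a valid DMARC record: {txt!r}")
    return tags


def organizational_domain(domain):
    """Organizational domain used for relaxed alignment and subdomain fallback.

    Simplification (assumption): the last two labels. A real receiver consults
    the Public Suffix List so that names like example.co.uk are handled right."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r', the default)
    needs the same organizational domain, so bounce.example.com aligns with
    example.com but a third party's own bounce domain does not."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', the policy to apply ('none', 'quarantine', 'reject'),
    or 'no-record' when neither the From domain nor its organizational
    domain publishes DMARC.

    from_domain: domain of the RFC 5322 From header the recipient sees
    spf_domain:  domain that SPF authenticated (MAIL FROM / Return-Path)
    dkim_domain: d= of a DKIM signature that verified, or None
    """
    record = DMARC_TXT.get(f"_dmarc.{from_domain.lower()}")
    policy_tag = "p"
    if record is None:  # subdomain without its own record: the org domain's sp= (or p=) applies
        record = DMARC_TXT.get(f"_dmarc.{organizational_domain(from_domain)}")
        policy_tag = "sp"
    if record is None:
        return "no-record"
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get(policy_tag, tags["p"])
```

The second test case below is the one that catches people out: a third-party service that passes SPF for its own bounce domain (mailhost.test) does nothing for DMARC on mail whose From header says example.com, because the SPF-authenticated domain is not aligned. That is why bulk senders need DKIM signed with their own domain (or a provider that uses a custom return path under it), not just an include: in the SPF record.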
- Ensure Users can Unsubscribe – Every marketing email must include an unsubscribe link that is prominently displayed and easy to locate. The opt-out process should be as simple as possible: a single click, with no login or further confirmation, and the request honoured within two days. For bulk senders, Google and Yahoo expect this as one-click unsubscribe implemented with the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058) in addition to the link in the body. Some email providers have the unsubscribe feature built in, so you don't need to create the link or headers yourself. However, if you're using a custom email solution, you'll need to create an unsubscribe page, link it in your email, and add the headers.
Note: Only send emails to people who have expressed a desire to receive messages from you to minimize the probability of your emails being categorized as spam. Frequent reports of messages from your domain as spam can negatively impact your domain's reputation over time.
What Actions Do I Need to Take?
No matter what email platform you are using to send emails, you must follow the Best Practices for All Senders and Bulk Senders discussed above to successfully deliver emails to Google and Yahoo. However, you still need to determine the email platform you are currently using to learn your DNS Settings.
Please select an email platform:
Business and Hosting Email
- Review and comply with the guidelines outlined in the Best Practices for All Senders and Bulk Senders section.
- Double-check whether you have already set up an SPF record. If yes, confirm that it still lists every service that currently sends mail for your domain; if it does, no action is needed on your account. If there is no record, you will need to log in to your Account Manager and add one.
- Determine what email platform you are using to get the correct SPF record.
- If you have Cloud Email or Cloud Mail, please refer to the Cloud Mail DNS Settings article.
Note: Cloud Email or Cloud Mail users do not need to set up DKIM in their accounts since this email authentication protocol is already included in the platform. Skip to step 5.
- If your webmail looks different, please click the Webmail version 7.1.2 DNS Settings button in the What Are My Email DNS Settings? article and proceed to steps 4-5.
When setting up the SPF record, please refer to the Text (TXT) Records or Sender Policy Framework (SPF) Records section of the How to Manage DNS and Advanced DNS Records article.
- Set up DKIM for your domain if you are using Webmail v.7.10.2. Instructions can be found in the Domain Keys Identified Email (DKIM) section of the How Do I Manage DNS and Advanced DNS Records? article.
- Add a DMARC record by utilizing the TXT DNS record. Please see the Bulk Senders section under Best Practices for All Senders and Bulk Senders for the format of the DMARC record you will be adding. For instructions on how to add the DMARC record, please refer to the Text (TXT) Records or Sender Policy Framework (SPF) Records section of the linked articles in step 4.
Google Workspace
- Review and comply with the guidelines outlined in the Best Practices for All Senders and Bulk Senders section.
- Double-check if you have set up an SPF record before. If yes, no actions need to be taken on your account. If not, proceed to step 3.
- Enter v=spf1 include:_spf.google.com -all using the instructions outlined in the Text (TXT) Records or Sender Policy Framework (SPF) Records section of the How to Manage DNS and Advanced DNS Records article.
- Set up DKIM for your domain. Instructions can be found in the Domain Keys Identified Email (DKIM) section of the How Do I Manage DNS and Advanced DNS Records? article.
- Add a DMARC record by utilizing the TXT DNS record. Please see the Bulk Senders section under Best Practices for All Senders and Bulk Senders for the format of the DMARC record you will be adding. For instructions on how to add the DMARC record, please refer to the Text (TXT) Records or Sender Policy Framework (SPF) Records section of the linked articles in step 3.
Note: If you're having trouble with your DNS, visit Troubleshooting DNS Issues.
- Please remember that only one SPF record is allowed per domain. Having multiple SPF records can disrupt your email functionality.
- SPF record changes take time to propagate. Receivers cache the old record for as long as its TTL allows, so a change is visible everywhere only after the old TTL has expired; allow up to 24-48 hours before concluding that a change did not take effect.
- If you have a hosting package with a Contact Form, please update your existing SPF record to:
v=spf1 include:spf.registeredsite.com include:spf.cloudus.oxcs.net ~all
Below are the quick step-by-step instructions on how to manage SPF records in your Account Manager.
- Log in to your Network Solutions® account via https://www.networksolutions.com/my-account/login.
- Select Domains on the left side of the page.
- Select the domain name you want to change.
- On the domain page, go down to the Advanced Tools section.
- Click Manage next to Advanced DNS Records.
- A new page will open.
- To Add Records: Click +Add Record. A new window will open.
- To Edit Records: Scroll down to the TXT Record and click the pencil icon. A new window will open.
- Select Refers to from the drop-down menu. You can choose @, www, or Other Host. For the SPF record of your domain itself, choose @ (the bare domain); choose another host only for a subdomain that sends its own mail, since SPF is looked up on the exact domain used in the envelope sender.
- If you select Other Host, you will be asked to enter the Host Name.
- Enter the TXT Value into the field. You will need the entire TXT Value you were given, from v=spf1 through the closing ~all or -all, with no extra spaces inside the mechanisms.
- Enter the TTL value. The TTL default is 7200 (2 hours).
- Click the Add button. If you are editing records, click the Edit button.
SPF records are essential for email security. They specify which servers can send email from your domain, which helps prevent spoofing and can improve your email deliverability. To properly manage SPF records, you need to add the correct TXT value based on your email platform. By following this guide, you can take a proactive step to protect your brand reputation and ensure the trust of your recipients.