- Receiving servers check your SPF record to verify that messages that appear to be sent from your domain were sent from servers authorized by you.
- The SPF record also tells receiving servers what to do with messages after they're checked.
SPF record format
An SPF record is a line of plain text that includes a list of tags and values. The tags are called mechanisms. The values are typically IP addresses and domain names.
An SPF record is added to your domain provider in the form of a DNS TXT record. Learn more about TXT records.
SPF records can have up to 255 characters. The TXT record file size should be no larger than 512 bytes.
An IP address is used to identify devices and connect to the internet. IP addresses let devices like computers, mobile devices, and servers communicate with each other. Servers that send and receive email are identified by their unique IP address. The SPF record for your domain might need the IP addresses for servers that send email for your domain.
- IP version 4 (IPv4) addresses look like this: 203.0.113.42
- IP version 6 (IPv6) addresses look like this: 2001:db8:14:5:1:2:bf35:2610
IP addresses are typically assigned to networks in blocks. An IP address with a slash (/) indicates a block of IP addresses:
- IPv4: 192.0.2.0/24
- IPv6: 2001:db8:1234::/48
When you use an IP block address in your SPF record, the SPF record is applied to all IP addresses in the block.
SPF record mechanisms
Use the mechanisms in this table to create your SPF record. Receiving mail servers check messages against mechanisms in the order they are listed in the SPF record.
Keep in mind:
- You can use optional SPF record qualifiers (later on this page) with mechanisms.
- Your TXT record for SPF shouldn’t include more than 10 references to other domains or servers. These references are called lookups. Learn more in Check the DNS lookups in your SPF record.
Mechanism | Description |
---|---|
v | (Required) This is the SPF version. This tag must be the first tag in the record. This mechanism must be: v=spf1. |
ip4 | Authorizes mail servers by IPv4 address or address range. This value must be an IPv4 address or range in standard format, for example: ip4:192.168.0.1 or ip4:192.0.2.0/24. |
ip6 | Authorizes mail servers by IPv6 address or address range. This value must be an IPv6 address or range in standard format, for example: ip6:3FFE:0000:0000:0001:0200:F8FF:FE75:50DF or ip6:2001:db8:1234::/48. |
a | Authorizes mail servers by domain name, for example: a:example.com |
mx | Authorizes one or more mail servers by domain MX record, for example: mx:mail.example.com. If this mechanism isn't in your SPF record, the default value is the MX records of the domain where the SPF record is used. |
all | Specifies that all messages match. We recommend you always include this mechanism in your SPF record. This must be the last mechanism in the SPF record. Any mechanism that comes after the all mechanism in an SPF record is ignored. |
Should I use ~all or -all?
- When an SPF record includes ~all (soft fail qualifier), receiving servers typically accept messages from senders that aren't in your SPF record, but mark them as suspicious.
- When an SPF record includes -all (fail qualifier), receiving servers may reject messages from senders that aren't in your SPF record. If your SPF record isn’t set up correctly, the fail qualifier might cause more messages from your domain to be sent to spam.
Tip: To prevent spoofing of domains that don’t send email, use this as the SPF record for the domain: v=spf1 ~all.
SPF record qualifiers
A qualifier is an optional prefix you can add to any mechanism in your SPF record. Qualifiers tell the receiving mail server whether to consider a message authenticated when there's a match with a mechanism value, for example:
v=spf1 include:_spf.google.com ~all
Mechanisms are checked in the order they occur in the SPF record. If a mechanism doesn’t have a qualifier and there’s a match, the default action is to pass authentication. When no mechanism matches, the default action is neutral: the message doesn't pass or fail authentication.
Use these optional qualifiers to tell receiving mail servers how to handle messages that match mechanisms in the SPF record.
Qualifier | Action receiving server takes with a match |
---|---|
+ | Passes authentication. The server with matching IP address is authorized to send for your domain. Messages are authenticated. This is the default action when the mechanism doesn’t use a qualifier. |
- | Fails authentication. The server with matching IP address is not authorized to send for the domain. The SPF record doesn’t include the sending server IP address or domain so messages won’t pass authentication. |
~ | Soft fails authentication. It's unlikely that the server with matching IP address is authorized to send for the domain. The receiving server will typically accept the message but mark it as suspicious. |
? | Neutral. Neither passes nor fails authentication. The SPF record doesn’t explicitly state that the IP address is authorized to send for the domain. SPF records with neutral results often use ?all. |
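The first-match rule and the qualifier results described above can be seen in a small evaluator. This is an added example, not code from the original page; the function name evaluate and the sample records are assumptions made for illustration, and only the ip4, ip6 and all mechanisms are handled so that it runs without DNS.

```python
import ipaddress

# Qualifier prefix -> SPF result, following the qualifier table above.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate(record, sender_ip):
    """Return the SPF result for sender_ip using ip4, ip6 and all only.

    Mechanisms that need DNS (a, mx, include) are skipped so the example
    runs offline; a real receiving server resolves them.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:
            continue  # modifier (redirect=, exp=), not a mechanism
        qualifier = term[0] if term[0] in RESULTS else "+"  # default is pass
        mech = term[1:] if term[0] in RESULTS else term
        name, _, value = mech.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]  # all matches every sender
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip in net:  # False when IP versions differ
                return RESULTS[qualifier]
    return "neutral"  # no mechanism matched

# Constructed sample record using documentation address ranges.
if __name__ == "__main__":
    rec = "v=spf1 -ip4:192.0.2.10 ip4:192.0.2.0/24 ip6:2001:db8:1234::/48 ~all"
    for addr in ("192.0.2.10", "192.0.2.11", "2001:db8:1234::1", "203.0.113.42"):
        print(addr, "->", evaluate(rec, addr))
```

Because the first matching mechanism decides the result, the narrower -ip4 term has to come before the wider ip4 block for the exclusion to take effect.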
SPF record modifiers (advanced)
SPF modifiers are name or value pairs separated by = that appear at the end of an SPF record text string. Modifiers specify additional information, exceptions to rules, and variation from defaults. For example, this SPF record uses the include mechanism to check Google's SPF records and the redirect modifier to refer to the SPF record for another domain.
v=spf1 include:_spf.google.com redirect=example.com
Modifier | Description |
---|---|
redirect | Redirects to the SPF record of another domain for authentication. Use the redirect modifier when you want more than one domain to use the same SPF record. Use the redirect modifier only when you manage all the impacted domains. For domains that you don't manage, use the include mechanism. If your SPF record uses the all mechanism, the redirect modifier is ignored. |
exp | Provides a custom reason why a message failed SPF. Available only when the SPF record contains a fail or soft fail qualifier. This modifier activates a DNS lookup to a TXT record that includes the explanation of the fail. Use SPF macros to customize this explanation. |
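The structural rules on this page (v=spf1 first, nothing after all, redirect ignored when all is present, the 255-character length and the limit of 10 lookups) can be checked before a record is published. The linter below is an added example, not code from the original page; the name lint_spf and the sample records are assumptions, and it inspects a single record string without querying DNS.

```python
# Mechanisms that make the receiving server query DNS. The redirect
# modifier also costs one lookup; ip4, ip6 and all cost none.
LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}

def lint_spf(record):
    """Return warnings for one SPF record string, without querying DNS.

    Only terms in this record are counted; records pulled in through
    include or redirect add their own lookups to the total of 10.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    warnings = []
    if len(record) > 255:
        warnings.append("record is longer than 255 characters")
    lookups, seen_all, has_redirect = 0, False, False
    for term in terms[1:]:
        name = term.lstrip("+-~?").lower()
        for sep in ":/=":
            name = name.split(sep)[0]
        if "=" in term:  # modifier such as redirect= or exp=
            has_redirect = has_redirect or name == "redirect"
            continue
        if seen_all:
            warnings.append(f"{term} comes after all and is ignored")
        elif name == "all":
            seen_all = True
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    if has_redirect and seen_all:
        warnings.append("redirect is ignored because the record uses all")
    elif has_redirect:
        lookups += 1
    elif not seen_all:
        warnings.append("no all mechanism: unmatched senders get neutral")
    if lookups > 10:
        warnings.append(f"{lookups} DNS lookups in this record, limit is 10")
    return warnings

# Constructed sample records (example.com names are placeholders).
if __name__ == "__main__":
    for rec in ("v=spf1 include:_spf.google.com ~all",
                "v=spf1 include:_spf.google.com ~all redirect=example.com",
                "v=spf1 -all ip4:192.0.2.0/24"):
        print(rec, "->", lint_spf(rec))
```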