Email authentication is a major part of maintaining a good sender reputation and keeping your email deliverability high. If your email authentication is improperly configured, ISP spam filters will often flag your emails as spam simply because they cannot verify the legitimacy of your emails, even if you have a good sender reputation.
Email authentication is a collection of protocols that ISPs use to evaluate the legitimacy of emails and reduce spam.
Authentication protocols also prevent email spoofing. Spoofing is the act of sending an email intended to deceive the recipient into thinking that the email came from a sender or domain that it didn’t actually come from. Spoofing is almost always malicious.
Lastly, email authentication verifies that the content of an email hasn’t been altered in transit, to protect recipients from man-in-the-middle attacks.
There’s a record type for each authentication protocol in the email authentication process: Sender Policy Framework (SPF), DomainKeys (DKIM), and DMARC records. We’ll focus on SPF records in this article. Here’s how SPF records fit into the email deliverability process.
What Is an SPF Record?
An SPF record (once known as a Sender ID) is essentially a list of computers which are authorized to send emails from the associated domain. ISPs use SPF checks to detect false sending email addresses.
SPF records enable an internet domain owner to specify which computers are authorized to send emails claiming to be from that domain. The recipient’s mail server can use the SPF record check to identify the fake email address and reject incoming mail from spammers using spoofed domains.
Here’s how it works:
Emails have two “from” email addresses: the “envelope from” address and the “header from” address. The “header from” address is what mail clients show to the person reading the email. The “envelope from” address is usually never seen by the user.
Both can be forged. But, it’s more common to forge the “header from” address, since the recipient can see it.
The SPF record for a domain is published in a Domain Name System (DNS) record. When you send an email, mail servers look up the domain listed in the “envelope from” address, and retrieve the associated SPF record. If your sender IP address isn’t listed in the SPF record on your “envelope from” domain, your email fails the SPF check.
If your domain SPF records aren’t configured—or are incorrectly configured—ISPs may mistake your email address for a forged email address, because there’s no SPF record to verify your sending IP address.
Mail servers often err on the side of caution and reject mail from any domain that fails SPF authentication, even if the domain isn’t a verified malicious sender, and the other authentication protocols are in place.
In short, properly configured SPF records improve your email deliverability by providing recipient mail servers with clear guidelines about who is permitted to send email from your domain name.
How to Create an SPF Record
SPF records are stored in your site’s DNS as a TXT record. So, you can create an SPF record yourself with a standard text editor. But, first, you should find out whether or not you need to create a record.
A quick NSLOOKUP will reveal whether or not your domain has published TXT records. Using an online NSLOOKUP tool is the easiest way to perform a DNS lookup. Here are a couple NSLOOKUP options:
Input your domain name as it appears in the URL bar of your browser, and search for TXT records to find the SPF record for your domain. If your domain has a published SPF record, you’ll get a result like this:
v=spf1 ip4:22.214.171.124/19 -all
This string of characters establishes the SPF version you’re using, the IP addresses allowed to send email on behalf of your domain, and how to handle email received from unauthenticated senders.
If the DNS lookup result doesn’t look like this, you’ll need to create an SPF record and publish it as a new DNS record.
Fortunately, it’s fairly easy to create an SPF TXT record. You can do it in your text editor. A majority of the work is preparation.
1. Identify all the IP addresses you use to send email.
To dodge any SPF authentication failures, you need to know all the IP addresses that send email on behalf of your domain, so you can include them in your SPF record.
Gather the IP addresses for all the email servers attached to your domain:
- In-office mail servers.
- Web server.
- ISP mail server.
- End user mailbox provider’s mail service.
- Third-party mail servers that send email on behalf of your sending domain.
2. Gather a list of all your sending domains.
If you send emails from multiple domains, you need an individual SPF record for each domain you send from. Otherwise, your email deliverability will vary based on which domain you send from.
Also, you should create SPF records for your domains that do not send email. A domain without a published SPF record is susceptible to being spoofed. Spoofers often spoof non-sending domains because it’s easy to spoof a domain if there’s no authoritative list of qualified senders
3. Write your SPF record.
Copy and paste this into your SPF record .txt file:
v=spf1 ip4:[IP ADDRESS] -all
Replace [IP ADDRESS] with the IP address of your sending domain. If you need to add additional IP addresses, use a space after the last digit of the previous IP address, and add “ip4:[IP ADDRESS]” for each additional IP address.
If you need to add a third party domain, add “include:[THIRD PARTY DOMAIN]”.
End your SPF record with “-all”. This indicates to ISPs that any email which comes from your domain without a proper SPF record will receive a hard fail, and be rejected. It’s the most secure way to close your SPF record.
Once you’re finished, your SPF record should look something like this:
v=spf1 ip4:126.96.36.199 ip4:188.8.131.52 include:thirdparty.example.com -all
For a non-sending domain, you won’t include any IP addresses. It will look like this:
That’s it. Save your SPF record. The last step is handled by your DNS server administrator.
4. Publish your SPF record.
Contact your DNS management team to have your SPF record published to your domain’s DNS as a new TXT record. For most hosting providers like GoDaddy or BlueHost, this process is fairly simple. If you aren’t sure who your DNS server administrator is, work with your development team to properly publish your SPF record.
Getting Help From Your Email Service Provider
Your email service provider can also help with creating SPF records and guide you through publishing SPF records. Rejoiner audits the health of client email authentication setups and assists with deploying email authentication protocols and implementing email authentication best practices.
If your domain is missing it’s SPF record, adding SPF authentication will improve your domain security and maximize your email deliverability. Try adding one yourself, or ask your email service provider about improving your email authentication setup.