---
title: "The DOs And DON’Ts Of Using SPF Records | DuoCircle"
description: "Join the thousands of organizations that use DuoCircle Find out how affordable it is for your organization today and be pleasantly surprised.Interested in"
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/content/sender-policy-framework/spf-record/"
---

Content 

#  The DOs And DON’Ts Of Using SPF Records 

 Join the thousands of organizations that use DuoCircle Find out how affordable it is for your organization today and be pleasantly surprised.Interested in 

[ Talk to an Expert → ](/contact/) [ See what we make ](/products/) 

## The DOs And DON’Ts Of Using SPF Records

[Fix Your SPF Errors Now](/email/spf-record-check)

[Sender Policy Framework](/content/sender-policy-framework) is one of the widely used email authenticating techniques. It is like declaring, “Yes, I am the owner of this domain. I allow my customer.io to send emails in my name.” As the recipient’s mailbox provider sees this signature in the sender’s emails, it authenticates the incoming messages because these are not **phishing emails**.

As more domains start implementing SPF records, it derives more value from the framework for **anti-spam filters** and mailbox providers. Creating and managing SPF records can indeed be cumbersome, and if you have a poorly configured SPF record with an incorrect [SPF record syntax](/content/sender-policy-framework/spf-record-syntax), it can give rise to deliverability issues; therefore, it is crucial to _understand how to create an SPF record_ in detail.

![spf record check](https://media.mailhop.org/duocircle/images/2020/11/spf-record-lookup.png) 

### DOs and DON’Ts When Creating SPF Records

Here are some problems caused by an incorrect SPF record and how one can overcome them

#### Overly Permissive SPF Records – Being over-generous can backfire

One of the best features of Sender Policy Framework records is the ability to include a [range of IP](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing/create-and-iterate-an-spf-record) addresses in the CIDR notation instead of specifying them individually. One typo error can dramatically change the situation. Here is an [SPF record example](/content/sender-policy-framework/spf-record-example).

`Correct Format with 0 at the end IP Range`  
`142.0.176.0/20 4,096`

As you can see, this range includes 4,096 IP addresses that the business can use for email delivery. Like the exclusion of the ‘0’ at the end, a typo error dramatically changes the picture.

`Incorrect – Typo error without the 0 at the end IP Range`  
`142.0.176.0/2 1,073,741,824`

Missing one ‘0’ at the end allows nearly 25% of the internet traffic to use your email network. It gives a long rope to scammers to send spam messages using your email network.  
An SPF record can be overly permissive if you end your SPF record with “+all.” _It is a more dangerous situation as you permit the entire internet to send emails on your behalf_.

#### Duplicate SPF TXT records – Be careful when creating SPF records

A domain may have only a single SPF record. Thus, you can have only one DNS TXT beginning with “v=spf1”. Having multiple records results in a permanent error.  
The question arises as to how are **multiple SPF records** common. Organizations can deploy various services, whereby each provider could instruct them to create an SPF record. Organizations having numerous SPF records can merge them into a single statement. This example would be able to clarify it better:

`“v=spf1 include:email-office365.com ~ all”`  
`“v=spf1 include:_spf.google.com ~ all”`

Here is [how to create an SPF record](/content/sender-policy-framework/how-to-create-spf-record) single statement.

`“v=spf1 include:email-office365.com include:_spf.google.com ~ all”`

#### SPF Character Limits – Better to know your limits

_RFC stipulates that SPF records have a 255-character limit for a single string_. Records not complying with this stipulation can cause temporary or permanent errors.

Though you can have a maximum of 255 characters in a string, you can have more than one string in a DNS record. When a receiving email server analyzes such an SPF record with multiple strings, it concatenates them together without adding spaces.

While multiple strings are allowed, there is still a limit to the number of characters in your record. It is to ensure that you do not cause DNS packets to exceed 512 bytes. An ideal limiting figure should be around 460\. _You can create sub-records to split your single record across multiple records_.

#### The number of DNS lookups allowed in SPF – Know what is allowed and what is not.

_RFC specifications do not allow you to cause more than ten DNS lookups in your record_. It is to [prevent DoS attacks](https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/). Having more than ten lookups could return a permanent error. Here are some examples that can cause a DNS query.

1. Include
2. A
3. MX
4. PTR
5. Exists
6. Redirect

The following mechanisms do not count against the DNS query.

1. All
2. ip4
3. ip6

#### Duplicate IP Addresses and Subnets

As _all SPF entries resolve to an IP address or a subnet_, it could be easy to generate a duplicate entry when building up an exhaustive list of all systems that send emails. It can happen when your SPF record has an include statement. It could be the same IP or IPs within subsets you already have.

If your IP address remains the same throughout, you can use the ip4 or ip6 notations to avoid DNS lookups.

#### Other points to note

Here are some don’ts. It can result in rejection for the sender policy framework.

1. One should never use the “exists” mechanism to cause a significant **security risk** if misused.
2. Similarly, one should ensure that all mechanisms that use a domain-based implementation resolve correctly. Generally, system administrators do not remove legacy systems, like an on-premise exchange server replaced by **Office365 cloud services**. So, when the [Sender Policy Framework Office 365](/content/sender-policy-framework/sender-policy-framework-office-365) was updated to add Office365, you might not have edited to remove the on-premise system.
3. One should not use the SPF DNS record type as it has been deprecated in favor of TXT records.
4. Similarly, one should also not use the “ptr” mechanism because RFC has deprecated it in the recent draft of SPF.

We have seen that the Sender Policy Framework is essential for an organization because it protects their customers, brand, and network from spoofing and phishing attacks. Malicious actors can take advantage of your mistakes to send **phishing emails**, thereby denting your brand reputation. Therefore, knowing the DOs and DON’Ts of SPF records is critical, as an incorrect record does not serve its purpose.

MORE – [Rejecting for sender policy framework](/content/sender-policy-framework/rejecting-for-sender-policy-framework)

##### Join the thousands of organizations that use DuoCircle

---

Find out how affordable it is for your organization today and be pleasantly surprised.

[Auto SPF - Sign Up FREE](/email/spf-record-check)Interested in our Partner Program for MSPs and VARs? Visit Our [MSP Partner Program](/msp-partner-program).

## Ready to talk?

Same-day response from someone technical. We tell you yes or no quickly. If yes, we get to work.

[Talk to an Expert→](/contact/)[See what we make](/products/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}
```

```json
[{"@context":"https://schema.org","@type":"WebPage","name":"The DOs And DON’Ts Of Using SPF Records","description":"Join the thousands of organizations that use DuoCircle Find out how affordable it is for your organization today and be pleasantly surprised.Interested in ","url":"https://www.duocircle.com/content/sender-policy-framework/spf-record/","speakable":{"@type":"SpeakableSpecification","cssSelector":[".page-answer",".duo-rich-text p:first-of-type"]},"dateModified":"2023-08-08T11:12:50.000Z","datePublished":"2020-11-20T02:45:20.000Z"},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"DuoCircle","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"The DOs And DON’Ts Of Using SPF Records","item":"https://www.duocircle.com/content/sender-policy-framework/spf-record/"}]}]
```