Understanding SPF Record Breakdown And How SPF Differs From Other Email Authentication Protocols

Organizations need to protect their reputation from the harm caused by spoofing. SPF, DMARC, and DKIM are tools that can prevent spammers from misusing an enterprise’s domains in email spoofing attacks. However, people tend to use these tools without understanding how they work. This post helps users become familiar with the technology by walking through an SPF record breakdown.


Understanding The SPF Record

Sender Policy Framework (SPF) works as a DNS text entry. When an email is sent, the receiving server verifies the sender’s IP against the addresses the domain’s owner has recorded in this SPF record. If the IP matches, the email is delivered. If not, the specified action is taken against the email according to the configured rules.

3 Crucial Points To Remember While Setting SPF Record Format

Keep these points in mind while setting the SPF record format:

  • While creating a subdomain, SPF publishers must add a record to each hostname or subdomain containing an A or MX record.
  • Websites with MX records or wildcard A also need to contain a wildcard SPF record.
  • An SPF record cannot have more than 255 characters.

Breaking Down an SPF Record Syntax For Better Understanding

Below is an SPF record example for a better understanding of how the system works:

“v=spf1 ip4: include:example.com -all”

  1. v=spf1: This section states that the first version of the Sender Policy Framework is being implemented. No other version is currently in use.
  2. ip4: This is the IP address of the domain or server authorized to send emails from the respective domain. Multiple IPs can be used.
  3. include:example.com: This is the secondary domain that has been accredited with the right to dispatch emails on the primary email domain’s behalf. In case multiple domains are to be authorized, they must be listed as separate ‘includes’. However, there is a cap on the number of domains that can be included, fixed at 10.
  4. all: The three variants of the ‘all’ tag are:
    1. -all: Indicates a hard fail, and the receiving server must reject the email according to its configured spam policy.
    2. ~all: Indicates a soft fail; the receiving server does not reject the email instantly.
    3. ?all: It is neutral and not recommended, and is used for testing purposes only.

While forming the records, users can use an SPF record generator to create records with proper SPF record syntax.
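
The breakdown above as a small evaluator, added here as an illustration and not code from the original post: it parses the terms, checks the 255-character and 10-include limits listed earlier, and evaluates ip4, include and all against a sender IP. The domains, addresses and the ZONE dictionary standing in for DNS are constructed sample data.

```python
import ipaddress

# Constructed sample TXT data standing in for DNS (reserved test names and IP ranges).
ZONE = {
    "corp.test": "v=spf1 ip4:192.0.2.0/24 include:mailer.test -all",
    "mailer.test": "v=spf1 ip4:198.51.100.7 ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"  # no prefix means "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed

def lint(record):
    """Flag the limits the article lists, plus a missing final 'all'."""
    terms = parse_spf(record)
    problems = []
    if len(record) > 255:
        problems.append("longer than 255 characters")
    if sum(name == "include" for _, name, _ in terms) > 10:
        problems.append("more than 10 includes")
    if not terms or terms[-1][1] != "all":
        problems.append("no final all")
    return problems

def check_host(domain, sender_ip, zone=ZONE):
    """Evaluate ip4, include and all left to right; the first match decides."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(zone[domain]):
        if name == "ip4":
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only when the included record returns pass
            matched = check_host(value, sender_ip, zone) == "pass"
        else:
            matched = name == "all"
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched
```

Note that the `~all` in the included record never softens the outer policy: an address that matches nothing falls through to the outer `-all` and is a hard fail.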

How Does SPF Differ From DMARC And DKIM?


DMARC is an email authentication protocol that strengthens DKIM and SPF. It enables domain owners to set an address to which reports are sent regarding the statistics of mail messages collected against the concerned domain.


DKIM authenticates an email’s content as genuine. It attaches digital signatures to a message’s headers that are validated against public cryptographic keys in the organization’s DNS.

Email authentication protocols are a simple yet effective way to prevent phishing and spoofing. They can be used with a wide range of services. For example, an SPF record for Office 365 can be set up to authenticate an organization’s emails sent using Outlook. SPF records in GoDaddy can be easily linked up with Office 365, making the entire process simpler. Finally, an online SPF record check is recommended, along with knowledge of the SPF record breakdown, so that the right changes can be made to the record to prevent email authentication errors.
