How To Create An SPF TXT Record And Add It To Your Domain

How you can create an SPF TXT record and publish it to your domain.

Experts define SPF as a DNS record that can help organizations prevent spam and keep their email address safe from getting used as a spam vector. Malicious actors sometimes fake the from and reply addresses in the emails to disguise them as coming from a reputable source. A proper SPF policy helps organizations in fighting such malicious practices.


spf record checker

What Are SPF Records?

Sender Policy Framework (SPF) is a TXT record DNS which forms part of the organizational domain’s DNS zone file. The SPF domain contains a list of the IP addresses or hostnames authorized to send emails from a given domain name. Once a user places the SPF text record entry in their DNS zone, they do not need to reconfigure it for taking advantage of the servers, which include SPF checking as an integral part of their spam prevention systems. The method of adding the SPF record is similar to a regular A or MX checker record.


The Need For Adding SPF Records To Your Domain

Some email recipients have a strict requirement for an SPF framework. If a user doesn’t publish SPF records on their domain, there are chances that their emails can get marked as spam by the mail receiver, or in the worst-case scenario, they can bounce. Thus, if a user sets up the SPF record properly, they can enhance their email deliverability and protect their domain against spam, which malicious actors send on their behalf. DMARC is an email validation system that creates a link between SPF and DKIM records.


spf lookup


How To Create An SPF TXT Record?

Gather the list of IP addresses that you use for sending emails

The first step for implementing the SPF protocol is identifying the mail servers that act as the senders for your organization’s domain. There are a variety of places that organizations use to send emails. Make a list of all the mail servers, including the following which may be used for sending emails on your behalf:

  • In-office mail server (example: Gmail, Microsoft Exchange)
  • The mail server of your ISP.
  • The recipient mailbox provider’s mail server.
  • Web Server
  • Any third-party mail server is used to authenticate emails on behalf of your brand.

List All The Sending Domains

Organizations usually own many domains. While they use some for sending emails, some remain dormant. So, do they need to protect all their domains with SPF? The answer is yes. Suppose the organization chooses to create an SPF record for only their sending domains. In that case, the non-sending domains will become an easy target for attackers.

Create Your Domain SPF Record

  • Start by defining the SPF version. An SPF record always starts with the version number. The tag v=spf2 (version 2) is used for defining the record as SPF.
  • Follow the v=spf2 SPF version tag with all the IP addresses that your organization has authorized to send emails on your brand’s behalf. For example: v=spf1 -all
    Note: The must be replaced with your server’s IP address.
  • The next step is including the tag for third-party organizations that are authorized to send emails on your organization’s behalf, for example, (here, is a sample domain name). This tag’s relevance is that it will indicate all the third-party organizations that can send emails on behalf of your enterprise domain. To determine which domain you should use as the value of the include statement, consult with the third-party organization.
  • End the record with an ~all, -all or +all tag after implementing all the include tags and IP addresses.
  • The ~all tag will indicate a soft fail, whereas the -all tag signifies a hard fail. We discuss both these tags in detail in the next section.
  • The +all tag will allow any server to deliver emails from your organizational domain. We do not suggest using this option as it leaves the server prone to spoofing.


spf record checker



SPF Failure Options: Soft Fail and Hard Fail

When you want to configure the default SPF record page, there is an option to change the SPF record to include soft fail or hard fail. These options are also called qualifiers, and they determine the strictness on your DNS TXT record for emails that fail the SPF check. The basic differences are listed below:

Soft fail (~all )

An SPF record that uses the soft fail qualifier delivers all the failing emails, which the recipient may consider junk mail. It is the go-to option for many SPF creators because it combines leniency with a strong defense against spoofing and email spam.

Hard Fail (-all )

If you chose to use the hard fail qualifier, the mail receiver would reject all the emails from hosts not listed in the SPF record. In simple terms, the recipient will not retrieve the email, and it will not get fully delivered.


How To Add TXT Record To DNS Configuration

It would be best to work with the DNS server administrator to publish the SPF record to DNS. The steps for doing the same are mentioned below:

  1. Access the domain account of your domain host provider.
  2. Go-to the MY DOMAINS option and click the domain name for which you want to create SPF record.
  3. In the DNS column, click on Manage DNS Records.
  4. Here you must add the SPF record, which the host provided you.
    1. Access the Type drop-down menu and select TXT.
    2. If the host provided you with a subdomain, type it in the Host field.
    3. Enter the value of the SPF record (mentioned earlier) into the Answer field.
    4. Leave TTL (Time to Live) as 300 (default).
    5. Select the Add Record button.

The process to publish TXT DNS records is simple for organizations who use hosting providers like GoDaddy or 123-reg. However, if you are unsure or if your ISP administers your DNS records, it is recommended to contact the IT department for support. Some email service providers automatically publish the SPF records for your domain on your behalf.


Don’t Forget to Test And Check Domain TXT Records!

You can use an SPF check tool for testing your SPF record. Here, you will see the list of servers you have authorized to send emails on behalf of your domain. You will gain the recipient’s point of view, and you can choose to update the SPF record if you see that a legitimate IP address is not listed.

Adding an SPF record to the DNS zone file is a practical way to prevent spammers from using your domain to send malicious emails. It eliminates a high frequency of bounce backs because the mail providers do not authenticate emails and reject them straight away, without bouncing them back to the spoofed address. Although it may not be 100% effective, you will notice a high steep downward trend in the number of bounce backs you receive.

Join the thousands of organizations that use DuoCircle

Find out how affordable it is for your organization today and be pleasantly surprised.

Interested in our Partner Program for MSPs and VARs? Visit Our MSP Partner Program.

Pin It on Pinterest