What Is SPF for Email? Your Sender Reputation Might Depend on It
Published in Glossary • May 29, 2025
If you’re sending emails without SPF today, prepare to land in the spam folder.
Not setting up SPF is like handing over the keys to your domain.
Cybercriminals can easily forge the sender address to make it appear as if it came from your domain.
Email providers are all too aware of this security gap and penalize you with a trip to spam if you haven't set up SPF.
But what exactly is SPF, and how does it help keep email secure? We’ll explain all below.
What is SPF?
SPF means Sender Policy Framework.
Through an SPF record, you decide what email servers can send from your domain.
That way, receiving servers can check this SPF record to see if the sending servers of incoming emails match the authorized servers in your SPF record. If the email comes from an unauthorized sending server, the email will fail SPF authentication.
When that happens, the email may get sent to the spam folder or rejected outright.
What’s an SPF Record?
An SPF record is a DNS TXT record you should add to your domain’s DNS records.
Configuring it properly makes your emails more secure and more likely to be seen by your audience.
What does an SPF record look like? Here’s a basic one:
v=spf1 include:_spf.google.com ~all
Confused by this line of code? Don’t be.
An SPF record is simple to understand once you know how it works.
Each component of an SPF record is called a mechanism. Let’s explain the most important mechanisms in an SPF record:
💡 The v tag defines the SPF version. Since there’s only one version in use currently, this is always: v=spf1.
💡 The include tag points to the authorized sending server. If you need to authorize multiple sending servers, simply add multiple include tags to the same record. If the sending server is identified by an IP address instead of a domain, you use the ip4 or ip6 tag. SPF has a DNS lookup limit of ten, so you can’t add too many servers.
💡 Finally, the all tag determines the policy for emails that fail authentication. The most used policy settings are -all and ~all. -all is the strictest setting. It means “hard fail” and tells email servers to reject any emails that fail SPF authentication. ~all takes a softer approach (soft fail) and suggests that email servers accept the email but mark it as suspicious.
💡 Your SPF record's all tag isn't the only factor determining what happens with unauthorized emails. Server configuration and your domain's DMARC record also have a decisive say in it. (DMARC is another email authentication protocol that lets you decide what to do with emails that fail SPF and DKIM authentication.)

What Email Servers Should I Authorize in My SPF Record?
To be clear, the sending servers you authorize in your SPF record should be those of your email provider.
For example, if you use Google Workspace to send emails, you must authorize their servers. In other cases, you need to authorize the sending servers of your email-sending tool.
If you use your hosting company’s email servers, you must allow their servers to send email from your domain.
How Does SPF Work?
SPF works by verifying that an email claiming to come from a specific domain is legitimate. It checks whether the email was sent from a sending server authorized by that domain’s owner.
Here’s a step-by-step overview of the process:
1. Someone sends an email that ostensibly comes from somedomain.com.
2. The receiving server checks if the sending server is authorized to send email from somedomain.com. It does so by checking somedomain.com’s SPF record.
3. If the email fails authentication, the receiving server applies the result based on the record’s all tag settings. Remember, what really happens to unauthorized emails also depends on server configuration and your DMARC record’s settings.
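The check in the steps above, together with the include, ip4/ip6 and all tags and the ten-lookup limit explained earlier, as an added example that is not part of the original article: a simplified evaluator run against constructed records instead of live DNS. The record contents, the domain _spf.mailer.example and the function and class names are assumptions; only the tags covered on this page are implemented.

```python
import ipaddress

# Constructed TXT records standing in for live DNS (documentation-range addresses).
DNS_TXT = {
    "somedomain.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10  # SPF's DNS lookup limit


class SPFPermError(Exception):
    """The record cannot be evaluated (bad syntax or too many lookups)."""


def check_host(ip, domain, dns=DNS_TXT, budget=None):
    """Evaluate ip against domain's SPF record; returns the SPF result string."""
    budget = {"lookups": 0} if budget is None else budget
    terms = (dns.get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published
    addr = ipaddress.ip_address(ip)
    try:
        for term in terms[1:]:
            qualifier = term[0] if term[0] in QUALIFIERS else "+"
            name, _, value = term.lstrip("+-~?").partition(":")
            name = name.lower()
            if name in ("ip4", "ip6"):
                net = ipaddress.ip_network(value, strict=False)
                matched = addr.version == net.version and addr in net
            elif name == "include":
                budget["lookups"] += 1  # every include costs one DNS lookup
                if budget["lookups"] > LOOKUP_LIMIT:
                    raise SPFPermError("more than ten DNS lookups")
                inner = check_host(ip, value, dns, budget)
                if inner in ("none", "permerror"):
                    raise SPFPermError("include target is unusable")
                matched = inner == "pass"  # an include matches only on pass
            elif name == "all":
                matched = True
            else:  # a, mx, redirect= and the rest are outside this example
                raise SPFPermError("unsupported term: " + term)
            if matched:
                return QUALIFIERS[qualifier]
    except (SPFPermError, ValueError):
        return "permerror"
    return "neutral"  # nothing matched and the record has no all term
```

A sender that matches nothing in the included record falls through to the outer record's ~all, so the included -all never decides the final result on its own.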

Why Do I Need SPF?
To land in your prospect’s inbox!
SPF makes your emails more secure, and ESPs reward you for that with superior inbox placement.
More prospects reading your emails = more conversions.
But that’s not all.
You also secure your domain and make it less likely that criminals will abuse it to launch phishing attacks and other forms of email fraud, which can damage your sender reputation beyond repair.
That said:
Only setting up SPF is not enough to reap all these wonderful benefits.
There are two other essential email authentication protocols that you must set up for your domain: the aforementioned DMARC, and DKIM. The latter makes it harder for criminals to tamper with your emails after they are sent.
A Brief History of SPF
The idea of verifying email senders first surfaced in 2000. No one paid much attention to it.
People forgot about the concept until 2002 when a developer named Dana Valerie Reese proposed a similar idea.
This is where discussion and subsequent development took off.
It took a while, but in 2014, amidst a sea of spam plaguing inboxes worldwide, SPF was finally published as an official proposed standard.
Take Action on SPF Now
Setting up an SPF record for your domain is essential if you want to have any chance of reaching the inbox.
And while SPF alone is not enough (you also need DKIM and DMARC), it’s a fine step toward better email deliverability and superior security.
So, let’s check your domain’s SPF record right away.
Go to MxToolbox’s SuperTool, select SPF Record Lookup, enter your domain, and click the orange button.

The results will tell you if you have an SPF record set up and if it’s configured correctly.
If you don’t have an SPF record set up, we invite you to read the following: