SPF
Sender Policy Framework
/ess-pee-eff/
SPF (Sender Policy Framework) is an email authentication method that specifies which mail servers are authorized to send email on behalf of your domain.
How SPF Works
SPF is published as a DNS TXT record that lists the IP addresses and domains authorized to send email for your domain:
- DNS Publish: You add an SPF record to your domain's DNS
- Email Sent: An email is sent claiming to be from your domain
- Server Check: The receiving server looks up your SPF record
- IP Validation: It checks if the sending server's IP is authorized
- Result: Pass, fail, or soft fail based on the policy
SPF Syntax
v=spf1 include:_spf.transactional.dev include:_spf.google.com -all
- v=spf1 - SPF version (always spf1)
- include: - Include another domain's SPF record
- -all - Fail emails from unauthorized servers
- ~all - Soft fail (mark as suspicious but don't reject)
- ?all - Neutral (no policy)
Setting Up SPF with Transactional
Add our SPF include to your existing SPF record:
v=spf1 include:_spf.transactional.dev [your other includes] -all
If you don't have an SPF record yet:
v=spf1 include:_spf.transactional.dev -all
Common Mistakes
Too Many DNS Lookups
SPF has a limit of 10 DNS lookups. Each include: counts as one lookup. If you exceed this, SPF will fail.
Multiple SPF Records
You can only have ONE SPF record per domain. Combine all includes into a single record.
Forgetting to Update
When you add new email services, remember to update your SPF record to include them.
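The first two mistakes above can be checked mechanically before a record is published. The following is an added example, not Transactional's code: an offline Python linter run over a constructed zone (the contents of every record in ZONE, including those shown for _spf.transactional.dev and _spf.google.com, are invented). It shows that nested includes, and the a, mx, ptr, exists and redirect terms, also count toward the 10-lookup limit defined in RFC 7208.

```python
# Added example: offline SPF lint over a constructed zone; no real DNS is queried.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")  # terms that cost a DNS lookup
LOOKUP_LIMIT = 10

# Constructed sample data (domain -> TXT strings). Record contents are invented,
# including those shown for _spf.transactional.dev and _spf.google.com.
ZONE = {
    "good.example": ["v=spf1 include:_spf.transactional.dev include:_spf.google.com -all"],
    "dup.example": ["v=spf1 include:_spf.transactional.dev -all",
                    "v=spf1 include:_spf.google.com -all"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:s{i}.heavy.example" for i in range(6)) + " -all"],
    "_spf.transactional.dev": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.example ~all"],
    "_netblocks.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
}
for i in range(6):  # every include in heavy.example hides a second, nested include
    ZONE[f"s{i}.heavy.example"] = [f"v=spf1 include:n{i}.heavy.example -all"]
    ZONE[f"n{i}.heavy.example"] = ["v=spf1 ip4:203.0.113.0/24 -all"]

def spf_records(domain, zone):
    """Return the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(domain, zone, path=()):
    """Count lookup-costing terms, following include: and redirect= recursively."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:
        return 0  # include loop or unusable record (a real evaluator errors out here)
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower()          # drop the qualifier
        name = term.split(":")[0].split("/")[0]     # mechanism name without argument
        if name in LOOKUP_MECHS:
            total += 1
            if name == "include" and ":" in term:
                total += count_lookups(term.split(":", 1)[1], zone, path + (domain,))
        elif term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Return findings for the 'multiple records' and 'too many lookups' mistakes."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"{len(records)} SPF records published; exactly one is required"]
    n = count_lookups(domain, zone)
    return [f"{n} DNS lookups; limit is {LOOKUP_LIMIT}"] if n > LOOKUP_LIMIT else []
```

Here heavy.example lists only six include: terms yet costs 12 lookups, which is why counting the top-level record alone is not enough.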
See It in Action
SPF DNS Record Example
A typical SPF TXT record including Transactional's mail servers
example.com. IN TXT "v=spf1 include:_spf.transactional.dev ~all"
Related Terms
DKIM
DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email was sent by the domain it claims to be from.
DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on SPF and DKIM to protect domains from email spoofing.