How to set up SPF
To implement SPF you need to add a new TXT entry in your domain’s DNS which lists the sources you send emails from. Let’s start by breaking down an example SPF record:
v=spf1 a mx include:spf.mtasv.net include:_spf.createsend.com ip4:192.168.0.1/16 ~all
v=spf1 |
This states which version of SPF is being used. |
a |
This states that if the domain includes an address record (A or AAAA) for the sender’s address, it will match. So, if the IP address of your A record is used to send email, it will pass. |
mx |
The short version is that as long as the email originates from an IP address of the domain’s incoming mail servers, then it’s a match. The recipient server will check the MX record with the highest priority first. |
include: |
The include statements essentially say to include the values for the SPF records at the specified domain. These records generally specify a set of IP addresses for the service. In this case spf.mtasv.net contains the SPF entry for Postmark and _spf.creatsend.com represents Campaign Monitor’s SPF entry. |
ip4 / ip6 |
This allows you to specify an IP range that is authorized to send emails from your domain. |
~all |
This specifies that everything else should be a “Soft” fail. That means that the message should be accepted but tagged as a soft fail, and the receiving ISP can use that as an additional factor in scoring the message’s likeliness of being spam. You could replace the ~ with a - and that would indicate that the message should be rejected. However, this is more aggressive and is known to create more issues than it solves (we don’t recommend it). |
For a full explanation of how SPF works, check out Postmark’s SPF guide.
To set up SPF for your domain you first need to make a list of the services that are authorized to send emails from your domain. Check with those services to get their SPF records (e.g. spf.matsv.net
for Postmark) and include the IPs of any outbound mail servers you manage yourself.
Once you’ve put that list together, add a new TXT record to your domain’s DNS using the include
and ip4
/ ip6
mechanisms to include the SPF records and IPs from your list. For example, for a domain that sends emails from Postmark and Google, the SPF record would be:
v=spf1 a mx include:spf.mtasv.net include:_spf.google.com ~all
Once your SPF record is live in your DNS, incoming mail servers can use it to check that emails they receive from your domain originated from legitimate sources.
For your emails to be SPF aligned for DMARC, you’ll need to make sure that the domain in the Return-Path
header matches the domain in the From
address. Learn more about Return-Path