Home | Email Deliverability | A Closer Look at SPF Records

A Closer Look at SPF Records

The best practices section of the ClickDimensions help site includes an overview article on SPF records. This article covers the general what and why of SPF records, but if you have ever wanted to know more about this topic, read on.

What is SPF?

In a nutshell, Sender Policy Framework (RFC 7208, SPF) is an authenticating process that identifies which mail servers can send emails on behalf of your domain. This prevents email spoofing (spammers sending messages with forged sender addresses) by providing a way for receiving mail exchangers to check that incoming mail from one domain comes from a host authorized by another domain. As a ClickDimensions user, this means that when your SPF record includes an entry for ClickDimensions, we can send emails on your behalf.

For example, emails from our fictitious organization, Tomato Gardens (tomatogardens.org), would be addressed as coming from joe@tomatogardens.org. On the back end of the email sending process, mail servers see that ClickDimensions is authorized to send emails on Joe's behalf because of the SPF record. Without a properly configured SPF record, his emails may be flagged as spam to both internal and external recipients.

Breaking down an SPF record

An example of an SPF record might read like this:

v=spf1 include:spf.protection.outlook.com include:customers.clickdimensions.com ~all

How do I include ClickDimensions in my SPF record?

To include ClickDimensions mail servers in your SPF, you add the following statement to your SPF record at your domain's DNS host:

include:customers.clickdimensions.com

Determining if an SPF record has been set up

There are a number of online tools that allow you to check if your domain has an SPF record set up. These tools usually check if the SPF record is configured correctly as well. Some of our favorite tools to use when troubleshooting these types of issues include:

http://www.kitterman.com/spf/validate.html

http://mxtoolbox.com/spf.aspx

http://emailstuff.org/spf

My personal favorite is emailstuff.org, as its SPF checker goes into great detail to provide all the lookup entries in an SPF record. SPF records can only have up to 10 lookups – anything more will cause a permanent failure with an error message that might say "PermError SPF Permanent Error: Too many DNS lookups."

Below is an example of what an SPF record check might look like. In this example, I used emailstuff.org's SPF validation tool to check Google's SPF record.

Every line of red text in the SPF check is a separate DNS lookup.

1. Google's SPF record.

2. The entry has an include statement for _spf.google.com, which in turn has additional lookups (_netblocks.google.com, _netblocks2.google.com, and _netblocks3.google.com).

3, 4 and 5. Each "include:" record can be broken down into a separate lookup. In this case, each additional lookup is checking the IP address of the sending server.

6. Google's SPF record uses "~all" to validate; this means that mail will still be allowed to pass without an exact match.

The "include," "a," "mx," "ptr," and "exists" mechanisms, as well as the "redirect" modifier in an SPF record all constitute a lookup. Other mechanisms such as "all," "ip4," and "ip6" do not count as lookups.

In addition, some senders use "include:" records that in turn use additional "include:" records – all of these lookups compound and might eventually cause the permanent error of having too many DNS lookups. This is why ClickDimensions uses a specific SPF entry (include:customers.clickdimensions.com) instead of our domain (include:clickdimensions.com).

There are different types of authorization that you can publish for your SPF record, as outlined in the chart below. In addition to adding ClickDimensions to your SPF record, we also recommending authenticating with "~all".

Statement

Result

Meaning

?all

neutral

The address doesn't pass or fail. In many cases, mail servers will allow mail.

+all

pass

The address passed the test; allow all mail.

~all

soft fail

The address failed the test, but the result is not definitive; accept and tag any non-compliant mail.

-all

(hard) fail

The address failed the test; reject any email that doesn't comply.

Do I have to publish an SPF record?

No. We don't require you to publish an SPF record in order to send emails and there are no mechanisms in place that would prevent you from sending ClickDimensions emails without it. However, this is a best practice method that we highly recommend because it will help improve email deliveries both to internal contacts and to your audience.

Happy Marketing!

Written by Louella Lugo, Marketing Success Manager Team Lead

About the Author:

mm
Louella Lugo is a Lead Marketing Success Manager at ClickDimensions.

Leave A Comment