The 20 Minute E-mail Solution!

Setting Up an SPF Record

Although you do not need an SPF record on your DNS server to evaluate incoming email against SPF policies published on other DNS servers, the best practice is to set up an SPF record on your DNS server. Setting up an SPF record lets other email servers use SPF filtering (if the feature is available on the mail server) to protect against incoming email from forged (spoofed) email addresses that may be associated with your mail server. As SPF records are implemented more widely, SPF filtering will become more effective at identifying spoofed email messages.

About SPF records

SPF records, like MX, A, and PTR records, are included at the DNS domain tree level. These records identify authorized SMTP servers for each domain.

An SPF record consists of the SPF version number followed by strings comprised of mechanisms, prefixes, and modifiers. SPF clients ignore TXT records that do not start with the version string v=spf1.

SPF records are evaluated in a two pass process. First, all mechanisms and prefixes are evaluated, then all modifiers are evaluated. Mechanisms are evaluated from left to right. Modifiers are evaluated on the second pass and can occur anywhere in the record. A generic SPF record takes the format of:

version ([prefix] mechanisms) (modifiers)
SPF Parameters Description
v=spf1 SPF version number
all, include, a, mx, ptr, ip4, and exists Mechanisms. Use one or more in a record string.
"+", "-", "~", and "?" Prefixes. Precede mechanisms. If a prefix is not included, "+" is implied.
exp Modifiers. Use 0 - 2 in a record string.

An example SPF record is:

v=spf1 +mx +ptr exp=spf-error -all

This SPF record includes three directives made up of prefixes and mechanisms:

and two modifiers:

Mechanisms identify IP addresses that are authorized to send email from a specified domain. You can use zero or more mechanisms in an SPF record string. Mechanisms usually contain ":" or "/" characters and are case-sensitive. Directives that do not contain "=", ":", or "/" are also mechanisms. Following are mechanism descriptions:
SPF Mechanisms Description
all Matches all local and remote IPs and goes to the end of the SPF record. Example:v=spf1 +all
include Specifies other domains that are authorized domains. Example:v=spf1 -all
a Specifies all IPs in the DNS A record. Example: v=spf1 -all
mx Specifies all A records for each host's MX record. Example: v=spf1 mx -all
ptr Specifies all A records for each host's PTR record. Example: v=spf1 -all
ip4 Specifies a single IP or an acceptable IP address range. /32 is assumed if no prefix-length is included. Example:v=spf1 ip4: -all
exists Specifies one or more domains normally singled out as exceptions to the SPF definitions. An A query is performed on the provided domain, if a result is found a match occurs. Example:v=spf1 -all

Prefixes designate whether IP addresses pass or fail the SPF lookup test:
SPF Prefixes Description
+ Pass. The address passed the test. Example:v=spf1 +all
- Fail. The address failed the test. Example:v=spf1 -all
~ Softfail. The address failed the test, but the result is not definitive. Example:v=spf1 ~all
? Neutral. The address did not pass or fail the test. Example:v=spf1 ?all

Modifiers provide additional SPF query information and can branch SPF processing. They always contain an "=" character and are case-sensitive. SPF includes two possible modifiers, each can be used once:
SPF Modifiers Description
redirect Sends inquiry to another domain. Example:
exp Sets up an explanation in the SPF record. If an SPF query produces a FAIL result, the explanation is queried and the explanation string provides more information to the nonconforming user. The explanation is typically placed in an SPF log. Example: exp=spf-error

For more information about SPF, see "Sender Policy Framework (SPF) Filtering". Also, more SPF resources, including an online wizard to help with DNS record setup, are available on the SPF community Web site at

Ipswitch, Inc.
©Ipswitch 2005