Have you ever had an email message bounce back with a cryptic response like “5.7.1 Command Rejected”, or had someone email you only to get a similar message? What’s causing that? Why is it rejected? The answer, more often than not, is that there’s an issue with the sending domain’s SPF Record.
So, what is an SPF record, why do I need it, and what does it do for you?
SPF records are a way for a domain owner/manager to indicate what servers are allowed to send mail on that domain’s behalf. This helps to prevent spammers or other malicious actors from sending mail that appears to be from your domain.
While SPF records don’t guarantee prevention of forged addresses, they do a lot to help prevent it. Spammers commonly use sender forgery to try and trick their recipients into reading their SPAM emails.
Need help getting your SPF record right? Either scroll down to our SPF Record Generator below, or contact us. With just a bit of information we can help you determine the right SPF record for your domain.
So how does this work? An SPF Record is a DNS record for your domain (a TXT type record) that looks like this:
v=spf1 include:_spf.websavers.ca +a +mx +ip4:188.8.131.52 -all
Let’s break this down. Each part of the record means something different and is separated by white spaces:
- v=spf1 –> This indicates that it’s an SPF record, version 1 (default/standard)
- include:_spf.websavers.ca –> Include statements mean to include SPF records available at the provided address. This particular one means to include all outgoing mail servers that Websavers has deemed acceptable. They’re published at _spf.websavers.ca (you can’t go there in a web browser to see them though, they’re only visible to DNS requests)
- +a +mx –> Allow servers residing at both the A and MX record addresses to send emails. You can do a lookup of your domain to learn what the A and MX records are set to, or simply look in Plesk or at your DNS host if the DNS is not hosted with us.
- +ip4:184.108.40.206 –> The server with IP address 220.127.116.11 is allowed to send emails from your domain
- -all –> Do not allow any other servers to send messages.
You might see others using ~all (with a tilde rather than dash), which is a weak equivalent of our default “-all”. Using a ~ is kind of like saying “if it doesn’t match these, its up to you whether or not it’s legitimate”. We strongly recommend using “-all” as shown above. This indicates a much firmer statement of “only these servers are valid”.
If you’d like to learn more about SPF, like additional options for what you can include, check out the OpenSPF website.
Any servers that do not appear in your SPF record using one of the methods described above are not allowed to send email using any of that domain’s email addresses, and any messages sent through those servers are likely to be flagged as spam or blocked entirely at the destination.
Using external mail? Even if you switch to using an external email provider, but keep your website hosted with us, it’s still important to keep both +a and include:_spf.websavers.ca in your SPF record. This is because your website often sends out email directly from the server its hosted on (ex: registration or order notification emails) rather than sending it through your email provider, and you want to still allow those emails to be sent successfully.
Where to change your SPF record
If your DNS is hosted with us, here’s how to edit your DNS records. In that guide, you’ll be looking to edit an existing record of type TXT — look for one that starts with v=spf1, if you find it, then edit it, if you don’t, then add a new one!
If your DNS is hosted elsewhere, you will need to login to their panel to edit or add your SPF record.
Please do not create multiple SPF records. If you see an existing one in your DNS settings, be sure to edit that one rather than add a second one.
SPF Record Generator
We’ve created a tool to help you generate the proper SPF record for your domain. Please fill out the form below and it will generate an SPF record for you to use.
Common SPF Config Reference
The following values are not the entire SPF record, just the portion you’ll want to add to your SPF record to allow the matching company’s SMTP servers to send email on behalf of your domain.
When adding, make sure there are spaces between these additions and the other parts of the SPF record. Also make sure your record begins with v=spf1 and ends with either ~all (loose) or -all (more strict). See the example record near the top of this page for a visual representation of where to insert these records.
- Websavers: include:_spf.websavers.ca
- Google: include:_spf.google.com (details)
- Bellnexxia: +ptr:bellnexxia.net
- Eastlink: include:_spf.eastlink.ca
- Microsoft Office 365: include:spf.protection.outlook.com (details)
- GoDaddy: include:spf.secureserver.net
- Yahoo: Not possible. Uses DMARC instead and forces their SMTP to be used only by Yahoo accounts.
- Shopify: include:shops.shopify.com (details)
Because SPF records are DNS records, the changes you make to your DNS settings will take a few hours (up to 48 hours) to apply worldwide. Please be patient.