What is SPF / Sender Policy Framework?

SPF records are used to prevent spammers from making it look like their spam comes from your email address. While SPF records don’t guarantee prevention of forged addresses, they do a lot to help prevent it. Spammers commonly use sender forgery to try to trick recipients into reading their spam emails.

SPF works by publishing a list of addresses/names of servers that you permit to send email on behalf of your domain. This is published in your domain’s DNS as a record of type TXT. Here’s an example:

v=spf1 include:_spf.websavers.ca +a +mx +ip4: -all

Let’s break this down. Each part of the record means something different and is separated by white spaces:

  1. v=spf1 –> This indicates that it’s an SPF record, version 1 (default/standard)
  2. include:_spf.websavers.ca –> An include statement pulls in the SPF record published at the given name. This particular one includes all outgoing mail servers that Websavers has deemed acceptable. They’re published at _spf.websavers.ca (you can’t go there in a web browser to see them though; they’re only visible to DNS requests)
  3. +a +mx –> Allow servers residing at both the A and MX record addresses to send emails. You can do a lookup of your domain to learn what the A and MX records are set to, or simply look in Plesk or at your DNS host if the DNS is not hosted with us.
  4. +ip4: –> The server with IP address is allowed to send emails from your domain
  5. -all –> Do not allow any other servers to send messages.

You might see others using ~all (with a tilde rather than dash), which is a weak equivalent of our default “-all”. Using a ~ is kind of like saying “It’s nice to have strong passwords, but who really cares?” which is obviously terrible policy. We strongly recommend using “-all” as shown above.

If you’d like to learn more about SPF, like additional options for what you can include, check out the OpenSPF website.

Any servers you do not publish in your SPF record using one of the methods described above are not allowed to send email using any of that domain’s email addresses.

Note that even if you switch to using an external email provider, but keep your website hosted with us, it’s still important to keep both +a and include:_spf.websavers.ca in your SPF record. This is because your website often sends out email directly from the server it’s hosted on (e.g. registration or order notification emails) rather than sending it through your email provider, and you still want those emails to be sent successfully.

Where to change your SPF record

If your DNS is hosted with us, here’s how to edit your DNS records. In that guide, you’ll be looking to edit an existing record of type TXT. Look for one that starts with v=spf1: if you find it, edit it; if you don’t, add a new one.

If your DNS is hosted elsewhere, you will need to log in to their panel to edit or add your SPF record.

Please do not create multiple SPF records. If you see an existing one in your DNS settings, be sure to edit that one rather than add a second one.

Common SPF Config Reference

The following values are not the entire SPF record, just the portion you’ll want to add to your SPF record to allow the matching company’s SMTP servers to send email on behalf of your domain.

When adding, make sure there are spaces between these additions and the other parts of the SPF record. Also make sure your record begins with v=spf1 and ends with either ~all (loose) or -all (more strict). See the example record near the top of this page for a visual representation of where to insert these records.

  • Websavers: include:_spf.websavers.ca
  • Google: include:_spf.google.com
  • Bellnexxia: +ptr:bellnexxia.net
  • Eastlink: include:_spf.eastlink.ca
  • Microsoft Office 365: include:spf.protection.outlook.com
  • GoDaddy: include:spf.secureserver.net
  • Yahoo: Not possible. Uses DMARC instead and forces their SMTP to be used only by Yahoo accounts.
  • Shopify: include:shops.shopify.com

Because SPF records are DNS records, the changes you make to your DNS settings will take a few hours (up to 48 hours) to apply worldwide. Please be patient.
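
Since a mistake takes hours to correct once published, it helps to check the record against the rules above first: one SPF record only, v=spf1 at the start, spaces between terms, and -all or ~all at the end. The following is an added example, not part of the original article or any Websavers tooling; lint_spf and the sample records are constructed for illustration, and 192.0.2.10 is a documentation-only address.

```python
import ipaddress

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
NEEDS_VALUE = {"include", "ip4", "ip6", "exists"}

def lint_spf(txt_records):
    """Return the problems found in a domain's TXT records (empty list: none)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no TXT record begins with v=spf1"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records found; merge them into one"]
    problems, mechs = [], []
    for term in spf[0].split()[1:]:
        if "=" in term.split(":")[0]:        # modifier (e.g. redirect=), not a mechanism
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"   # no sign means "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()    # drop a CIDR suffix such as a/24
        mechs.append(name)
        if name not in MECHANISMS:
            problems.append(f"'{term}': unknown mechanism (missing space?)")
        elif name in NEEDS_VALUE and not value:
            problems.append(f"'{term}': {name} needs a value after the colon")
        elif name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(value, strict=False).version != int(name[2]):
                    raise ValueError(value)
            except ValueError:
                problems.append(f"'{term}': not a valid {name} address or range")
        elif name == "all" and qualifier not in "-~":
            problems.append(f"'{term}': end with -all (strict) or ~all (loose)")
    if "all" not in mechs:
        problems.append("record does not end with -all or ~all")
    elif mechs[-1] != "all":
        problems.append("mechanisms after 'all' are never evaluated; put it last")
    return problems

# Constructed sample records; 192.0.2.10 is a documentation-only address.
SAMPLES = {
    "ip left blank": ["v=spf1 include:_spf.websavers.ca +a +mx +ip4: -all"],
    "complete": ["v=spf1 include:_spf.websavers.ca +a +mx +ip4:192.0.2.10 -all"],
    "two records": ["v=spf1 +a +mx -all", "v=spf1 include:_spf.google.com -all"],
    "missing space": ["v=spf1 include:_spf.websavers.ca +a+mx -all"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(f"{label}: {lint_spf(records) or 'ok'}")
```

Pass it every TXT value published at the domain name, since unrelated TXT records (site verification strings, for example) are ignored and only those starting with v=spf1 are counted.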

Jordan is a computer, security, and network systems expert and a lover of all things web and tech. Jordan consults with project management for software companies. Jordan is a founder and managing partner at Websavers Inc.
