What is SPF / Sender Policy Framework?

SPF records are used to prevent spammers from trying to make it look like their spam comes from your email address. While SPF records don’t guarantee prevention of forged addresses, they do a lot to help prevent it. Spammers commonly use sender forgery to try and trick their recipients into reading their SPAM emails.

SPF works by publishing a list of server addresses that you permit to send email on behalf of your domain. Here’s an example of one:

v=spf1 include:_spf.websavers.ca +a +mx +ip4:2.2.2.2 -all

This record of type text (TXT) indicates the following:

  1. v=spf1 — That it’s an SPF record, version 1
  2. include:_spf.websavers.ca — Include statements mean to include SPF records available at the provided address. This particular one means to include all outgoing mail servers that Websavers has deemed acceptable. They’re published at _spf.websavers.ca (you can’t go there in a web browser to see them though, they’re only visible to DNS requests).
  3. +a +mx — Allow servers residing at both the A and MX record addresses to send emails. You can do a lookup of your domain to learn what the A and MX records are set to, or simply look in Plesk or at your DNS host if the DNS is not hosted with us.
  4. +ip4:2.2.2.2 — The server at this address can send emails from your domain as well
  5. -all — means do not allow any other servers other than those previously listed to send messages

More details about how SPF records are to be formatted (the syntax) can be found on the OpenSPF website.

Any servers you do not publish in your SPF record using one of the methods described above are not allowed to send email using any of your email addresses on that domain.

Note that even if you switch to using an external email provider, but keep your website hosted with us, it’s still important to keep both +a and include:_spf.websavers.ca in your SPF record. This is because your website often sends out email directly from the server its hosted on (ex: registration or order notification emails) rather than sending it through your email provider, and you want to still allow those emails to be sent successfully.

Common SPF Config Reference

Note that these aren’t the entire record, just the portion you’ll want to add to your SPF record to allow the matching company’s SMTP servers to send email on behalf of your domain. When adding, make sure there are spaces between these additions and the other parts of the SPF record. Also make sure your record begins with v=spf1 and ends with either ~all (loose) or -all (more strict).

  • Websavers: include:_spf.websavers.ca
  • Google: include:_spf.google.com (details)
  • Bellnexxia: +ptr:bellnexxia.net
  • Eastlink: include:_spf.eastlink.ca
  • Microsoft Office 365: include:spf.protection.outlook.com (details)
  • GoDaddy: include:spf.secureserver.net
  • Yahoo: Not possible. Uses DMARC instead and forces their SMTP to be used only by Yahoo accounts.

Jordan is a computer, security, and network systems expert and a lover of all things web and tech. Jordan consults with project management for software companies. Jordan is a founder and managing partner at Websavers Inc.

Leave a Comment