How to properly set DNS SPF domain records so that emails don't fall into SPAM

This article briefly summarizes the importance and proper use of the SPF record in a domain's DNS, so that an application on the server can send emails that do not end up in SPAM.

The principle of SPF (Sender Policy Framework) is to verify the IP address of the sender in order to prevent the sending of SPAM. It is a DNS record of the TXT type, set on the domain, in which we define the addresses of the servers that may send emails in the domain's name. The server that receives the email looks up this record to find out which servers are authorized to send mail on behalf of the domain.

Simple example of SPF record

v=spf1 a -all

This record says that the only server that can send mail is the one whose IP address is listed in the domain's DNS A record. The -all directive declares anything not matching this rule unauthorized, so such mail should be rejected.

SPF syntax in detail

Let's give another example:

v=spf1 a mx ip4:1.2.3.4 -all
  • v=spf1 specifies the SPF version that is used
  • a mx ip4:1.2.3.4 defines one or more servers that are authorized to send mail in the domain's name
  • -all defines the result that applies when none of the preceding rules match

Authorized servers

There are quite a few ways to specify which servers are authorized to send emails.

  • a - all addresses contained in the DNS A (and AAAA) record of the domain, both IPv4 and IPv6
  • mx - all addresses of the hosts listed in the DNS MX record of the domain, both IPv4 and IPv6
  • ip4 - definition of specific IPv4 addresses or a range, in the form ip4:xxx.xxx.xxx.xxx/y
  • ip6 - definition of specific IPv6 addresses or a range, in the form ip6:xxxx:xxxx:x:x::xxxx:x/y
  • include - definition of a specific domain whose SPF record is evaluated as well, in the form include:thirdparty.server.tld
  • all - everything (I do not recommend using it on its own - never!)

What happens when the rules are not met

If the email does not come from one of the authorized servers, we can define in SPF what should happen to it.

  • -all - reject / discard
  • ~all - soft fail (mark as suspicious); the email can still be delivered
  • ?all - neutral rating

Real world examples

v=spf1 a mx ip4:37.157.197.51 ip6:2a02:2b88:2:1::54c6:1 -all

In this case, emails can be sent from the IP addresses listed in the domain's DNS A and MX records and also from the explicitly defined IPv4 and IPv6 addresses. Emails sent from other servers are rejected as unauthorized.

v=spf1 a include:_spf.google.com -all

Another example authorizes sending emails from the server that hosts the web presentation (for example through a PHP script) and at the same time authorizes Gmail, which is the client used for the primary mail.
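To make the syntax from the sections above concrete, here is a small SPF evaluator written for this article (it is an added example, not code from the original page). It parses a record term by term, resolves the a, mx, ip4, ip6 and include mechanisms and applies the qualifier of the first matching term, exactly the way a receiving server decides between pass, fail, softfail and neutral. Real DNS lookups are replaced by a constructed in-memory table, so the domain names example.org, shop.example.org and the contents of _spf.google.com here are assumptions; the two real-world records above are used unchanged.

```python
import ipaddress

# Constructed DNS answers (example data only, no real lookups are made).
DNS = {
    "example.org": {
        "A": ["37.157.197.51"],
        "AAAA": ["2a02:2b88:2:1::54c6:1"],
        "MX": ["mail.example.org"],
        "TXT": ["v=spf1 a mx ip4:37.157.197.51 ip6:2a02:2b88:2:1::54c6:1 -all"],
    },
    "mail.example.org": {"A": ["203.0.113.25"]},
    "shop.example.org": {
        "A": ["198.51.100.7"],
        "TXT": ["v=spf1 a include:_spf.google.com -all"],
    },
    # Constructed stand-in for the real Google include target.
    "_spf.google.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
}

# Qualifier prefix -> SPF result when the mechanism matches; "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf(domain):
    """Return the SPF TXT record of a domain, or None if it has none."""
    for txt in DNS.get(domain, {}).get("TXT", []):
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            return txt
    return None


def host_ips(name):
    """All IPv4 and IPv6 addresses of a host name (A and AAAA records)."""
    rec = DNS.get(name, {})
    return [ipaddress.ip_address(x) for x in rec.get("A", []) + rec.get("AAAA", [])]


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a connecting `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    The redirect= and exp= modifiers and the a/mx prefix-length forms are
    deliberately not supported here; they are not used by the article.
    """
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = get_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        if "=" in term:                 # modifier we do not implement: ignore
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in host_ips(arg or domain)
        elif name == "mx":
            mx_hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(ip in host_ips(mx) for mx in mx_hosts)
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only if the other domain's record yields "pass"
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism: record is broken

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no term matched and no "all" present


if __name__ == "__main__":
    for ip, dom in [("37.157.197.51", "example.org"),
                    ("203.0.113.25", "example.org"),
                    ("10.0.0.1", "example.org"),
                    ("192.0.2.10", "shop.example.org"),
                    ("10.0.0.1", "shop.example.org")]:
        print(f"{ip:>16} sending as {dom}: {check_spf(ip, dom)}")
```

The order of terms matters: evaluation stops at the first match, so a record ending in -all only rejects what none of the earlier mechanisms accepted. Note also that an include only contributes a match when the included record itself returns pass; a ~all inside the included domain (as in the constructed _spf.google.com stand-in) never authorizes a sender on its own, so the outer -all still applies.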

Best practice

It is advisable to centralize mail in one place, on one server. At the same time you usually need the web presentation to be able to send notifications from submitted forms or, for example, orders from the e-shop. That is why I recommend writing the SPF record in the shortest form possible, listing only the server that hosts the web and the server that hosts the primary mail. Thanks to that, everything is clear at first glance.