
SPF Record Authorisation

SPF records authorise specific mail servers to send emails from your domain. Configuring SPF records prevents email spoofing and improves email deliverability, ensuring booking confirmations and guest communications reliably reach inboxes.

Written by Hayden Zammit Meaney
Updated over 2 months ago

SPF Record Configuration

SPF records authorise specific mail servers to send emails from your domain. Configuring SPF records prevents email spoofing and improves deliverability, so that guests reliably receive booking confirmations, important travel updates and other communications.

Accessing this feature

REQUIRES_DEVELOPER_INPUT

How to use it

Setting up or updating an SPF record requires careful attention to detail to avoid disrupting email deliverability. Follow these steps to ensure correct configuration:

  1. Identify Your Current SPF Record (if any): Before making any changes, determine if an SPF record already exists for your domain. Use an online SPF lookup tool (e.g., MXToolbox, Kitterman) by entering your domain name. A domain should only have one SPF TXT record. If multiple SPF records are found, they must be merged into a single record, as multiple SPF records will invalidate your configuration.

  2. Determine All Authorised Sending Sources: List every service that sends email on behalf of your domain. This typically includes:

  • Your primary mail server (e.g., Microsoft 365, Google Workspace, your web host's mail server).

  • Third-party email marketing platforms (e.g., Mailchimp, ActiveCampaign).

  • Transactional email services (e.g., SendGrid, Postmark).

  • Guest management systems or other business applications that send notifications.

Each service usually provides specific SPF include mechanisms or IP addresses to add to your record.

  3. Construct Your SPF Record: An SPF record is a single string of text. All SPF records begin with `v=spf1`. The subsequent parts specify authorised senders:

  • `v=spf1`: Denotes the SPF version being used. This must always be the first term in the record.

  • `ip4:192.0.2.1`: Authorises a specific IPv4 address.

  • `ip6:2001:db8::1`: Authorises a specific IPv6 address.

  • `a`: Authorises the IP addresses found in your domain's A records.

  • `mx`: Authorises the IP addresses found in your domain's MX records.

  • `include:spf.example.com`: Authorises all servers listed in the SPF record of spf.example.com. This is commonly used for third-party email services.

  • `exists:example.com`: Matches when a DNS A-record lookup for example.com returns a result, whatever the sending IP address.

  • `-all` (Hardfail): Specifies that any server not explicitly listed in the SPF record is not authorised to send email from your domain. Receiving servers should reject these emails. This is the most stringent option.

  • `~all` (Softfail): Specifies that any server not explicitly listed is likely not authorised. Receiving servers may accept these emails but mark them as suspicious. This is often recommended for initial setup or domains with complex sending requirements.

  • `?all` (Neutral): Specifies no policy; receiving servers should treat unauthorised emails as neither allowed nor disallowed. This option offers minimal protection and is generally not recommended.

  4. Example Construction: If you use Google Workspace for email and Mailchimp for marketing, your record might look like this: `v=spf1 include:_spf.google.com include:servers.mcsv.net ~all`

Always refer to the documentation provided by your specific email service providers for their exact SPF requirements.

  5. Add or Update the SPF Record in Your DNS:

  • Log in to your domain registrar or hosting provider's control panel.

  • Go to the DNS management section (often labelled "DNS Zone Editor," "Manage DNS," or "Advanced DNS").

  • Locate the option to add a new record or edit an existing one.

  • Type: Select "TXT" (Text) record.

  • Host/Name: Enter `@` or your domain name (e.g., `yourdomain.com`). Some providers may require leaving this field blank or entering `_spf`. Check your provider's specific instructions.

  • Value/Text: Paste the complete SPF record string you constructed (e.g., `v=spf1 include:_spf.google.com ~all`).

  • TTL (Time To Live): This determines how long DNS resolvers cache the record. A common value is 3600 seconds (1 hour). For initial setup or changes, a lower TTL (e.g., 300 seconds) can speed up propagation, but remember to revert to a higher value later for optimal performance.

  • Save the changes.

  6. Verify Your SPF Record: After saving, DNS changes can take some time to propagate across the internet (typically a few minutes to several hours, depending on the TTL and your DNS provider). Use an online SPF lookup tool again to verify that your new or updated SPF record is correctly published and visible. Send a test email from each authorised service and check the email headers for SPF pass/fail results.

Tips

  • Maintain Only One SPF Record Per Domain: Having multiple SPF TXT records for a single domain will invalidate your entire SPF configuration. All authorised sending sources must be combined into a single record.

  • Keep Your Record Concise and Relevant: Only include mechanisms for currently active and authorised sending services. Regularly review and update your SPF record when adding or removing email senders.

  • Start with `~all` (Softfail) and Progress to `-all` (Hardfail): If you are unsure about all your sending sources, begin with `~all` to allow for a grace period where emails from unauthorised sources are marked as suspicious rather than immediately rejected. Once you are confident that all legitimate senders are covered, update to `-all` for maximum protection.

  • Combine with DMARC and DKIM: For comprehensive email authentication and security, always implement SPF in conjunction with DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance). DMARC provides reporting on SPF and DKIM results, allowing you to monitor and refine your policies.

  • Avoid Exceeding 10 DNS Lookups: The SPF specification limits the number of DNS lookups an SPF record can trigger to 10. Exceeding this limit will cause your SPF record to fail authentication. Use tools to check your record's lookup count and consolidate include mechanisms where possible.

  • Test Thoroughly After Any Changes.
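The checks from the verification step and the tips above (exactly one SPF record, a restrictive `all` term, no more than 10 DNS lookups) can be run offline before a record is published. The following is an added example, not code from this help centre: the `ZONE` dictionary is constructed sample data standing in for live DNS, and all domain names in it are made up. As simplifications, it does not count the extra lookups that resolving `mx` hosts can cause, and it flags a record that relies only on `redirect=` as lacking an `all` term.

```python
import re

# Terms that trigger a DNS query and count toward the limit of 10 lookups.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([+\-~?]?)([A-Za-z][A-Za-z0-9]*)(?:[:=/](.*))?$")

# Constructed sample data: domain -> TXT values, standing in for live DNS.
ZONE = {
    "good.example": ["v=spf1 include:_spf.mail.example ip4:192.0.2.1 ~all", "unrelated=txt"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:_spf.mail.example ~all"],
    "heavy.example": ["v=spf1 a mx " + " ".join(f"include:s{i}.heavy.example" for i in range(9)) + " -all"],
    **{f"s{i}.heavy.example": [f"v=spf1 ip4:203.0.113.{i} -all"] for i in range(9)},
}

def spf_records(txt_values):
    """Keep only TXT values whose first term is v=spf1."""
    return [t for t in txt_values if t.lower().split(" ")[0] == "v=spf1"]

def parse_term(term):
    """Split a term into (qualifier, name, argument); '+' is the default qualifier."""
    m = TERM.match(term)
    return (m.group(1) or "+", m.group(2).lower(), m.group(3)) if m else ("+", term, None)

def count_lookups(domain, zone, seen=()):
    """Count lookup-triggering terms, following include/redirect recursively."""
    records = spf_records(zone.get(domain, []))
    if len(records) != 1 or domain in seen:  # nothing to follow, or an include loop
        return 0
    total = 0
    for _, name, arg in map(parse_term, records[0].split()[1:]):
        total += name in LOOKUP_TERMS
        if name in ("include", "redirect") and arg:
            total += count_lookups(arg, zone, seen + (domain,))
    return total

def lint(domain, zone):
    """Return a list of findings; an empty list means no problem was detected."""
    records = spf_records(zone.get(domain, []))
    if len(records) != 1:
        return [f"{len(records)} SPF records found; exactly one is required"]
    findings = []
    quals = [q for q, name, _ in map(parse_term, records[0].split()[1:]) if name == "all"]
    if not quals or quals[0] in "+?":
        findings.append("no restrictive `all` term (-all or ~all)")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10")
    return findings
```

To check a real domain, replace `ZONE` with the TXT values returned by your DNS lookup tool for the domain and for each `include` target.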

Need help?

For further assistance, contact us at [email protected]
