<spf> declare your smtp servers
spf explained
SPF stands for Sender Policy Framework, an email authentication standard
that lets you declare which smtp servers are authorized to send emails for your domain.
It allows you to confirm the sender’s address and its relationship with the server that sent out the message.
When an email is sent with your sender domain, the recipient can check whether it was sent from an smtp server that you recognize.
It’s recommended to configure it, because some recipients may reject your messages if spf is not set at all.
how to make spf work
There are two different approaches:
- a “soft” one (~all tag), that generates a “softfail” result if the message has been sent by an undeclared server
- a “hard” one (-all tag), that generates a “fail” result if the message has been sent by an undeclared server
The “soft” setup will produce fewer or no rejections by the recipients.
The “hard” one will cause some messages to be rejected if the server has not been declared or in some cases when the email has been redirected or sent through a mailing list.
The “hard” setup gives the destination mail server more power to decide whether to accept the message. This is the approach that we suggest.
how to configure spf
SPF setup requires knowing exactly which servers you use to send out email messages.
With RealSender, the TXT record of your domain (example.com) should contain the string
a:example.realsender.com and look like this:
example.com TXT "v=spf1 a:example.realsender.com ~all"
With HighSender, the TXT record of your domain (example.com) should contain the string
include:spf.realsender.com and look like this:
example.com TXT "v=spf1 include:spf.realsender.com ~all"
These tools will help you validate the configuration:
www.kitterman.com/spf/validate.html
retrieves SPF records for the specified domain name and determines if the record is valid
spf check online
validates your email SPF settings sending an email message
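The records above can also be checked offline before they are published. The following is an added example, not RealSender's code: it parses an SPF string, reports the policy set by the all term, and counts the terms that trigger DNS lookups. The function names are assumptions of this example, and the -all record is a constructed variant of the page's record.

```python
"""Offline SPF record lint (added example; makes no DNS queries)."""
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup when evaluated (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def parse_spf(record):
    """Split an SPF TXT string into (qualifier, name, value) terms."""
    tokens = record.strip().strip('"').split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        qual = "+"  # a mechanism without a qualifier means "pass"
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        # Mechanisms take ':' (a:host); modifiers take '=' (redirect=domain).
        sep = "=" if "=" in tok and ":" not in tok.split("=")[0] else ":"
        name, _, value = tok.partition(sep)
        terms.append((qual, name.split("/")[0].lower(), value))
    return terms


def lint_spf(record):
    """Return (policy, direct_lookups, warnings) for one SPF record."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    # Only terms in this record are counted; nested includes add more.
    lookups = sum(1 for name in names if name in LOOKUP_TERMS)
    policy, warnings = None, []
    if "all" in names:
        policy = QUALIFIERS[terms[names.index("all")][0]]
        if policy == "pass":
            warnings.append("+all authorizes any server to send for the domain")
        elif policy == "softfail":
            warnings.append("~all: undeclared servers get softfail, not fail")
    elif "redirect" not in names:
        warnings.append("no 'all' term: undeclared servers get neutral")
    if lookups > 10:
        warnings.append("over 10 DNS-lookup terms: evaluation ends in permerror")
    return policy, lookups, warnings


if __name__ == "__main__":
    # First two records are quoted on this page; the -all one is constructed.
    for rec in ("v=spf1 a:example.realsender.com ~all",
                "v=spf1 include:spf.realsender.com ~all",
                "v=spf1 include:spf.realsender.com -all"):
        print(rec, "->", lint_spf(rec))
```

The lookup count covers only the terms written in the record itself; the online validators listed above resolve nested includes as well.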
spf downsides
Even if everything is set correctly, the message verification may fail
if the email has been redirected (forwarded) or sent through a mailing list.
In these cases, to keep the email authentication consistent,
configure the dkim signature domain to be aligned with the sender’s From address.
See: email authentication advanced » <dkim> alignment for dmarc.
last updated on September 3, 2020