An SPF record is your way of telling mailbox providers which IP addresses or domains are authorized to send mail on your behalf, so it is very important that it is accurate and up to date. Sending email from an IP or domain not included in your SPF record results in a failed authentication verification.
Including domains in your SPF record
A constraint when using domains in your SPF record is the limit of 10 DNS queries performed by a verifying server. Exceeding 10 DNS queries results in a failed SPF verification. All of the mechanisms and modifiers listed below result in a DNS query.
The a, mx, include, and exists mechanisms
Using the ptr mechanism is an option listed in various publications, but according to RFC 7208 you should not use it in your SPF record. It is slow, unreliable, and resource intensive on name servers.
- a: The verifying server checks the listed domain’s A (IPv4) or AAAA (IPv6) records.
- When no domain is listed, the verifying server checks the A or AAAA records for the Mfrom (Return-path) domain you are using for the SPF record.
v=spf1 a -all
- The verifying server checks yourdomain.com for A or AAAA records.
v=spf1 a:email.yourdomain.com -all
- The verifying server checks whether the sending IP falls within the /24 range around each A or AAAA record of email.yourdomain.com.
v=spf1 a:email.yourdomain.com/24 -all
- mx: The verifying server checks the listed domain’s MX records for A or AAAA records, in order of MX priority.
- When no domain is listed, the verifying server checks the Mfrom (Return-path) domain’s MX records for A or AAAA records.
v=spf1 mx -all
- The verifying server checks yourdomain.com’s MX record for an A record or AAAA record.
v=spf1 mx:yourdomain.com -all
- The verifying server checks whether the sending IP falls within the /24 range around each A or AAAA record of yourdomain.com’s MX hosts.
v=spf1 mx:yourdomain.com/24 -all
- include: The verifying server checks the listed domain for an SPF record. That SPF record is checked for an IP match.
- The verifying server checks the SPF records for yourdomain.com and exampledomain2.com.
v=spf1 include:yourdomain.com include:exampledomain2.com -all
- exists: The verifying server checks the A or AAAA record on the listed domain. Use this mechanism for more complex queries involving macros. Refer to RFC 7208 for details.
- The verifying server checks yourdomain.com for an A or AAAA record.
v=spf1 exists:yourdomain.com -all
The redirect modifier
- redirect: The listed domain replaces the current record. Use this modifier when you want to use one record for multiple domains.
- When using redirect, the SPF record should not use an “all” mechanism. If it does have the “all” mechanism (e.g. ~all or -all), the record is ignored and may result in a verification failure.
- The redirect modifier should only be used once. Using redirect in your SPF record more than once results in a verification failure.
- The verifying server checks the SPF record for mail.example.com.
v=spf1 redirect=mail.example.com
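The two failure modes described above, the 10-DNS-query limit and the redirect rules, are easiest to catch before publishing a record. The following is an added example (not code from this page or from any mail provider): an offline audit that walks an SPF record and every record it includes or redirects to, counts the terms that cost a DNS query (a, mx, include, exists, ptr, redirect), and reports the redirect and "=" versus ":" mistakes. The zone table is constructed for the example, and every domain name in it is hypothetical.

```python
"""Offline SPF audit: count DNS-querying terms against the RFC 7208 limit of 10
and flag redirect misuse and mechanism/modifier syntax mix-ups.
Added example; the ZONE table below is constructed, not real DNS data."""
import re

LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}   # each costs a DNS query
NO_LOOKUP_MECHANISMS = {"all", "ip4", "ip6"}                   # evaluated without DNS
MAX_LOOKUPS = 10                                               # RFC 7208 section 4.6.4

# Constructed zone: domain -> published SPF TXT record (hypothetical names).
ZONE = {
    "yourdomain.com": "v=spf1 mx include:exampledomain2.com include:bulk.example.net -all",
    "exampledomain2.com": "v=spf1 a:email.exampledomain2.com include:deep1.example.org ~all",
    "bulk.example.net": "v=spf1 ip4:203.0.113.0/24 -all",
    "deep1.example.org": "v=spf1 include:deep2.example.org include:deep3.example.org -all",
    "deep2.example.org": "v=spf1 a mx exists:%{i}.chk.example.org -all",
    "deep3.example.org": "v=spf1 mx mx:mx2.example.org a -all",
    "mail.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "good-redirect.example": "v=spf1 redirect=mail.example.com",
    "redirect-bad.example": "v=spf1 redirect=mail.example.com -all",      # all + redirect
    "redirect-twice.example": "v=spf1 redirect=a.example redirect=b.example",
    "broken.example": "v=spf1 include=yourdomain.com -all",               # '=' instead of ':'
}


def parse_terms(record):
    """Split a record into (kind, qualifier, name, value) tuples, kind 'mech' or 'mod'."""
    terms = []
    for tok in record.split()[1:]:  # skip the "v=spf1" version tag
        if "=" in tok and ":" not in tok.split("=", 1)[0]:
            name, value = tok.split("=", 1)          # modifier: name=value
            terms.append(("mod", "", name.lower(), value))
            continue
        qual = "+"
        if tok[0] in "+-~?":                          # optional qualifier prefix
            qual, tok = tok[0], tok[1:]
        name, sep, rest = tok.partition(":")
        if not sep:                                   # bare "a", "mx", "mx/24" ...
            name, rest = tok.split("/")[0], ""
        terms.append(("mech", qual, name.lower(), rest.split("/")[0]))
    return terms


def audit(domain, zone, _depth=0):
    """Return {"lookups": n, "findings": [...]} for the record tree rooted at domain."""
    if _depth > MAX_LOOKUPS:                          # guard against include/redirect loops
        return {"lookups": 0, "findings": [f"{domain}: include/redirect nesting too deep"]}
    record = zone.get(domain)
    if record is None:
        return {"lookups": 0, "findings": [f"{domain}: no SPF record -> permerror"]}
    terms = parse_terms(record)
    findings, lookups = [], 0
    redirects = [v for k, _, n, v in terms if k == "mod" and n == "redirect"]
    has_all = any(k == "mech" and n == "all" for k, _, n, _ in terms)
    for kind, _qual, name, value in terms:
        if kind == "mod":
            if name in LOOKUP_MECHANISMS | NO_LOOKUP_MECHANISMS:
                # "include=x" parses as an unknown modifier, which receivers silently ignore
                findings.append(f"{domain}: '{name}={value}' should be '{name}:{value}' "
                                f"(as written it is an unknown modifier and is ignored)")
            continue                                  # redirect is handled after the loop
        if name in LOOKUP_MECHANISMS:
            lookups += 1
            if name == "ptr":
                findings.append(f"{domain}: ptr mechanism is discouraged by RFC 7208")
            if name == "include":
                sub = audit(value, zone, _depth + 1)
                lookups += sub["lookups"]
                findings.extend(sub["findings"])
        elif name not in NO_LOOKUP_MECHANISMS:
            findings.append(f"{domain}: unknown mechanism '{name}' -> permerror")
    if redirects:
        if len(redirects) > 1:
            findings.append(f"{domain}: redirect appears {len(redirects)} times -> permerror")
        elif has_all:
            findings.append(f"{domain}: redirect={redirects[0]} is ignored because the "
                            f"record contains an 'all' mechanism")
        else:
            lookups += 1                              # the redirect itself costs a query
            sub = audit(redirects[0], zone, _depth + 1)
            lookups += sub["lookups"]
            findings.extend(sub["findings"])
    if _depth == 0 and lookups > MAX_LOOKUPS:
        findings.append(f"{domain}: {lookups} DNS-querying terms exceeds {MAX_LOOKUPS} -> permerror")
    return {"lookups": lookups, "findings": findings}


if __name__ == "__main__":
    for d in ("yourdomain.com", "good-redirect.example", "redirect-bad.example",
              "redirect-twice.example", "broken.example"):
        print(d, audit(d, ZONE))
```

Run against the constructed zone, yourdomain.com resolves to 13 query-costing terms once its nested includes are counted, so the record would fail with a permerror even though each individual record looks short. Pointing the audit at a real domain only requires replacing the ZONE dictionary with a resolver that fetches TXT records.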