What is an SPF record, and what is it used for?

Sender Policy Framework (SPF) is actually an e-mail validation system designed to prevent e-mail spam by addressing a common susceptibility to get attacked.

The main design intent of the SPF record is to allow a receiving MTA (Message Transfer Agent) to ask the nameserver of the domain which appears in the email (sender) and check if the originating IP of the mail (source) is authorized to send mail for the sender’s domain. The mail sender is required to publish an SPF but the sending MTA is unchanged.

SPF allows administrators to specify which hosts are allowed to send e-mail from a given domain by creating a specific DNS SPF record in the public DNS. Mail exchangers then use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain’s administrators.

If a SPF (TXT) exists and authorizes the source IP address, the mail can be accepted by the MTA. But if the SPF does not authorize the IP address the mail can be bounced this is when it does not originate from an authorized source for the sender’s website.

The SPF data is entirely contained in the text field , here the SPF defines the contents of the quoted string as follows:

V = spf1 [pre] [type] …. [mod]

v = spf1

It defines the version being used.


This is an optional field (defaults to +). pre defines the code to return when a match occurs. If a test is conclusive either add + or omit (defaults to +). If a test is not completed successfully use "?" or "~" (tilde). "-"(minus) is typically only used with -all to indicate that if we have had no previous matches – fail.


These types specify a verification mechanism system.

ip4 – use IP Version 4 addresses, for example,

ip6 – use IP Version 6 addresses for verification, for example, 20:43:dc4::20

a – uses A Record

mx – uses MX Record

ptr – uses PTR Record

exists – tests for existence of domain


a — uses the sender-domain to find an A Record to verify the source.

a:domain — This replaces sender with domain’s A Record for verification. This does NOT use domain’s SPF record.

a:domain/cidr — It applies the cidr range to the IP address obtained from the A query

a/cidr — It applies the test to the cidr range of the senders A Record.

mx ,mx:domain,mx:domain/cidr,mx/cidr

This basic form without any extensions uses the MX Record of the sender to verify the mail source-ip. The MX record return a host name from which the A record can be compared with the source-ip. The form mx/cidr applies the IP Prefix or slash range to the A Record address.. With any of the domain extensions the MX record of the designated domain is used for verification.

ptr ,ptr/domain

The form ptr:domain replaces the sender-domain with domain in the final check for a valid domain name.

ip4:ipv4 , ip4:ipv4/cidr

If the source-ip is the same as ipv4 the test passes. May optionally take the form ip4:ipv4/cidr to define a valid IP address range using the slash or IP Prefix notation.

ip6:ipv6 ,ip6:ipv6/cidr

If the source-ip is the same as ipv6 the test passes. May optionally take the form ipv6/cidr to define a valid IP address range. For more info on CIDR.


The existence (any valid A Records) of the specified domain..


Two optional record modifiers are defined. If present they should follow the last type directive i.e. after the all. The current values defined are as follows:

Redirect = domain

Functionally equivalent to include but can appear on its own or can placed after the all which means "if all the previous test fail try this redirect".

Exp = txt-rr

The exp record if present should come last in a SPF record (after the all if present). It defines a DNS name whose TXT record’s text may be returned with any failure message.

We can also set SPF records in Cpanel by doing the following steps:

1. Login to Cpanel.

2. Go to the Mail section, and click on Email Authentication.

3. Click on the Enable Button to activate SPF for the domain.

Leave a Reply