How to Setting Up an SPF Record

Although you do not need an SPF record on your DNS server to evaluate incoming email against SPF policies published on other DNS servers, the best practice is to set up an SPF record on your DNS server. Setting up an SPF record lets other email servers use SPF filtering (if the feature is available on the mail server) to protect against incoming email from forged (spoofed) email addresses that may be associated with your mail server. As SPF records are implemented more widely, SPF filtering will become more effective at identifying spoofed email messages.

About SPF records

SPF records, like MX, A, and PTR records, are included at the DNS domain tree level. These records identify authorized SMTP servers for each domain.
An SPF record consists of the SPF version number followed by strings comprised of mechanisms, prefixes, and modifiers. SPF clients ignore TXT records that do not start with the version string v=spf1.
SPF records are evaluated in a two pass process. First, all mechanisms and prefixes are evaluated, then all modifiers are evaluated. Mechanisms are evaluated from left to right. Modifiers are evaluated on the second pass and can occur anywhere in the record. A generic SPF record takes the format of:
version ([prefix] mechanisms) (modifiers)

SPF Parameters	Description
v=spf1	SPF version number
all, include, a, mx, ptr, ip4, and exists	Mechanisms. Use one or more in a record string.
"+", "-", "~", and "?"	Prefixes. Precede mechanisms. If a prefix is not included, "+" is implied.
exp	Modifiers. Use 0 - 2 in a record string.

An example SPF record is:
v=spf1 +a:mail.domain.com/16 +mx +ptr include:anotherdomain.com redirect=exampleredirect.com exp=spf-error -all
This SPF record includes three directives made up of prefixes and mechanisms:

• +a:mail.domain.com/16
• +mx
• +ptr
• -all

and two modifiers:

• include:anotherdomain.com
• exp=spf-error

Mechanisms identify IP addresses that are authorized to send email from a specified domain. You can use zero or more mechanisms in an SPF record string. Mechanisms usually contain ":" or "/" characters and are case-sensitive. Directives that do not contain "=", ":", or "/" are also mechanisms. Following are mechanism descriptions:

SPF Mechanisms	Description
all	Matches all local and remote IPs and goes to the end of the SPF record. Example:v=spf1 +all
include	Specifies other domains that are authorized domains. Example:v=spf1 include:domain.com -all
a	Specifies all IPs in the DNS A record. Example: v=spf1 a:domain.com -all
mx	Specifies all A records for each host's MX record. Example: v=spf1 mx mx:domain.com -all
ptr	Specifies all A records for each host's PTR record. Example: v=spf1 ptr:domain.com -all
ip4	Specifies a single IP or an acceptable IP address range. /32 is assumed if no prefix-length is included. Example:v=spf1 ip4:192.168.0.1/16 -all
exists	Specifies one or more domains normally singled out as exceptions to the SPF definitions. An A query is performed on the provided domain, if a result is found a match occurs. Example:v=spf1 exists:domain.com -all

Prefixes designate whether IP addresses pass or fail the SPF lookup test:

SPF Prefixes	Description
+	Pass. The address passed the test. Example:v=spf1 +all
-	Fail. The address failed the test. Example:v=spf1 -all
~	Softfail. The address failed the test, but the result is not definitive. Example:v=spf1 ~all
?	Neutral. The address did not pass or fail the test. Example:v=spf1 ?all

Modifiers provide additional SPF query information and can branch SPF processing. They always contain an "=" character and are case-sensitive. SPF includes two possible modifiers, each can be used once:

SPF Modifiers	Description
redirect	Sends inquiry to another domain. Example: redirect=exampleredirect.com
exp	Sets up an explanation in the SPF record. If an SPF query produces a FAIL result, the explanation is queried and the explanation string provides more information to the nonconforming user. The explanation is typically placed in an SPF log. Example: exp=spf-error