SPF Record Syntax
An SPF record is made up of several parts. The first part should always be the version number, and after that, you can define valid senders with one or more mechanisms. SPF Record syntax is defined in detail in RFC 7208.
The following is a summary of the syntax:
The SPF record is a text record placed in the TXT DNS record for a domain. The mechanisms and modifiers are separated by spaces. Each mechanism starts with a single letter, and each modifier starts with a single letter followed by an equals (=) sign.
Mechanisms
Mechanisms either allow or deny the use of an IP address for sending mail from a particular domain. The following are the available mechanisms:
Mechanisms | Description | Example |
---|---|---|
A | The A mechanism matches an IP address and is used to allow/deny mail from a specific IP address. | v=spf1 a -all |
IP4 | The IP4 mechanism matches an IPv4 address and is used to allow/deny mail from a specific IPv4 address. | v=spf1 ip4:192.168.0.1 -all |
IP6 | The IP6 mechanism matches an IPv6 address and is used to allow/deny mail from a specific IPv6 address. | v=spf1 ip6:fe80:: -all |
PTR (Not Recommended) | The PTR mechanism matches a hostname, which is looked up via a reverse DNS lookup. It is used to allow/deny mail from a specific hostname. | v=spf1 ptr:example.com -all |
MX | The MX mechanism matches a hostname, which is looked up via a DNS MX record lookup. It is used to allow/deny mail from a domain’s mail server. | v=spf1 mx -all |
Include | The include mechanism is used to include another domain's SPF record in the SPF record. The included SPF record is looked up via DNS and evaluated as if it were part of the SPF record. | v=spf1 include:example.com -all |
exists | The exists mechanism is used to perform a DNS lookup, and matches if a DNS record is returned. It is used to allow/deny mail based on the existence of a DNS record. | v=spf1 exists:example.com -all |
Modifiers
Modifiers are separated by spaces, and each modifier starts with a single letter followed by an equals sign. Modifiers are used to modify the action taken when a mechanism matches. The following are the available modifiers:
Modifiers | Description | Example |
---|---|---|
redirect | The redirect modifier is used to redirect a query to a different SPF Record. The redirect modifier is used when a domain wishes to delegate the SPF Record syntax to another domain. The redirect modifier is only supported by newer versions of SPF. | v=spf1 redirect=example.com |
exp | The exp modifier is used to explain an error condition. The exp modifier is used to provide a more detailed error message if a query fails. The exp modifier is only supported by newer versions of SPF. | v=spf1 -all exp=badhost |
Action
Action is the final element of an SPF Record. Actions are separated by spaces, and each action starts with a single letter. The available actions are:
Action | Meaning | Example |
---|---|---|
+all | Allow all IPs to send email (not recommended) | v=spf1 +all |
-all | Deny all mail; this is used if the domain doesn’t send mail at all | v=spf1 -all |
~all | Allow the domain’s specified MXs to send mail for the domain; deny all others | v=spf1 mx ~all |
?all | This action is used to neutralize the result of the SPF Record. | v=spf1 mx ?all |
Maximum Number of Lookups
In order to prevent DNS lookups from becoming infinite loops, SPF will perform a maximum of 10 DNS lookups. If an SPF Record contains more than 10 DNS lookups, then the SPF Record is considered invalid.
A DNS lookup is done when you query for one of these mechanisms:
- a
- mx
- ptr
- include
- exists
Please note that the ‘nested lookups’ will also count. If an ‘included’ domain does an A and MX lookup, these will both count as lookups for your domain as well.
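The lookup budget described above, as an added example (not Skysnag's code): a static counter that walks nested include records and totals the lookup-causing terms. The domain names and TXT records are constructed samples held in a dictionary so it runs offline; it also counts the redirect modifier, which RFC 7208 places under the same limit.

```python
import re

# Constructed TXT records standing in for DNS answers (not real zone data).
SAMPLE_TXT = {
    "example.com": "v=spf1 a mx include:_spf.mailer.example include:_spf.crm.example -all",
    "_spf.mailer.example": "v=spf1 a mx include:_spf.relay.example ~all",
    "_spf.relay.example": "v=spf1 ip4:192.0.2.0/24 exists:%{i}.allow.relay.example ~all",
    "_spf.crm.example": "v=spf1 mx ptr include:_spf.bulk.example ~all",
    "_spf.bulk.example": "v=spf1 a mx a:out.bulk.example -all",
    "small.example": "v=spf1 mx include:_spf.relay.example -all",
}

# Terms that cost one DNS lookup each: the five mechanisms listed above,
# plus the redirect modifier (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
MAX_LOOKUPS = 10

# Optional qualifier, term name, then ":", "=" or "/" and its argument.
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)


def count_lookups(domain, txt=SAMPLE_TXT, _chain=()):
    """Worst-case number of lookup-causing terms reachable from domain's record."""
    domain = domain.lower()
    if domain in _chain:
        raise ValueError(f"include/redirect loop at {domain}")
    terms = txt.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"no SPF record for {domain!r}")
    total = 0
    for term in terms[1:]:
        match = TERM.match(term)
        if match is None:
            raise ValueError(f"unparseable term {term!r} in {domain}")
        name, arg = match.group(1).lower(), match.group(2)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            # Nested records count against the original domain's budget.
            total += count_lookups(arg or "", txt, _chain + (domain,))
    return total


def within_limit(domain, txt=SAMPLE_TXT):
    """True when the record stays inside the 10-lookup limit."""
    return count_lookups(domain, txt) <= MAX_LOOKUPS


if __name__ == "__main__":
    for d in ("example.com", "small.example"):
        print(d, count_lookups(d), "ok" if within_limit(d) else "exceeds 10 lookups")
```

The count is a worst case over every term in the record; a real evaluation stops at the first mechanism that matches.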
Conclusion
Skysnag’s automated SPF software has been developed to help verify the identity of an email sender and protect your domain from phishing attacks while taking care of your email deliverability. Get started with Skysnag by signing up using this link for a free trial today and maintain a healthy domain.