Do you have the right SPF for your emails?

Anyone with their own domain name for email needs to make sure their SPF setting is correct.  These days it’s not just recommended, it’s critical to ensuring email reaches its destination.

We’re not talking about sunscreen but Sender Policy Framework, a method of verifying that emails for a domain name come from an authorized computer.

If you have your own domain name, make sure your SPF record is correct.  If the SPF is wrong your messages might be refused by other mail systems.

Victor, our Office Watch manager, discovered the new importance of SPF in the last few days. Just a small mistake in the SPF record meant some emails were being refused and not delivered to the customer expecting them.

SPF has become more important, if not critical, to reliable email delivery. A wrong or missing SPF was once a bad idea but would not stop emails getting through. Now some mail hosts are using SPF failure as the sole reason to refuse a message. The intended recipient doesn’t know the message was refused and it doesn’t show up in a Spam/Junk Email folder.

Checking your SPF

This only applies to people sending emails from their own domain name (a business, organization, family  or individual).  Anyone using a shared mail system (Gmail, Outlook.com etc) or email via an Internet provider (ISP) does NOT need to think about SPF because it’s handled by the mail host.

  1. Check with your mail host (who sends and receives emails for you or your domain) to see what they recommend for SPF settings. Some mail hosts have a tool to check the SPF and ensure it’s correct.
  2. Go to your domain / DNS settings to make sure you have an SPF record and the settings are correct. Look for a TXT record with a Value beginning with ‘v=spf1’.

An alternative is an SPF testing tool such as MXToolbox which checks the SPF record for errors.

  3. Compare your SPF record with the ‘include:’ recommendation from your mail host.
    If several systems send emails for the domain, there can be multiple recommended ‘include:’ values to merge into a single SPF record. The order of the ‘include:’ values does not matter.
    There’s also a ‘redirect=’ value which points to another domain’s SPF record for information.  That’s often used by mail hosts who service many different domains.

Office 365 hosting

If your mail is hosted by Microsoft via Office 365 hosting then checking the SPF is simple.

If your DNS record is managed by Microsoft, then SPF is set up automatically.

If the DNS nameservers are elsewhere, there’s a service to check for DNS errors including SPF.  In Office 365 Admin go to Setup, Domains then click on the domain.  Wait for Microsoft to check the DNS record and, hopefully, you’ll see ‘Expected record’ with a green tick for the v=spf1 line.

About SPF

Sender Policy Framework is a way to guard against phishing: fake emails that pretend to come from banks and other companies.

It’s been around for many years but SPF was used as just one indicator that a message might be spam. The popular SpamAssassin system gave a message with bad SPF a score of about 4.5 where a total score over 5 meant the message was probably spam.  In other words, failing an SPF test wasn’t the only factor needed to determine if a message was good or not.

As Office-Watch.com has explained many times, detecting spam isn’t easy for software.  Spam detection works only with probabilities not certainties.  Some messages are easily detected as good or bad but there’s a middle/grey area where the message could be wanted or not. An aggressive spam filter sounds great to many people, but that tougher approach increases the risk of genuine/wanted messages being refused with no indication to the recipient.

What’s changed in the last year or so is the reliance on SPF. Some, but not all, mail hosts are treating SPF as a requirement for accepting emails.  If the incoming message doesn’t come from an SPF-listed source, the message is rejected outright by the SMTP server.

How SPF works

SPF is part of the domain name details. For any domain name, systems can look up important details like where the web site is, where to send emails and other details.

The SPF record tells anyone on the Internet what computers are allowed to send emails for that domain. Here’s an example with two systems authorized to send emails:  a computer with specific IP address and another domain (probably a mail host).

v=spf1 ip4:7.8.9.0 include:Daggmailhosting.com -all 

‘-all’ means that no other systems are allowed to send emails on behalf of that domain.
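The checks from ‘Checking your SPF’ and the record format shown here can be automated. This is an added example, not from the original article: it works on TXT record strings pasted in from your DNS settings and makes no DNS queries itself. The second host name (mailer.example) is a made-up placeholder, and the 10-lookup limit it checks comes from the SPF standard (RFC 7208), not from this article.

```python
import ipaddress
import re

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(record):
    """Split one SPF record into (qualifier, name, value) terms."""
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for word in words[1:]:
        qual, name, rest = re.match(r"([+\-~?]?)([A-Za-z0-9]*)(.*)", word).groups()
        value = rest[1:] if rest[:1] in (":", "=") else rest
        terms.append((qual or "+", name.lower(), value))  # no qualifier means '+'
    return terms

def lint_spf(txt_records, required_includes=()):
    """Return a list of problems in a domain's TXT records (no DNS queries)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["expected exactly one v=spf1 TXT record, found %d" % len(spf)]
    terms = parse_spf(spf[0])
    names = [name for _, name, _ in terms]
    includes = {value.lower() for _, name, value in terms if name == "include"}
    problems = ["missing include:" + h for h in required_includes
                if h.lower() not in includes]
    if sum(name in LOOKUP_TERMS for name in names) > 10:
        problems.append("more than 10 DNS-lookup terms")
    if "all" not in names and "redirect" not in names:
        problems.append("no 'all' term, so unlisted senders get a neutral result")
    if ("+", "all", "") in terms:
        problems.append("+all authorizes every sender")
    return problems

def ip_listed(record, sender_ip):
    """True if sender_ip matches an ip4/ip6 term of the record."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in ipaddress.ip_network(value, strict=False)
               for _, name, value in parse_spf(record) if name in ("ip4", "ip6"))

# Constructed sample data: the article's example record, and the same domain
# wrongly published as two separate SPF records (second host is hypothetical).
ARTICLE_RECORD = "v=spf1 ip4:7.8.9.0 include:Daggmailhosting.com -all"
SPLIT_RECORDS = ["v=spf1 include:Daggmailhosting.com -all",
                 "v=spf1 include:mailer.example -all"]

if __name__ == "__main__":
    print(lint_spf([ARTICLE_RECORD], ["mailer.example"]))
    print(lint_spf(SPLIT_RECORDS))
    print(ip_listed(ARTICLE_RECORD, "7.8.9.0"), ip_listed(ARTICLE_RECORD, "7.8.9.1"))
```

Pass `lint_spf` every TXT value shown for the domain and the ‘include:’ host names your mail host recommends; an empty list means none of these checks failed.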

What about DKIM?

DKIM or DomainKeys Identified Mail is another email verification system that’s often set up and used in conjunction with SPF.

It’s also set up in the DNS record; look for a TXT record that includes _domainkey in the name.