How to configure SPF
(Sender Policy Framework)
What is SPF?
SPF is an email authentication protocol that allows a domain owner to specify which mail servers are authorized to send email for the domain.
Why should I configure SPF?
An SPF-protected domain is a less attractive target for phishing attacks, because SPF prevents your email domain from being impersonated and so secures your legitimate emails.
The lack of an SPF record can lead to spoofing attacks, in which attackers trick people into providing sensitive information or even paying fake bills. Because these attacks impersonate a legitimate sender, such as an executive, an employee, or a third party, using a valid domain, they are more difficult to detect.
Setting SPF provides additional security and prevents your domain from being abused or spoofed.
STEP 1: Create your SPF record
- Start with SPF version 1: "v=spf1"
- If the main IP of the domain will be used to send emails, add "a"
- Add the IP addresses that will be allowed to send emails using your domain with the "ip4" tag
- Add any third-party domains that send email on behalf of your domain with the "include" tag
- Decide how strict you want your policy to be and add the corresponding tag to the end of the record:
• "-all" Fail: servers not listed in the SPF record are not allowed to send email for that domain (non-compliant emails will be rejected).
• "~all" Softfail: If the email is received from a server that is not on the list, the email will be marked as softfail (emails will be accepted but marked).
• "?all" Neutral: Do nothing; do not flag email. This is normally reserved for testing purposes and is not recommended for your email servers.
Your SPF record should look something like this:
v=spf1 ip4:10.0.0.1 a include:thirdparty.com ~all
If you are using any of the following mail service providers, you must add the following SPF record:
| Provider | SPF record |
|---|---|
| Gmail | v=spf1 include:_spf.google.com ~all |
| Mailgun | v=spf1 include:eu.mailgun.org ~all |
| AOL | v=spf1 ptr:mx.aol.com -all |
| Zoho | v=spf1 mx include:zoho.com -all |
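Before publishing, a record built with the steps above can be checked locally for common mistakes. The following Python lint is an added example, not part of the original tutorial; the function name `lint_spf` and the sample records are constructed for illustration, and the checks follow RFC 7208.

```python
import ipaddress
import re

# Terms that each cost a DNS query; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"all", "ip4", "ip6", "exp"}

def lint_spf(record):
    """Return a list of problems in one SPF TXT value (empty list: none found)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups, all_pos, has_redirect = [], 0, None, False
    for pos, term in enumerate(terms[1:], start=1):
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        value = body[len(name) + 1:]
        if name not in KNOWN_TERMS and "=" not in body:
            problems.append(f"unknown mechanism: {term}")
            continue
        lookups += name in LOOKUP_TERMS
        has_redirect |= name == "redirect"
        if name == "ptr":
            problems.append("ptr is discouraged by RFC 7208; use ip4/ip6/a instead")
        if name in ("ip4", "ip6"):
            try:  # address must parse and match the family named by the tag
                if ipaddress.ip_network(value, strict=False).version != int(name[2]):
                    raise ValueError
            except ValueError:
                problems.append(f"invalid address in {term}")
        if name == "all":
            all_pos = pos if all_pos is None else all_pos
            if qualifier == "+":
                problems.append("+all lets any server send as this domain")
    if all_pos is None and not has_redirect:
        problems.append("no all term: unlisted senders get a neutral result")
    elif all_pos is not None and all_pos != len(terms) - 1:
        problems.append("all is not last; mechanisms after it are never evaluated")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return problems

# Constructed sample records; the first one is the example record from this tutorial.
SAMPLES = ["v=spf1 ip4:10.0.0.1 a include:thirdparty.com ~all",
           "v=spf1 ipv4:10.0.0.1 -all",
           "v=spf1 -all ip4:10.0.0.999"]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", lint_spf(sample) or "OK")
```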
STEP 2: Publish your SPF in DNS
In general, the steps to follow are:
- Go to your domain hosting provider
- Navigate to DNS settings
- Create a new TXT record
- Set the Host field to your domain name
- The TXT value will be your SPF record
- Set the TTL (Time to Live) to Auto
- Click on "Save" or "Add record"
Choose your hosting provider from the list below for more detailed instructions on how to publish your SPF record.
- Cloudflare - https://support.cloudflare.com/hc/en-us/articles/360019093151
- 123.reg - https://www.123-reg.co.uk/support/domains/how-do-i-set-up-a-txt-record-on-my-domain-name/
- GoDaddy - https://www.dmarcanalyzer.com/dmarc/dmarc-record-setup-guides/dmarc-setup-guide-godaddy/
- BlueHost - https://www.dmarcanalyzer.com/dmarc/dmarc-record-setup-guides/bluehost-dmarc-setup-guide/
STEP 3: Test and verify
Changes usually take a while to propagate. We'll run a new scan on your domain overnight to check your SPF record.
Thanks for reading this tutorial.
If you have any questions or comments about this tutorial, please contact us through our chat or email us at contact@cyberguardian.tech