Did you know that email phishing has surged by 350% over the last year, with 1 out of 3 companies experiencing email scam incidents? Checking your SPF record matters for two reasons: a record that omits one of your legitimate sending servers makes that server's mail fail SPF, and a record that exceeds the maximum number of DNS lookups fails outright. GoDMARC offers a free SPF record checker tool. Moreover, the GoDMARC Dashboard sends alerts/notifications to customers when SPF lookups exceed the limit or when the SPF record changes.
Each time a mail server receives a message, it looks up the SPF record of the domain the message claims to come from and checks whether the connecting IP address is one that record authorizes. SPF and DKIM are evaluated independently of each other; DMARC then treats the message as authenticated if either SPF or DKIM passes and aligns with the From: domain. If both SPF and DKIM fail, the domain's DMARC policy determines whether the email is delivered, quarantined or rejected. Not having an SPF record for your domain could lead to your emails being marked as spam, potentially impacting the success of your corporate or marketing email efforts.
If the SPF record ends in "-all," it indicates that the domain owner has set a strict policy. The recipient's mail server should reject emails that don't come from an IP address listed in the SPF record. This helps prevent unauthorized emails, like those from spoofed addresses, from being delivered.
Example SPF record with a hard fail:
v=spf1 ip4:192.168.1.1 -all
In the above case, the minus sign (-) before 'all' indicates that mail from any IP address not listed in the SPF record gets a 'Hard Fail' result, i.e., it is unauthorized and the receiving server should reject it. Only mail from the IP address 192.168.1.1 passes the check. (192.168.1.1 is a private address used here as a placeholder; a real record lists the public IP addresses of your outbound mail servers.)
If the SPF record ends in "~all," it shows that the domain owner has a more lenient policy. The recipient's mail server should label emails that don't come from an IP address listed in the SPF record as "possibly" unauthorized but won't outright reject them. This approach is less strict and is chosen when the domain owner isn't ready to enforce a strict rejection policy yet.
Example SPF record with a soft fail:
v=spf1 ip4:192.168.1.1 ~all
In the above case, the tilde sign (~) indicates that mail from any IP address not listed in the SPF record gets a 'SoftFail' result, i.e., it is treated as suspicious and is typically accepted but marked or scored as spam rather than rejected. Only mail from the IP address 192.168.1.1 passes the check; mail from any other source is flagged.
Note: The receiving server is free to handle a Fail or SoftFail result as it sees fit. The record states your policy but does not force the recipient server to enforce it.
In simple terms, a hard fail (-all) policy means that if the SPF check fails, the email should be rejected outright. On the other hand, a soft fail (~all) policy means that the email should be considered potentially suspicious but not automatically rejected.
The maximum limit for DNS lookups in SPF records is 10. This means that when a receiving email server evaluates the SPF record for a sending domain, it will perform at most 10 DNS lookups. The terms that count toward the limit are include, a, mx, ptr and exists, plus the redirect modifier; ip4, ip6 and all cost no lookup. Lookups made by included records count too, so a single include of a large email service provider can consume several of the 10. If the limit is exceeded, the receiving server returns PermError, a permanent error in the SPF record, and under DMARC a PermError counts as an SPF failure, so mail from your own legitimate servers can end up quarantined or rejected. IPs that fail or show PermError are displayed in the DMARC RUA Reports of GoDMARC.
To avoid hitting the SPF lookup limit, it's crucial to keep the total number of lookups in your SPF record, including those made by every included record, at 10 or fewer. You can easily do this by choosing GoDMARC's Dynamic SPF. GoDMARC continuously monitors, updates, and removes IP addresses whenever changes are noticed in the IP pools or SPF records shared by ESPs.
What an SPF record looks like and what the various tags mean
A typical record has the form:
v=spf1 a mx include:_spf.yourdomain.com ip4:192.168.1.1 -all
where the final term may be -all, ~all or +all depending on the policy you want.
v: Defines the SPF record version. It should always be set to "spf1" for SPF version 1. Example: v=spf1
a: Matches if the sender's IP address is one of the A (or AAAA) records of the named domain; with no argument, the current domain is used. Each a term costs one DNS lookup.
Example: a:example.com
mx: Matches if the sender's IP address belongs to one of the domain's MX (mail exchange) servers. Each mx term costs one DNS lookup.
Example: mx
ip4: Specifies an IPv4 address, or a CIDR range of addresses, that is authorized to send email. ip6 works the same way for IPv6. These terms cost no DNS lookup.
Example: ip4:192.168.1.1 or ip4:192.168.1.0/24
include: Pulls in the SPF record of another domain. This is useful for authorizing third-party services that send email on behalf of your domain. An include matches only when the included record returns a pass; its own -all or ~all is not inherited. Each include costs one DNS lookup plus whatever lookups the included record makes.
Example: include:example.com
all: Specifies the default action for emails that do not match any of the preceding mechanisms. It can be set to one of the following:
+all: Pass (accept) all emails, regardless of source. This effectively disables SPF for the domain and should not be used.
-all: Fail (reject) all emails that do not match any other mechanism. This is the most strict setting.
~all: Soft fail. Emails that do not match any other mechanism are marked as suspicious but not rejected. This is less strict than -all.
Example: -all
These are the most common SPF record tags used to define SPF policies.
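To show how the hard-fail and soft-fail policies, the 10-lookup limit and the tags above combine at evaluation time, here is an added example (not GoDMARC's code and not part of the original page): a small offline SPF evaluator that handles ip4, ip6, a, mx, include and all with the four qualifiers, honours the redirect modifier, and returns permerror once the shared lookup budget passes 10. Real DNS is replaced by an in-memory table; every domain name and address in that table is constructed for the example, except the two records copied from the page above. ptr and exists are not modelled and yield permerror.

```python
"""Offline SPF evaluator covering ip4, ip6, a, mx, include and all with the
+ - ~ ? qualifiers, the redirect modifier and the 10-DNS-lookup limit of
RFC 7208. DNS is replaced by an in-memory table (constructed sample data)."""
import ipaddress

MAX_LOOKUPS = 10                                  # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data for the example; the domain names and IPs are made up.
FAKE_DNS = {
    "TXT": {
        "example.com":         "v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailer.example -all",
        "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
        "hard.example":        "v=spf1 ip4:192.168.1.1 -all",      # the page's hard-fail record
        "soft.example":        "v=spf1 ip4:192.168.1.1 ~all",      # the page's soft-fail record
        "loop.example":        "v=spf1 include:loop.example -all",  # broken: includes itself
    },
    "MX": {"example.com": ["mail.example.com"]},
    "A":  {"mail.example.com": ["203.0.113.25"], "example.com": ["203.0.113.2"]},
}


def parse_term(term):
    """Split a term such as '-all', 'include:x' or 'redirect=x' into
    (qualifier, name, argument, is_modifier)."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    if "=" in term:                           # modifiers use '=', mechanisms use ':'
        name, arg = term.split("=", 1)
        return qualifier, name.lower(), arg, True
    name, _, arg = term.partition(":")
    name = name.split("/")[0]                 # drop a dual-CIDR suffix such as a/24 (not applied here)
    return qualifier, name.lower(), arg, False


def check_spf(ip, domain, dns=FAKE_DNS, budget=None):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none'
    or 'permerror') for sender address `ip` claiming `domain`."""
    budget = [0] if budget is None else budget   # lookup counter shared across includes
    record = dns["TXT"].get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    sender = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        qualifier, name, arg, is_modifier = parse_term(term)
        if name in LOOKUP_TERMS:
            budget[0] += 1
            if budget[0] > MAX_LOOKUPS:
                return "permerror"               # more than 10 DNS lookups
        if is_modifier:
            if name == "redirect":
                redirect = arg
            continue                             # unknown modifiers are ignored
        if name in ("ip4", "ip6"):
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(sender) in dns["A"].get(arg or domain, [])
        elif name == "mx":
            mx_hosts = dns["MX"].get(arg or domain, [])
            matched = any(str(sender) in dns["A"].get(h, []) for h in mx_hosts)
        elif name == "include":
            inner = check_spf(ip, arg, dns, budget)
            if inner in ("permerror", "none"):
                return "permerror"               # a missing included record is a permerror
            matched = inner == "pass"            # the included record's own ~all/-all is not inherited
        elif name == "all":
            matched = True
        else:
            return "permerror"                   # ptr/exists not modelled in this example
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                                 # consulted only when nothing above matched
        return check_spf(ip, redirect, dns, budget)
    return "neutral"


def count_lookups(domain, dns=FAKE_DNS, seen=None):
    """Count DNS-lookup terms recursively, i.e. what counts toward the limit of 10."""
    seen = set() if seen is None else seen
    if domain in seen:                           # stop on include loops
        return 0
    seen.add(domain)
    total = 0
    for term in dns["TXT"].get(domain, "").split()[1:]:
        _, name, arg, _ = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, dns, seen)
    return total


if __name__ == "__main__":
    for ip, dom in [("203.0.113.25", "example.com"), ("198.51.100.11", "example.com"),
                    ("2001:db8::1", "example.com"), ("192.168.1.2", "hard.example"),
                    ("192.168.1.2", "soft.example"), ("192.0.2.1", "loop.example")]:
        print(f"{ip:>14} from {dom:<20} -> {check_spf(ip, dom)}")
    print("lookups for example.com:", count_lookups("example.com"))
```

Two points the table of tags alone does not make obvious show up when you run it: a sender that only appears in the soft-fail record pulled in by include:_spf.mailer.example still gets the outer record's hard fail, because an include only ever contributes a pass; and the self-including loop.example record ends in permerror rather than running forever, because every include spends from one lookup budget.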