Email authentication can sound more complex than it is, especially if you are unfamiliar with the terminology. To get the most out of this article, we recommend first checking out: Email Authentication: an introduction and glossary
Okay, all caught up? Great.
Let’s get started: here’s how you can go about authenticating your email domain with SPF.
1. What is SPF? ⚡
When receiving an email, there are four types of response a server can have.
A) “These emails are authentic – let them in!”
This means your SPF records are all up-to-date, and the email arrives, as normal, for customers to enjoy.
B) “I don’t know what to do with these emails – I don’t recognise them. I’m going to keep an eye on them.”
These emails are SPF-neutral. They don’t automatically go to spam, but they’re flagged as untrustworthy.
C) “I don’t trust these emails. I’ll make them wait, and decide what to do later.”
These emails are SPF-softfails. They go to spam, and your customers are likely to miss them.
D) “I don’t like these emails at all. They shall not pass!”
These emails are SPF-hardfails. They bounce, and never arrive at all.
Aim for the first of these scenarios.
The first step to achieving this is verifying all of the email servers that use your domain, so that they are not stopped at the door.
That’s where SPF comes in.
In short, you must provide your Domain Registrar (the place you bought your domain from) with a list of all the servers it can trust. This is a process called ‘Setting up an SPF record’.
2. Setting up an SPF record ⚡
- Log in to your domain registrar’s control panel
If you don’t know your domain registrar, scroll back through your emails and find billing records about registration
- Navigate to your DNS settings page
(DNS = Domain Name System). Although each registrar will have a slightly different layout, you should search for the ‘MX records’. This will provide you with a list of the servers which send emails from your domain, using their MX address
Find these servers’ IP addresses, and make a note of all of them
- Also make a note of third-party and extension apps that you want to authorise
This includes your email delivery host (e.g. Klaviyo, or MailChimp)
- Navigate to the ‘DNS management’ section of the control panel
- Select the option which, on your registrar’s page, represents ‘Create new TXT record’
It might say exactly that, or it might be a variation on the theme
- Set the ‘Host’ field to your domain name
- In the ‘Value’ field, start to type the code
The code is what will give your server the instructions it needs to segment senders into ‘safe’, and ‘unsafe’
First, type, ‘v=spf1’
- Then type in one of the following:
- ‘a’ to authorise any server in the domain’s ‘a’ record to send mail
- ‘mx’ to direct the system to authorise an address using the MX record
- ‘ip4’ to authorise any sender from the included IPv4 address range
- ‘ip6’ as above, but for addresses in the IPv6 range.
- Follow it with the IP addresses you collected earlier.
v=spf1 ip4:34.243.61.237 ip6:2a05:d018:ec00
- Type in a tag for any third-party organisations that send emails on your behalf.
v=spf1 ip4:34.243.61.237 ip6:2a05:d018:ec00 include:thirdpartydomain.com
- Finally, end your code. This is the bit that gives the server its instructions. Type in:
- ‘-all’ : servers that are not listed in the SPF record are hard-failed and will bounce
- ‘~all’ : servers that are not listed will be marked out, but still accepted. They’ll end up in spam
v=spf1 ip4:34.243.61.237 ip6:2a05:d018:ec00 include:thirdpartydomain.com ~all
3. KEY ⚡
- version=spf1
- Category of the following IP addresses
- The IP addresses
- Third parties to verify
- The instruction about what to do with the listed senders
It’s worth knowing this information, so that you can verify any codes you use. However, to get you started, there are many tools on the internet that can generate SPF records for you.
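As an added example (not from the original article or any tool it mentions), the Python code below checks an SPF value term by term, catching the spacing slips that are easy to make when typing the record by hand, and reports which result applies to senders the record does not list. The function names and the sample records, which use documentation-reserved addresses and domains, are assumptions made for illustration.

```python
import ipaddress

# Result a receiver records when the matching term carries each qualifier (RFC 7208).
QUALIFIERS = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}
MECHANISMS = {"all", "a", "mx", "ip4", "ip6", "include", "exists", "ptr"}

def split_term(term):
    """Split one term into (qualifier, mechanism name, value after ':')."""
    qualifier = term[0] if term[0] in QUALIFIERS else "+"
    body = term[1:] if term[0] in QUALIFIERS else term
    name, _, value = body.partition(":")
    return qualifier, name.lower(), value

def lint_spf(record):
    """Return a list of problems in an SPF TXT value; an empty list means none found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems = []
    for i, term in enumerate(terms[1:], start=1):
        _, name, value = split_term(term)
        if "=" in name:                      # modifier (e.g. redirect=), not checked here
            continue
        if name.split("/")[0] not in MECHANISMS:
            problems.append(f"term {i} '{term}': not a known mechanism")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):
                    problems.append(f"term {i} '{term}': address family does not match {name}")
            except ValueError:
                problems.append(f"term {i} '{term}': not a valid {name} address or range")
        elif name == "include" and not value:
            problems.append(f"term {i} '{term}': include needs a domain")
        elif name == "all" and i != len(terms) - 1:
            problems.append(f"term {i} '{term}': terms after 'all' are never evaluated")
    return problems

def result_for_unlisted(record):
    """Result for a sender that matches no listed server (neutral if there is no 'all')."""
    for term in record.split()[1:]:
        qualifier, name, _ = split_term(term)
        if name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"

# Constructed samples (documentation-reserved addresses/domains); helper names are illustrative.
BROKEN = "v=spf1 ip4: 192.0.2.10 ip6:2001:db8::/32include:mail.example.net ~all"
FIXED = "v=spf1 ip4:192.0.2.10 ip6:2001:db8::/32 include:mail.example.net ~all"
```

`lint_spf(BROKEN)` reports three problems: the stray space after `ip4:` produces two, and the missing space before `include:` produces one. `lint_spf(FIXED)` reports none.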
4. What SPF can’t do ⚡
SPF is a great tool for authenticating your email domain. But it cannot:
- Encrypt Messages
- Provide Privacy Enhancements
- Generate Reports
- Verify servers when an email is forwarded - this breaks the SPF because the forwarder is now the sender
- Provide fool-proof protection
SPF alone isn’t enough. It’s a layer of protection, helping your messages to reach the intended recipient. But, if you want your domain to be fully authenticated, you’ll need to consider the other two methods, too.
Luckily for you, we’ve written articles like this one, to help you get started:
Of course, if you want to chat to us about this process, we’re always happy to help. Send us a message today, and let’s collaborate.