What is SPF?
SPF stands for Sender Policy Framework and is an email authentication method. It helps the receiving mail server verify whether an email has been sent from an allowed email server or not.
Your SPF policy is set up by publishing it in the form of a TXT record in your DNS. It works as an allow list for your domain: you declare where emails from your domain can originate from. It is worth mentioning that this policy doesn’t prevent spoofed emails from being sent, but it allows receiving email servers to verify whether the email was sent from a legitimate source.
How to configure SPF?
You configure SPF by adding a TXT record to your DNS. Begin your SPF record with the protocol version; version 1 (spf1) is the one currently in use:
Then add the IP addresses or other SPF-records that you want to include. For example:
Add a specific IP address:
Or include another SPF-record, for example the record for Microsoft Exchange Online:
Lastly, add the instruction that tells receiving email servers how to act if the sender address is not included in your SPF-record. The most common way is to set it to “StrictFail”, which means that you instruct the server to reject the email.
So in this case the SPF record would look like this:
Verify your SPF-record
When you have created your SPF-record, it’s a good idea to verify that everything looks good. There are many different ways to inspect your SPF-record: you can either use an online tool like MXToolbox or Dmarcadvisor, or you can check it manually.
Verify with MXToolbox
Open your browser and browse to https://mxtoolbox.com/SuperTool.aspx, enter the domain you want to inspect and then press “SPF Record Lookup”:
Verify with Dmarcadvisor
Open your browser and browse to https://dmarcadvisor.com/spf-check, enter the domain name you want to inspect and then press “Check SPF”:
Verify with PowerShell (Windows)
Resolve-DnsName -Type TXT -Name tzusec.com
Verify using Linux
dig +short tzusec.com txt
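The TXT string returned by either command can also be checked offline. The following Python sketch is an added example, not code from the original post: the function name lint_spf is hypothetical, and the sample record is constructed from the steps above using the documentation address 192.0.2.10, the Exchange Online include spf.protection.outlook.com and the -all (fail) qualifier. It counts only the lookups caused by terms in the record itself; lookups inside included records also count toward the limit.

```python
import ipaddress
import re

# Terms that each cost one DNS lookup; RFC 7208 section 4.6.4 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lint_spf(record):
    """Return (result_of_all, dns_lookups, problems) for one SPF TXT string."""
    terms = record.strip().strip('"').split()  # dig prints the record in quotes
    if not terms or terms[0].lower() != "v=spf1":
        return None, 0, ["record must begin with v=spf1"]
    problems, all_result, lookups, has_redirect = [], None, 0, False
    for pos, raw in enumerate(terms[1:], start=1):
        # A mechanism without an explicit qualifier defaults to "+" (pass).
        qualifier, term = (raw[0], raw[1:]) if raw[0] in QUALIFIERS else ("+", raw)
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        value = term[len(name) + 1:]
        if name in LOOKUP_TERMS:
            lookups += 1
            has_redirect = has_redirect or name == "redirect"
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):
                    problems.append(f"{raw}: address family does not match {name}")
            except ValueError:
                problems.append(f"{raw}: not a valid address or CIDR range")
        elif name == "all":
            all_result = QUALIFIERS[qualifier]
            if qualifier == "+":
                problems.append("+all authorises every server on the internet")
            if pos != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
    if all_result is None and not has_redirect:
        problems.append("no 'all' or redirect: unlisted senders get a neutral result")
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups: receivers stop at 10 and return permerror")
    return all_result, lookups, problems


# Constructed sample: 192.0.2.10 is a documentation address, not a real mail server.
SAMPLE = "v=spf1 ip4:192.0.2.10 include:spf.protection.outlook.com -all"

if __name__ == "__main__":
    print(lint_spf(SAMPLE))
    print(lint_spf("v=spf1 ip4:192.0.2.999 +all include:example.net"))
```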