When you hear the term “Sender Policy Framework” (SPF), it doesn’t sound too sexy or worthwhile for your business to send emails. It doesn’t scream urgency or flaunt tangible benefits for you. I hear you. Typically, emails are just supposed to … uh, work … but for an odd reason, some people can’t seem to receive your messages no matter how hard you try.
In this post, I’ll explain the ins and outs of SPF so you can improve your email deliverability. I’ll try to keep this accessible even for people newer to email marketing. If you have questions, let me know in the comments and I’ll help.
How did we get to this point?
Email, in itself, is not a secure method of communication. Messages can be forged, even with good reason, to recipients. To combat email phishing and other abuses with email, the email industry enacted Sender Policy Framework as a simple and reliable way to authorize which email servers are permitted to send mail on another domain’s behalf.
SPF is an email authentication protocol, or a set of standards and practices, that allows website owners to explicitly permit and reject who can send email on their behalf. For those using another email service to send emails “from” their website, they are strongly urged to adopt SPF to permit it. They can always try to send email no problem, but more and more recipients are known to restrict unauthenticated email. And when someone doesn’t receive your emails, this might be why.
In short, SPF is needed to prevent many forms of spam and phishing. It might still happen, but SPF (along with DKIM) put a massive dent into the forged emails that have been sent.
Why would I want another email server to send email from my website?
The best way to explain this is to think about this common scenario:
- I own the domain acme.com
- I use Gmail for my email.
- I want to send emails from Gmail as [email protected].
To do this, you would need to configure acme.com to allow Gmail to send email on your behalf.
Another scenario, which isn’t too distant from one I just described is this one:
- I own the domain joemanna.com
- I use a marketing service like Infusionsoft to email my customers.
- The From address on those email messages is “[email protected]”
For this scenario, an email marketing service (Infusionsoft) needs permission to send email from your “From” address. It’ll still work, but the recipients on the other end will actually double-check that your email marketing provider is allowed to send mail on behalf of you.
Anytime another email service sends email from your domain, you would want SPF to tell other email servers that everything is all good and safe to accept email from you.
Can you show me what actually happens with and without SPF?
I’ll outline the process that’s going on behind the scenes. In essence, SPF is strictly focused on the questions in yellow.
What are the nuances of SPF?
SPF is all about email authentication, so it’s good to know what could happen once you configured it. If you send email through multiple email services, you need to indicate that. You also should (for testing purposes) use a “soft-fail” indicator (~all) as opposed to a “hard-fail” indicator (-all). This means if you didn’t configure SPF correctly, your messages could still make it to many recipients.
Think about all the different ways you or your company sends email. The riskiest, but easiest way to find out is to implement SPF and wait and see who complains. I don’t recommend this for a full-functioning business, but for your personal site or a small, small business, it’ll be okay. Keep in mind that after implementing SPF, email difficulties may result if you didn’t configure your SPF Record appropriately.
How to setup your SPF Record
SPF Records are managed through the Domain Name Service (DNS) records of your domain. That is, they are important. Before proceeding, you should be at least mildly comfortable editing and updating a few fields in your DNS. If you have a web developer or an IT person in reach, definitely talk to them first because this is a little technical.
- First, generate your SPF record syntax. Use any of these free tools (1, 2, 3, 4). You should have knowledge of the actual domains or IPs that you use to send email. If you send email from Gmail, you will want to use _spf.google.com. For Infusionsoft, use infusionmail.com. If you aren’t sure, check your email service’s documentation for details. As a friendly tip, if you also use mail servers previously configured on your domain, be sure to make sure “mx” is included in the syntax.
- Access your Domain Registrar. Typically, you’re using their DNS records. There might be special cases where you are using another DNS record (e.g., Cloudflare). If so, log into the service that holds your DNS records. For instance, if you bought your domain from GoDaddy, sign into your GoDaddy account. If you’re still not sure, don’t proceed and seek technical guidance from your web hosting company – they will point you in the right direction.
- Find your DNS Records. This varies greatly depending on the registrar. For first-timers, you can search their support documentation for “SPF.” It’s likely that their written tutorials are better than mine, which will show you how to implement SPF. Here are links to popular registrars’ help articles:
- Add a TXT (text) record with the appropriate SPF Record syntax. The wizards linked in Step #1 help you use the proper syntax. Copy and paste the whole line including apostrophes. Save your TXT record.
- If your DNS server supports it, also add an “SPF” record with the same contents as above. Not all offer this capability, but it’s a best practice to use it if your DNS does offer it.
- Verify that your DNS records are properly configured confirming them with MXToolbox or Online Domain Tools. These diagnostic services will output exactly what is listed for your DNS records. It may take a moment for your DNS to be updated, but these tools are designed to grab the latest, fresh records.
- Send a test email to your Gmail account. Within Gmail, view the original message (which includes the full email headers). Do a CTRL + F to find “SPF: pass” in your headers. If you see “SPF: hardfail” or “SPF: softfail,” you will need to diagnose the SPF Record further.
- For further diagnostics on your email authentication, send a blank message to either of these email addresses. It will bounce back details on how other email servers perceive your email. You’re looking for an SPF: Pass. If so, you’re done!
Once you setup SPF the first couple times, it becomes pretty easy. Ask yourself, “What servers are allowed to send email on behalf of this domain?” When you follow that logic and account for all your email services, you’ll be covered. Of course, if you’re not sure, it’s completely fine to ask your email service provider or web developer to confirm if you have SPF configured properly. They will be happy that you’re concerned with your email authentication.
If you create websites for clients, I encourage you to ask them what they use to send email and ask probing questions if they use an email marketing service. Doing this early on will make clients happy so they don’t have diminished email deliverability and saves you from a late-night troubleshooting call.
This post is a part of my 60 days of blogging. Read more about #60DOB.
Photo Credit: Coletivo Mambembe