What is SPF?

SPF stands for Sender Policy Framework.

It tells the world who you trust to send emails on your behalf.

More importantly, it tells the world what to do when someone who you don’t trust sends an email that appears to be from you – either to accept it, or to throw it in the trash.

Who Needs SPF?

In short, everyone! You can’t do any harm by having an SPF record that’s correctly set up.

But have an SPF record that’s not set up correctly and you could be seriously reducing the likelihood that your audience will receive your emails!

Infusionsoft Users Take Note!

If you use Infusionsoft, it’s vital you have an SPF record telling the world you trust Infusionsoft to send emails on your behalf.

Anecdotal evidence suggests that as many as 90% of Infusionsoft users either don’t know what an SPF record is, don’t have one, or don’t have it set up correctly!

This really frustrates me, because it’s one of the simplest ways you can improve the chances of getting your emails to the inbox.

How Does SPF Work?

There are a few acronyms in here – don’t panic if it sounds complicated, it’s not really, but you might want your web person to look at this if you don’t understand it!

The Domain Name System, known as DNS, is a world-wide directory that stores all the information needed to communicate with websites, email servers and much more. Every website and email server in the world has a DNS entry. An SPF record is just a text entry stored in the DNS that has to be created in a very specific format.

Let’s suppose that I send an email from adrian@adriansavage.co.uk – my recipient’s email server will look in the DNS to see if there’s a text record linked to adriansavage.co.uk

What Does An SPF Record Look Like?

Here’s what my SPF record looks like (it’s probably broken across two lines on your screen):

adriansavage.co.uk.    TXT    "v=spf1 mx include:_spf.google.com include:infusionmail.com include:spf.mandrillapp.com ~all"

Let’s break this down into chunks:

adriansavage.co.uk. That’s the domain we’re sending the emails from. It should normally end with a period (.). In some cases, your Internet hosting might replace your domain name with an @ sign.
TXT This tells the DNS that it’s a text record.

Everything in quotes is the content of the text record and I’ll break that down next:

v=spf1 This just tells us that this SPF record is being written to follow Version 1 of the SPF standard. Right now, that’s the only version.
mx This tells us that we should trust any emails that come from the mail server (MX means “mail exchanger” for the domain in question).
include:_spf.google.com This tells us to include Google’s SPF records and trust Google’s mail servers. This is because I use Google Apps for Work for my emails.
include:infusionmail.com This tells us to include Infusionsoft’s SPF records and trust their mail servers.
include:spf.mandrillapp.com This tells us to include Mandrill’s SPF records and trust their mail servers.
~all This is the most important part – it tells us what to do if an email is received from a mail server that’s not listed in the SPF record.

In this case, we’re saying that it’s a “soft fail”, which means that it should be treated as suspect but not discarded. In most cases, this will mean that emails received from untrusted servers will go into the junk/spam folder.

What Should My SPF Record Look Like?

If you’re just using Infusionsoft, the content of your SPF record should look like this:

"v=spf1 mx include:infusionmail.com ~all"

If you’re using Infusionsoft and also using Google Apps for Work to manage email for your own domain, you should include the Gmail SPF settings as well:

"v=spf1 mx include:infusionmail.com include:_spf.google.com ~all"

If you’re using additional services to send email, they also need to be listed on the same line – check their documentation to be sure that you use the correct wording.

I’d always recommend you use ~all rather than -all at the end of the content of your SPF record.

By specifying ~all, you’re dropping a strong hint that untrusted mail should go into the spam folder. By specifying -all instead, you’re dropping a strong hint that untrusted mail should be deleted completely.

Note that I use the word “hint” advisedly – every mail provider might interpret the SPF instructions slightly differently and if in doubt, you should test.

How Do I Publish My Own SPF Record?

You need to log into your web hosting or domain hosting provider’s control panel and edit your DNS settings there. This isn’t for the faint-hearted, as you can break things in there! So if you’re not sure what you’re doing, ask the person who’s responsible for your website or techy stuff to help out – or ask your hosting provider for help.

What Are The Most Common Mistakes?

Apart from not having an SPF record at all, the most common mistake people make is having two SPF records! This just confuses and breaks everything – don’t do it!

Another mistake people make is listing services in their SPF record that they don’t actually use to send email. And there is a limit to what you can put in an SPF record – not strictly the number of entries, but the number of additional DNS lookups that will be required to interpret the record. So keep it as short as you can!

Also, you might see that your Internet provider allows you to create an SPF record as well as a TXT record. I strongly advise that you stick to a TXT record, as use of the SPF entry is now deprecated – see here for more information.

Where Can I Find Out More?

If you need to learn more about SPF, check out the following resources:

Wikipedia SPF Entry

Infusionsoft SPF Record documentation

Adding DNS records using GoDaddy