What is an SPF record?

Let’s be honest, if you’re here then you probably know what an SPF record is and why it’s important. But it does no harm to have a quick refresher and clear-up a few myths or misunderstandings.

A quick refresher

Whenever you send an email to someone, their email server will lookup your SPF record as one of many ways in which to try and determine whether the email is genuine or whether it’s spam.

If you don’t have an SPF record, if your SPF record is too relaxed, or (even worse) if your SPF record is wrong, then it’s highly possible that your email will be flagged as spam. This is especially the case for marketing emails which tend to “look spammy” to many email servers.

If you use Microsoft Office 365 for email then you probably already have an SPF record that looks something like this:

“v=spf1 include:spf.protection.outlook.com -all”

That’s a quick & easy SPF record and tells any receiving email server that emails sent from your domain name, through Office 365, should be considered valid and genuine.

Now let’s assume you also use MailChimp to send some marketing emails. MailChimp use their own email servers to send your marketing emails of course, so they’ll tell you to to add their SPF record to your SPF record as well. So now your SPF record looks something like this:

“v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all”

And finally let’s assume that your website has an online store from where your customers can purchase your products or services. The online store needs to send order confirmation emails, or password reset emails. And you use AuthSMTP.net to handle that so you’ll need to add AuthSMTP’s SPF record to your own SPF record.

So now your SPF records looks something like this:

“v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:authsmtp.com -all”

The Power of 10

Presumably you’re now starting to see the problem? SPF implementations MUST limit the number of DNS lookups they perform to a maximum of ten. If the number of DNS lookups exceed this count then they MUST return a “PermError”. That PermError will cause your email to be flagged as spam (or, worse, dropped completed).

No problem! In the SPF record above there are only three DNS lookups, right?

Wrong. Each nested DNS lookup is included in the count. spf.protection.outlook.com contains an include statement for spfd.protection.outlook.com. MailChimp’s servers.mcsv.net contains an include statement for spf1.mcsv.net and spf.mandrillapp.com. And AuthSMTP.com contains an include statement for spf-a.authsmtp.com and sfp-b.authsmtp.com.

Standing in the Breach

So all of a sudden you’re up to 8 DNS lookups, very close to the maximum count, beyond which your emails will start to get flagged as spam, or even dropped completely.

Worse still, you have no control over whether MailChimp or AuthSMTP suddenly need to add another DNS record to their SPF lookup. You could very easily breach the ten-limit record without knowing about it.

Hence SPF flattening and proSPF to the rescue! Read on to find out more.