Email Security Blog

A few steps to take before creating your SPF record

Danielle Tristao September 18, 2014 How Email Works

Before the excitement that is creating a new SPF record, there are a few steps you should take in order to organize the information you will need to be successful.

Here is your “grocery” list of information you should know about the sources of your outgoing mail traffic:

  • web server
  • in-office mail server (e.g., Microsoft Exchange)
  • your ISP’s mail server
  • mail server of your end users’ home ISP
  • any other mail server

Remember, only the final mail server matters. You do not need to include previous hops in the SPF record. However, you may want to consider whether your inbound mail gateways (MXs) will ever generate bounce messages, system reports, alerts, or other administrative messages.

Ok, so I have my information and I’m ready to start configuring an SPF record. What else should I know?

SPF limits you to only 10 mechanisms that require a DNS lookup. Anything over 10 will result in an error at the receiver. To limit your lookups, consider listing ip4 or ip6 notations so the receiver can avoid DNS lookups entirely.
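To see how quickly nested includes use up that budget, the following Python example (added here, not part of the original post or any Agari tool) counts the DNS-querying terms in a record and in every record it includes. The domain names and TXT records in `SAMPLE_TXT` are constructed, the helper names are hypothetical, and the list of terms that cost a lookup follows RFC 7208, section 4.6.4; records are assumed not to use macros.

```python
import re

LOOKUP_LIMIT = 10  # maximum DNS-querying terms per SPF check (RFC 7208, section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # ip4, ip6, all cost nothing

# Constructed sample TXT data standing in for DNS; every name here is hypothetical.
SAMPLE_TXT = {
    "example.com": "v=spf1 mx a include:_spf.vendor-a.example "
                   "include:_spf.vendor-b.example include:_spf.vendor-c.example -all",
    "_spf.vendor-a.example": "v=spf1 include:_nb1.vendor-a.example include:_nb2.vendor-a.example ~all",
    "_nb1.vendor-a.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.vendor-a.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_spf.vendor-b.example": "v=spf1 a mx include:_spf.relay.example ~all",
    "_spf.relay.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.vendor-c.example": "v=spf1 a:out.vendor-c.example mx ~all",
    # Variant that lists vendors A and C as address ranges instead of includes.
    "flat.example.com": "v=spf1 mx ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                        "include:_spf.vendor-b.example -all",
}

def parse_terms(record):
    """Return (name, target) pairs for each term after the v=spf1 tag."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for raw in parts[1:]:
        m = re.match(r"([A-Za-z0-9]+)(?:[:=]([^/\s]+))?", raw.lstrip("+-~?"))
        if m:
            terms.append((m.group(1).lower(), m.group(2)))
    return terms

def count_lookups(domain, txt, path=()):
    """Count DNS-querying terms for domain, following include and redirect."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    total = 0
    for name, target in parse_terms(txt.get(domain, "")):  # missing record raises
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(target, txt, path + (domain,))
    return total

def within_limit(domain, txt=SAMPLE_TXT):
    n = count_lookups(domain, txt)
    return n, n <= LOOKUP_LIMIT

print({d: within_limit(d) for d in ("example.com", "flat.example.com")})
```

The top-level record for `example.com` contains only five lookup terms itself; the rest come from the vendors' own records, which is why the count has to follow includes.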

Publish SPF records for HELO names used by your mail server.

Example:

    IN  TXT  "v=spf1 mx -all"
    IN  TXT  "v=spf1 a -all"

Publishing a HELO rule involves creating an SPF record linked to the HELO Fully Qualified Domain Name (FQDN for short) used by your mail server.

It is best practice to configure a null SPF record for domains that do not send email. The reason is that people who spoof other domains want to use a domain they believe is not used often and therefore most likely hasn’t been configured as strictly as domains that are in use more often.

Before you put your SPF records in play, you should use an SPF testing tool to ensure they are valid. An example of a popular tool would be SPF Tools. You can test and resolve any configuration issues before implementing your records live.


I have my SPF configured and I’m ready to go!

Did you tell your senders that you have implemented SPF? It really is a good idea to keep your users in “the know”. Some mail clients may need to have SMTP authentication configured. Check your email clients’ documentation for their own SPF configuration.

SPF is an important part of email authentication. SPF allows you to make the rules as to who can send on your domain’s behalf. As if that wasn’t a good enough reason, it is also one of the authentication methods used with DMARC.

For further information on SPF, please visit:
