As you may have read from a previous knowledge base article, Sender Policy Framework (SPF) is a simple record you can add to your DNS server that specifies what mail servers are allowed to send email for your domain. Enabling SPF is usually a very easy task.

Note: We’ll be updating your DNS records. If you’re unfamiliar with updating DNS, please seek professional guidance or work with your DNS provider (e.g. GoDaddy, CloudFlare).

SPF is defined in a simple TXT record. You’ll want to check with your email provider for the proper settings, as well as every provider that you allow to send email on your behalf. Examples of such providers include your CRM (e.g. Salesforce, Zoho), other bulk mail applications (e.g. Mandril), as well as any specific servers you use for your business (e.g. AWS servers, Exchange server).

With that information in hand, you can simply create a new TXT record and add the allowed servers to the list. There are only a handful of options that make up a proper SPF record. For example, if you only use Microsoft Office 365 for email, your SPF record should look like:

v=spf1 include:spf.protection.outlook.com -all

This line simply states: (1) You are using SPF version 1 (normal); (2) You allow the server ‘spf.protection.outlook.com’ to send email for your domain; and (3) You require this condition to be met every time. (The “-all” specifies a hard-fail condition, requiring full SPF validation)

You can easily extend this to include other services and servers by adding more include statements or ipv4 statements. If you were to also send email from your corporate intranet server, for example, you could specify the public IPv4 address of that server (e.g 1.2.3.4) as follows:

v=spf1 include:spf.protection.outlook.com ipv4:1.2.3.4 -all

SPF is a free and high-value way to help ensure that your email cannot be spoofed. Coalition recommends all insureds implement SPF as part of their email security practices.

Did this answer your question?