At some point if you use email marketing (which is most companies!) you are going to wonder how you can improve your inbox placement and email deliverability. And during that search, you will of course see advice on using technical email deliverability to help you achieve that. But a lot of this advice will be for people with some IT knowledge. Today, we aim to tell you what SPF records are and why you need valid SPF records in plain English!
For large companies you will have a dedicated person (or team) to deal with this, however for smaller enterprises you will often need to find out yourself. And finding out involves a lot of acronyms and confusing technical explanations: SPF, DKIM, DMARC, DNS, SMTP, protocols, mechanisms…
Importance of understanding technical email deliverability
We understand why marketing professionals might want to hide under their desks when they hear these terms! However, we can’t stress how important it is to have an understanding of what these things mean.
There is no point in having a perfectly segmented list & carefully crafted email if you are never going to hit an inbox due to technical difficulties. We plan to cut through the jargon and explain in plain English what these things mean and how you can use them to your advantage, even if you are a complete IT novice. Our last post looked at the relevancy of spam words in the subject line & gave a practical guide on what to avoid.
Today we will explain SPF Records in plain English.
What are SPF records? They are a technique used to prevent email spoofing. So to understand this we first need to know exactly what email spoofing is.
Email spoofing is the creation of emails with a forged sender address. A short example that we can all relate to:
I receive an email from ‘email@example.com’ BUT the email didn’t really come from Barclay’s. Someone forged a genuine sender address to make me believe that Barclaycard sent me an email.
Why do people spoof emails?
The goal of an email spoofing campaign is to get people to open an email and sometimes to click on a link within it, or even to respond to it. But why….?
- To pretend to be someone or a business that the recipient knows/has a relationship with to ask for sensitive information like passwords or bank details. This is known as email phishing.
- To send virus spam which will infect people’s computers.
- Committing identity theft with details gleaned by email spoofing can occasionally result in thieves purchasing goods or taking out credit in your name or accessing your bank account.
- Ruining the reputation of the real sender (albeit a much less common reason).
How can emails be spoofed?
Well, emails are sent by your Mail Transfer Agent (for example Outlook) through SMTP (Simple Mail Transfer Protocol). Don’t be put off by the word ‘protocol’, this is simply a set of rules and guidelines that allow your computer to link up to other networks with the same rules & guidelines (the internet).
Put simply, SMTP moves your email from your email account to the recipient. However, SMTP has no way to authenticate that an email has come from where it is saying it has come from. And so, a number of different protections have been put in place to help authenticate emails, SPF Records being one of them.
SPF will check to see if an IP address is allowed to send emails on your behalf
SPF (Sender Policy Framework) is simply a way to check if a particular IP address is authorised to send emails on your behalf. Let’s explain this in plain English with a story:
Once upon a time Bob sends an email to Emily.
Emily’s server asks Bob’s server ‘What is your SPF?’
Bob’s server replies by sending the SPF record which contains the IP addresses of everyone that can send emails on his behalf.
Emily’s server says ‘Thanks, I can see you are allowed to send emails for Bob, I’ll put this email into her inbox’.
Emily receives the email from Bob in her inbox & is happy.
How to check your domain’s SPF records?
There are many great free tools online – type ‘SPF check’ into Google and you will see lots of companies providing a free version. We like MX Toolbox or DMARC Analyzer. Then you simply type your domain into the box indicated and they will let you know what your SPF record is, and if it is valid.
What does an SPF record look like?
Well, it can look complicated if you’ve never seen one before. They are added as a type of TXT record. A simple one could look like this:
v=spf1 a mx include:_spf.perfora.net include:_spf.kundenserver.de ~all
Breakdown of each part
Let’s take this part by part. The server will read it from left to right, and each part of the code is referred to as a mechanism.
v=spf1: This means that the record is an SPF record
a: This mechanism means all the A records for the domain are tested to see if one matches (A records are ‘Address Records’ and they tell your domain what server to use. They will have the server(s) IP address(es) in them)
mx: This mechanism means all the MX records for the domain are tested to see if there is a match. MX records are the names of the email servers that can receive email. Normally for small businesses the MX records will be provided by your hosting service provider and you would only concern yourself with them if you change hosting provider.
include: This mechanism specifies other domains that are allowed to send emails for you. So, if you use another service like Hubspot, SendInBlue, dotdigital etc to send emails, you can give them permission too.
all: this refers to all other IP addresses, but you have different options to pick from:
-all means a hardfail. If the IP address sending the email has not been found in the other mechanisms the email delivery will fail. This means that the intended recipient will not see it in their email account at all.
~all means a softfail. If the IP address sending the email has not been found in the other mechanisms then the email delivery will end up in the recipient’s spam folder.
Limits of SPF records
- You can add up to 10 mechanisms in your SPF record. Don’t exceed this limit. So “a”, “mx” & “include” all count towards this limit (as do some others such as “ptr”, “exists” & “redirect” mechanisms*).
- Your SPF record can only be a maximum of 255 characters per string. If it is longer you can split it into 2 (or more) strings of 255 characters or less. What does this mean practically? A string is simply a part of the SPF record that starts and ends with quotation marks. So, if you see that your SPF record is longer than this simply choose a point at 255 characters or less to break it using the symbol “. Then create the next string by opening and closing with quotation marks again.
* It is a best practice to avoid using the “ptr” mechanism completely.
“Exists” is rarely used but can be to look at the ‘a’ records for a specified domain.
“Redirect” is used when you have domain X redirecting to domain Y. You will only need to check the SPF of domain Y.
Where do you find your SPF records to add or change them?
You will find the SPF records in the DNS section of your hosting service provider (1&1, Bluehost, GoDaddy etc). Whilst every provider is slightly different, in general you should go to the section where you manage your domain. Then go to DNS. If you don’t have an SPF record you can create it by adding a new TXT record. Remember you are looking for a TXT record that starts with v=spf1
Use an SPF record creator to guide you
If you are stuck, there are many great SPF record creators online which will give you the code to write. We like the simplicity of Mail-Tester which will suggest an SPF record to you if you don’t already have one. Then all you have to do is add this information as a TXT record in your DNS section.
We hope that you have appreciated our guide to SPF records explained in plain English! This is a complex area which we have tried to make a little more accessible for our fellow marketers. If you want to speak to our team about how we can use our expertise to help you please get in touch.