Updated on 2025-08-25 GMT+08:00

How Do I Configure a Valid SPF Record for a Domain to Avoid Email Authentication Failures?

Scenarios

An SPF (Sender Policy Framework) record is a DNS TXT record that follows a specific format. Receiving email systems such as Gmail check the SPF TXT record of the sender's domain. If the SPF record set configured for a domain is incorrect, the following problems may occur:

  • Emails rejected: The receiving email server may reject emails if it detects that the sender's IP address is not in the allowed list during SPF record verification.
  • Emails marked as spam: The emails may be marked as spam by the recipient. This reduces the email credibility and deliverability.
  • Deliverability decreased: Emails cannot be delivered to users' inboxes promptly.
  • Valid emails as spam: Valid emails may be classified as spam by the recipient. This affects user experience.
  • Security risk: Attackers can more easily forge emails. As a result, the risk of phishing emails or malicious email attacks is increased.

This section describes how to configure SPF TXT records to prevent email service exceptions.

SPF Record Set Specifications

When configuring the value of a TXT record, you must strictly comply with the related format specifications.

The SPF record syntax is as follows:

v=spf1 ip4:192.xx.xx.0 ip4:192.xx.xx.1 include:example.com -all

  • v=spf1: identifies the TXT record as an SPF TXT record. Each SPF record must start with it.
  • ip4:192.xx.xx.0 ip4:192.xx.xx.1: identifies the IP addresses of the clients authorized by the SPF TXT record. That means the clients whose IP addresses are 192.xx.xx.0 and 192.xx.xx.1 are authorized for the domain to send emails.
  • include:example.com: identifies the third-party organizations that are authorized to send emails on behalf of the domain. In this syntax, the SPF TXT record of the domain example.com is checked, and the IP addresses contained in the record are considered authorized.

    An SPF TXT record can contain multiple include: domains.

  • -all: indicates that the IP addresses not specified in the SPF TXT record are not authorized to send emails for the domain, so the emails should be rejected.

    ~all: indicates that emails from IP addresses not specified in the SPF TXT record will be accepted but marked as suspicious emails or spam.

    +all: indicates that any server can send emails on behalf of the domain.

Constraints

To configure a valid SPF TXT record, you need to keep the following points in mind:

  • The SPF record must start with v=spf1.
  • Each domain can have only one SPF record.
  • It is recommended that the SPF record end with -all or ~all to specify the exclusion policy.
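
The constraints above can be checked locally before the record set is published. The following is an added example, not part of the original page or of Huawei Cloud DNS: the function name lint_spf and all sample records (documentation-range IP addresses, example.com) are assumptions made for illustration.

```python
# Added example: lint the TXT values published at one name against the
# constraints listed above. All sample records are constructed.
import ipaddress

def lint_spf(txt_values):
    """Return a list of findings for the TXT strings published at one name."""
    # A TXT value is an SPF record only if its first term is exactly v=spf1.
    spf = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no record starts with v=spf1"]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records found; only one is allowed")
    for record in spf:
        terms = record.lower().split()[1:]
        for term in terms:
            body = term.lstrip("+-~?")  # drop the qualifier, keep the mechanism
            if body.startswith("ip4:"):
                try:
                    ipaddress.IPv4Network(body[4:], strict=False)
                except ValueError:
                    findings.append(f"invalid ip4 value: {term}")
            elif body == "include:":
                findings.append("include: without a domain")
        last = terms[-1] if terms else ""
        # A bare "all" has the default "+" qualifier (RFC 7208), same as +all.
        if last in ("+all", "all"):
            findings.append("+all lets any server send for the domain")
        elif last not in ("-all", "~all"):
            findings.append("record does not end with -all or ~all")
    return findings

if __name__ == "__main__":
    samples = {
        "valid": ["v=spf1 ip4:192.0.2.10 include:example.com -all"],
        "two records": ["v=spf1 ip4:192.0.2.10 -all", "v=spf1 include:example.com ~all"],
        "open policy": ["site-verification=constructed", "v=spf1 ip4:192.0.2.300 +all"],
    }
    for name, values in samples.items():
        print(name, "->", lint_spf(values) or "ok")
```

An empty result means the record passes these checks only; it does not replace the online lookup described later on this page.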

How Do I Configure an SPF Record Set?

For details about how to configure an SPF record set for a public zone, see Adding Record Sets for a Public Zone.

Example: Configure an SPF record set for domain hwdnsops.net through Huawei Cloud DNS. The following figure is for reference only.

Checking Whether an SPF TXT Record Is Valid

After adding an SPF TXT record, you can use the MXToolbox tool to check whether it is valid.

The following uses spf.hwdnsops.net as an example:

  1. Use a browser to access MXToolbox.
  2. Enter the name of your SPF TXT record set in the search box.
  3. Open the drop-down list next to the lookup button and select SPF Record Lookup.

  4. Click SPF Record Lookup to view the check result.

    • The first part describes the function after the SPF TXT record is parsed.
    • The second part shows whether the SPF configuration meets specifications.

      If the configuration does not comply with specifications, the check result shown in the following figure is displayed.