×

[Archived] - Marketing: SPF Records

Modified on Thu, 23 May at 11:11 AM

In this article, we will discuss SPF records. An SPF record helps prevent spam and spoofing and improves email deliverability. ClickFunnels provides an SPF record that you can use to authorize emails from your ClickFunnels account.

Table of Contents


Requirements

  • A custom domain with access to the DNS settings.

What is SPF?

SPF (Sender Policy Framework) is used to detect forged sender addresses during the delivery of an email. SPF alone is limited to detecting a forged sender in the envelope (Return-Path header) of the email. With SPF setup properly, an email server cannot use your domain in the envelope (Return-Path header) unless you have authorized it.

Back to Top


What is an SPF record?

An SPF record is a TXT-type DNS record on a domain that dictates which email servers (IP addresses) are authorized to send an email using the domain name in the envelope (Return-Path header) of an email. SPF records consist of tags with values and individual servers. The record always begins with the v tag and ends with the all tag. Servers are listed between them using various tags and are separated by spaces. Here are the available tags:

  • v: (Required) The SPF version being used. This must be the first tag in the SPF record.
  • ip4: An IPv4 address (1.2.3.4) or range (1.2.3.4/24) you wish to authorize.
  • ip6: An IPv6 address (2001:0db8:0123:4567:89ab:cdef:1234:5678) or range (2001:0db8:0123::/36) you wish to authorize.
  • a: Authorizes an A record’s IP address.
  • mx: Authorizes the IP addresses of the A records that an mx record is pointing to.
  • include: An entire SPF record is copied from another domain/server.
  • all: (Required) This must be the lasttag in the SPF record. It dictates how email servers should handle SPF failures. There are three options:
    • -all: Instruct the server to reject the emails.
    • ~all: Instruct the server to treat the mail as suspicious, usually sending them to the spam folder.
    • ?all: Don’t provide any instructions. Let the recipient decide.

A domain can only have one SPF record, but an SPF record can authorize multiple email servers.

SPF records are limited to 10 DNS lookups, including any additional lookups from the targets of any tags. Every a, mx, and include tag in the chain will count as one lookup.

Example SPF record with only one authorization:

v=spf1 include:mailer.myclickfunnels.com ~all

To authorize additional email servers, simply add any part between the v and all tags that the email service provided to you without duplicating anything that already exists. For example, to add the SPF record v=spf1 include:sendgrid.net ~all provided by another service to the previous SPF record, it would be updated to this:

v=spf1 include:mailer.myclickfunnels.com include:sendgrid.net ~all

Back to Top


Which email headers are checked?

Here are the common names the email header used by SPF is referred to:

  • Return-Path
  • MAIL-FROM
  • Bounce address
  • Envelope from

Back to Top


How does it work?

  1. The receiving server will find the domain used in the Return-Path header and check for an existing SPF record on that domain.
  2. It compares the sending email server’s IP address with those contained in the SPFrecord.
    • If the IP address is in the SPF record, the email server that sent the email is authorized to use that domain (in the Return-Path header). This means that SPF PASSED.
    • If the IP address of the sending email server is not in the SPF record (of the domain in the Return-Path header), then SPF FAILS.

Back to Top


Troubleshooting

  • A domain registrar or DNS provider does not support TXT records longer than 255 characters.
    • In this case, please use a different DNS provider, such as Cloudflare, to manage your domain’s DNS records. Please see Cloudflare’s documentation for more details.

Back to Top


More Information

It is important to note that most email clients will, by default, not display the Return-Path header to the recipient. Also, be aware that the SPF check can PASS even if the “From Address” displayed in the recipient’s email client is not the same domain as the one in the Return-Path header and SPF record. In other words, on its own, SPF does not check the “From” header or prevent the “From Address” from being spoofed.

To effectively prevent spam and spoof emails from your domain, you must include a DMARC record. Please see our documentation on DMARC records for more information.

Back to Top

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article