Protecting Your Brand From Phishing: How to create your SPF record

Certainly SPF and DKIM should be your first ports of call when it comes to implementing DMARC and email authentication. You can read what DMARC is and why it's important here.

SPF records are examined when email receivers check whether the server that sent an email was authorised to do so by the sender’s domain. It’s a great way for ISPs to detect forged email.

As an example, if you receive an email from ‘support@paypal.com’ from a server with IP address ‘212.123.50.1’, the SPF check asks the ‘paypal.com’ domain if IP ‘212.123.50.1’ should be allowed to send email on its behalf.

So how do you get your email authenticated using SPF?

  1. Determine the domains that your email campaigns are sent from
    Here you are only concerned with the domain part of the email address: anything after the @ sign. So, if you use service@yourdomain.com and receipts@yourdomain.com for your emails, then you need to apply SPF records to yourdomain.com.
     
  2. Gather the IP addresses that are used to send the emails
    If you use an Email Service Provider, ask them for your sending IP addresses. If you have an in-house system, speak to your system administrator.

    If you use the same domain for your email campaigns as you do for your commercial email, make sure you check with your IT department and get the IP addresses used for your commercial email too.
     
  3. Create your SPF record
    Microsoft have provided a great wizard for generating SPF records. It can be found here: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/ and provides you with a thorough explanation of the terms you’ll need to know.
     
  4. Publish your SPF to DNS
    Receiving servers can only check your SPF record if it is publicly visible. This means publishing it to the DNS server for your domain. If you’re using a hosting provider such as 123-reg or GoDaddy, this process is fairly simple. If your DNS records are administered by your ISP, or if you’re not sure, contact your IT department for support.

    You’ll need to copy the SPF record from the wizard and apply it to your DNS as a TXT record.

That’s about it! Your SPF record should now be visible to any organisation you send email to. Don’t forget to check the validity of your record using a tool such as http://www.kitterman.com/spf/validate.html. If you’re a Return Path customer using Inbox Monitor, any problems will also be highlighted there; you’ll see them listed in the Problems column next to each campaign.

Up next in our series on protecting your brand from phishing, we'll discuss how to set up DKIM.