Email Fraud Protection

Protecting Your Brand From Phishing: How to Create your SPF Record

Posted by Dale Langley on

Certainly SPF and DKIM should be your first ports of call when it comes to implementing DMARC and email authentication. You can read what DMARC is and why it's important here.

SPF records are examimed when email receivers check to see if the server that sent the email was authorised to do so by the senders domain. It’s a great way for ISP’s to detect forged email.

As an example, if you receive an email from ‘’ from a server with IP address ‘’, the SPF check asks the ‘’ domain if IP ‘’ should be allowed to send email on it’s behalf.

So how do you get your email authenticated using SPF?

  1. Determine the domains that your email campaigns are sent from
    Here you are only concerned with the domain part of the email address, anything after the @ sign. So, if you use and for your emails, then you need to apply SPF records to
  2. Gather the IP addresses that are used to send the emails
    If you use an Email Service Provider, ask them for your sending IP addresses. If you have an in-house system, speak to your system administrator.

    If you use the same domain for your email campaigns that you do for your commercial email. Make sure you check with your IT department and get the IP addresses used for your commercial email too.

  3. Create your SPF record
    Microsoft have provided a great wizard for generating SPF records. It can be found here: and provides you with a thorough explanation of the terms you’ll need to know.
  4. Publish your SPF to DNS
    In order that receiving servers can check your SPF record it must be publicly visible. This means publishing it to the DNS server for your domain. If you’re using a hosting provider such as 123-reg or GoDaddy then this process is fairly simple, if your DNS records are administered by your ISP or if you’re not sure, then contact your IT department for support.

    You’ll need to copy the SPF record from the wizard and apply it to your DNS as a TXT record.

That’s about it! Your SPF record should now be visible to any organisation you send email to. Don’t forget to check the validity of your record using a tool such as Any problems will also be highlighted if you’re a Return Path customer using Inbox Monitor, you’ll see it listed under in the Problems column next to each campaign:

Up next in our series on protecting your brand from phishing, we'll discuss how to set up DKIM.


About Dale Langley

As a consultant to Return Path’s clients helping them adopt the latest email best practices, Dale's background in mailbox provider system development led to his specialization in mailbox provider start-ups, infrastructure, and subscriber engagement. He can be found regularly presenting seminars, talking about the latest trends in email marketing and de-mystifying the murky world of deliverability. Find him at and @Email_dale on Twitter.

Read more from this author