Build and Propose a New SPF Record

The process for proposing a new SPF record should be the same for all domains that you plan to protect. At a high level, the process is as follows:

1. Use the Senders page in DMARC Protection to identify senders for a given domain.
   
2. Find SPF instructions for that sender and publish an SPF record:
   
   • View the sender profiles for well-known senders in DMARC Protection to learn if the vendor supports SPF.
   • Use the data for custom senders to enumerate IP Addresses which you control.
3. Work with the senders (well-known or custom) to ensure that SPF alignment is achieved.
   
   • Monitor progress via the Senders page and the Analyze > Email Traffic pages.
     
4. Update/modify your SPF record for the domain to account for all potential senders.
   
   • You can also use the Using the EasySPF™ Analyzer for an SPF Record.
5. When you are confident that you have accounted for all senders for a domain in its SPF record, update the SPF record to use a “-all” policy.

You will repeat each of the above steps for each domain you plan to protect.

Some examples to illustrate the process:

• SPF for a Well-Known Sender Examples
• SPF for a Custom Sender Example

References

Here are a few additional references that can help you understand the process of enabling SPF authentication for your domains.

Google G Suite Administrator Help, “Authorize Senders with SPF:”

https://support.google.com/a/answer/33786

Microsoft Office 365 Help, “Set up SPF in Office 365 to help prevent spoofing:”

https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx

Wikipedia entry for SPF:

https://en.wikipedia.org/wiki/Sender_Policy_Framework

RFC 7208, “Sender Policy Framework A DNS-based technology that allows a domain owner to specify a limited set of IP addresses that email for that domain may be sent from. The domain authenticated by SPF is not the “header From” domain visible in most email clients. SPF authenticates the envelope domain, also called the MailFrom domain, described in RFC 5321. This domain typically appears in the “Return-Path:” message header. Sender Policy Framework (SPF) is specified in RFC-7208 (https://tools.ietf.org/html/rfc7208). See also: http://www.openspf.org/:”

https://tools.ietf.org/html/rfc7208

Word to the Wise blog, “Authenticating with SPF: -all or ~all”

https://wordtothewise.com/2014/06/authenticating-spf/

Global Cyber Alliance, “Introduction to the Sender Policy Framework (SPF): A Closer Look”

https://www.youtube.com/watch?v=oEpU-iqBerI