SPF Record Syntax

At its simplest, the SPF TXT record contains a version indicator, the allowed IP addresses for the domain, and an authorization type.

For example, in this simple SPF record:

"v=spf1 ip4:198.51.1.137 -all"

v=spf1 is the version indicator,

198.51.1.137 is the allowed sending IP address (an IPv4 address), and

-all is an authorization type that asserts that only the IP address 198.51.1.137 is authorized to send mail for the domain.

Specifying IP Addresses

There are a few ways to define authorized IP addresses within an SPF record.

You can specify a single IPv4 or IPv6 address with the ip4: or ip6: mechanism, such as ip4:191.51.1.137 or ip6:7939:a348:460d:966f:a986:d0ba:1e9a:c67e.

You can specify a range of IP addresses in CIDR format, for example ip4:191.51.1.137/29.

You can specify any IP that is also an A or MX record for the sending domain. For example, “v=spf1 mx -all” authorizes any IP that is also an MX for the sending domain.

Other SPF records can be included using the include: mechanism; for instance, include:_spf.google.com includes Google’s SPF record.

NOTE: Some mechanisms and modifiers cause DNS queries at the time of evaluation, and some do not. The “include”, “a”, “mx”, “ptr”, and “exists” mechanisms and the “redirect” modifier require DNS queries. A single SPF record MUST limit the total number of these lookups to 10 during SPF evaluation, to avoid unreasonable load on the DNS.

Authorization Types

The final term of the SPF record lets you publish different authorization types.

SPF record authorization types

| Statement | Result | Meaning |
|-----------|--------|---------|
| +all | pass | Allow all mail |
| -all | fail | Only allow mail that matches one of the parameters (for example, IPv4, IPv6, MX) in the record |
| ~all | softfail | Allow mail whether or not it matches the parameters in the record |
| ?all | neutral | No policy statement |
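
The syntax, lookup note and authorization types above can be exercised offline with a small parser. This is an added example, not code from the original page: the function names and the "needs-dns" label are made up here, and the second sample record is constructed.

```python
import ipaddress
import re

# Qualifier prefix -> result, matching the authorization table above.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms the NOTE above lists as costing a DNS query during evaluation.
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

def parse_spf(record):
    """Return [(result, name, value)] for each term after v=spf1."""
    tokens = record.strip().strip('"').split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("missing v=spf1 version indicator")
    terms = []
    for tok in tokens[1:]:
        qual = "+"  # a mechanism with no prefix defaults to pass
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        m = re.match(r"([a-z0-9]+)[:=]?(.*)$", tok, re.I)
        if not m:
            raise ValueError(f"malformed term: {tok!r}")
        terms.append((QUALIFIERS[qual], m.group(1).lower(), m.group(2)))
    return terms

def dns_lookup_terms(record):
    """Names of top-level terms that trigger DNS queries. Terms inside
    included or redirected records also count toward the limit of 10."""
    return [name for _, name, _ in parse_spf(record) if name in DNS_TERMS]

def check_ip(record, ip):
    """Evaluate left to right using only ip4/ip6/all; no DNS is performed.
    Returns 'needs-dns' (label made up for this sketch) when a DNS-based
    term is reached before any match."""
    addr = ipaddress.ip_address(ip)
    for result, name, value in parse_spf(record):
        if name in DNS_TERMS:
            return "needs-dns"
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return result
        elif name == "all":
            return result
    return "neutral"  # nothing matched and no "all" term was published

if __name__ == "__main__":
    rec = '"v=spf1 ip4:198.51.1.137 -all"'  # record from the text above
    print(check_ip(rec, "198.51.1.137"), check_ip(rec, "203.0.113.9"))
    wide = "v=spf1 mx include:_spf.google.com ip4:191.51.1.137/29 ~all"  # constructed
    print(dns_lookup_terms(wide), len(dns_lookup_terms(wide)) <= LOOKUP_LIMIT)
```

Running it against a draft record before publishing shows which result an unlisted sender would receive and how much of the 10-lookup budget the top-level terms already use.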

What’s the difference between ~all and -all?

Before the DMARC standard existed, when SPF stood on its own, the softfail (`~`) authorization was made available so that organizations could become comfortable with asserting their outbound IP space in an environment where receivers interpreted and acted on the authorization differently.

In practice with DMARC and DMARC Protection, you can start with a neutral authorization (“?all”) and move rather quickly to a softfail authorization (“~all”) and ultimately to a fail authorization (“-all”) as you monitor data.

You can use the “What are my SPF Problems?” report to continuously monitor data as you modify SPF records for your domains.