SPF Records – Part 2b – Examples & Use Cases
The first post for Part 2 covered the Mechanisms and Qualifiers that are used to construct an SPF record. If you haven’t read that yet, you may wish to before proceeding. This post will show some examples and explain them in a little bit of detail. One note to remember: these mechanisms are processed from left to right. Each mechanism requires at least a single DNS lookup. It is best to order them from most likely to match to least in order to minimize the overhead.
For reference, here is the original SPF record that is in use by ericbrandel.com. It’s about as simple as it can be:
v=spf1 a mx -all
There are a lot of different things you can do with your domain’s SPF record, but three of the most common are:
- Include a specific IP address
- Include a range of IP addresses
- Include another domain’s SPF record
Include a specific IP address
To include a specific IP address, the IP4 mechanism is utilized. If the IP address to add is 126.96.36.199, the IP4 mechanism would be ip4:126.96.36.199. The completed SPF record would be:
v=spf1 a mx ip4:126.96.36.199 -all
The SPF record will now try to match the IP address of 126.96.36.199 in addition to looking up the address (A) and mail (MX) records.
Include a range of IP addresses
To include a range of IP addresses, the same IP4 mechanism is used, but the formatting is slightly different. A standard IP range is utilized, so to include addresses 192.168.0.1 to 192.168.255.255 the mechanism is ip4:192.168.0.1/16. Adding it to the previous SPF record results in:
v=spf1 a mx ip4:126.96.36.199 ip4:192.168.0.1/16 -all
Include another domain’s SPF record
There are a number of reasons that you would need to include another domain’s SPF record. Web apps, like Microsoft Office 365, various Google apps, and FreshBooks, will sometimes want to send emails using your domain. Outsourced email services like Mailchimp may also do the same. Here are some examples:
- MailChimp: include:servers.mcsv.net
- Microsoft Office 365: include:outlook.com
- Google Apps: include:_spf.google.com
- FreshBooks: include:_spf.freshbooks.com
The underscore (_) in the FreshBooks and Google entries is not a typo. It is a convention utilized to differentiate the entry from a normal DNS entry. Now, if you were to utilize all four of those includes, in addition to the other entries added above, the SPF record would look like this:
v=spf1 a mx ip4:126.96.36.199 ip4:192.168.0.1/16 include:servers.mcsv.net include:_spf.google.com include:outlook.com include:_spf.freshbooks.com -all
It ends up being slightly abnormal, but it does demonstrate the flexibility of the SPF record format.
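The ordering note at the top of this post and the combined record above can both be checked offline. The following is an added example, not code from the original post: it parses a record, counts the terms that RFC 7208 charges against its limit of 10 DNS-querying terms per evaluation (a, mx, include, exists, ptr, redirect), flags repeated includes, and shows how many of those terms are evaluated before an ip4 match. The sample records, the test address and all function names are constructed for illustration.

```python
import ipaddress
import re

# Terms that cost a DNS query when evaluated (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
TERM = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)[:=]?(.*)")

# Constructed sample records, modelled on the records in this post.
SAMPLE = ("v=spf1 a mx ip4:192.168.0.1/16 include:servers.mcsv.net "
          "include:_spf.google.com include:outlook.com include:servers.mcsv.net -all")
REORDERED = "v=spf1 ip4:192.168.0.1/16 a mx -all"

def parse_spf(record):
    """Return the terms in order as (qualifier, name, value) tuples."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        m = TERM.fullmatch(tok)
        if m is None:
            raise ValueError(f"unparseable term: {tok!r}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms

def lookup_count(terms):
    """DNS-querying terms in this record alone; included records add their own."""
    return sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)

def duplicate_includes(terms):
    """Domains that appear in more than one include: term."""
    domains = [value.lower() for _, name, value in terms if name == "include"]
    return sorted({d for d in domains if domains.count(d) > 1})

def lookups_before_ip_match(terms, sender_ip):
    """DNS-querying terms evaluated before an ip4/ip6 term matches (None if none does)."""
    ip, spent = ipaddress.ip_address(sender_ip), 0
    for _, name, value in terms:
        # strict=False accepts host bits, as written in ip4:192.168.0.1/16
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return spent
        if name in LOOKUP_TERMS:  # assumes this earlier term did not match
            spent += 1
    return None

if __name__ == "__main__":
    for rec in (SAMPLE, REORDERED):
        t = parse_spf(rec)
        print(lookup_count(t), duplicate_includes(t), lookups_before_ip_match(t, "192.168.5.20"))
```

The count covers only the terms written in the record itself; each included domain's own record adds its terms to the same budget at evaluation time.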
In the third part of these posts on SPF Records, I will cover how you can determine what your SPF record should be.