Email Deliverability: SPF Records – Part 3

SPF Records – Part 3 – Setting Up Your SPF Record

The final post on SPF records will cover creating a record for your domain. In previous posts I had mentioned that the SPF record for was the following:

v=spf1 a mx -all

Well, one problem with that: it’s wrong. Let’s look at some email header snippets to see what happens when I send an email to my Gmail and Yahoo accounts (email addresses modified to protect the innocent):

Received-SPF: fail ( domain of does not designate as permitted sender) client-ip=;
Authentication-Results:; spf=hardfail ( domain of does not designate as permitted sender)
Received-SPF: fail (domain of does not designate as permitted sender)

So what happened? In the SPF record, the address (A) DNS record and the mail (MX) record are specified for approval, but all other hosts should fail (-all). But the A and MX records don’t match the IP address that the email is actually being sent from.

  • Address (A) Record:
  • Mail (MX) Record:
  • Email was sent from:
  • On a later test, email was sent from:

The issue I’m seeing here is what happens when you have a shared hosting solution. My domain name is hosted on a server cluster that also hosts a bunch of other sites. It will use a number of different outgoing email servers which all have different IP addresses. To accommodate this we can use an IP address range. It can be written in one of two ways:

v=spf1 a/20 mx -all
v=spf1 ip: a mx -all

Both of those accomplish the same thing, they approve all host IP addresses from to, and they’re both a little too verbose. Remember, the records are read from left to right, and each check requires an additional DNS lookup to your DNS servers. It’s best to make them as concise as possible. Thus, the new SPF record is:

v=spf1 a/20 -all

Now, that probably brings up a bunch of questions. First and foremost, how did I find that IP address range? Unfortunately, I had to ask my host for it. This isn’t typically a big issue for those using a dedicated server, or a more advanced virtual server solution. In most of those cases, your host will have a single dedicated IP address and the original SPF record would work perfectly. In cases where you have a number of IP addresses, and the basic SPF record isn’t working, it’s simple enough to see which IP address is actually the one that the emails are being sent from: send yourself an email and look at the email header. In Outlook you do this by opening the email and then selecting View->Options.

With the new SPF record in place, Gmail and Yahoo are now happy with email coming from

Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
Authentication-Results:; spf=pass ( domain of designates as permitted sender)
Received-SPF: pass (domain of designates as permitted sender)

And all is right with the world. In the final entry on SPF Records, I cover some online tools you can utilize to test your SPF records.

This entry was posted in Email Deliverability, SPF Records and tagged , . Bookmark the permalink.

2 Responses to Email Deliverability: SPF Records – Part 3

  1. Jay Wadley says:

    Very clear, thank you. Whether on a shared host or not, getting SPF records set up properly is the very first thing we ask clients to check. It’s often overlooked and is a lot easier to set up than DKIM, which is usually the next step.

  2. Paul says:

    Nicely written article Eric – I’ve been looking through hundreds of articles and your is exactly what I was looking for. Thanks

Leave a Reply to Paul Cancel reply

Your email address will not be published. Required fields are marked *