Suped

What are the best practices for SPF records and avoiding CNAMES for email authentication?

Summary

Following best practices for SPF records, and avoiding CNAMEs, is vital for secure and successful email authentication. SPF records, published as TXT records in DNS, authorize the mail servers allowed to send for a domain and so help prevent spoofing. Correct syntax, using terms like 'v=spf1', 'ip4:', and 'include:', is essential for a valid and functional record. All email sources should be carefully assessed for inclusion in the SPF record. There is consensus that CNAMEs should be avoided in favor of A or AAAA records because of their security and management implications. SPF records should be reviewed and updated regularly to account for infrastructure or service changes. Experts recommend SPF flattening and diligent management of 'include' mechanisms to remain within the DNS lookup limit of 10 and avoid evaluation failures. Testing with validation tools that check SPF syntax and DNS lookup counts is also crucial. For comprehensive protection, DMARC should be implemented alongside SPF.

Key findings

  • No CNAMEs: CNAME records should be avoided in SPF configurations.
  • Authorizing Mail Servers: SPF Records are TXT records within DNS that authorize mail servers.
  • Limit Includes: Limit the amount of includes to comply with DNS lookup limits.
  • Record Validation: Testing and validation are essential for checking record syntax and DNS lookups.
  • Implement DMARC: Implement DMARC in conjunction with SPF.
  • Correct Syntax: Correct SPF record syntax, using terms like 'v=spf1', 'ip4:', and 'include:', is crucial for validity and proper functionality.
  • Assess Email Sources: Carefully assess all email sources for inclusion in the SPF record.
  • Updating SPF Records: Regularly review and update SPF records to account for infrastructure or service changes.

Key considerations

  • Complexity: Managing SPF records involves complexities, and careful consideration and ongoing management are crucial to mitigate issues.
  • DNS Lookups: Carefully manage includes and SPF flattening due to DNS lookup constraints.
  • Regular Audits: Ongoing regular audits of SPF Records are crucial.
  • Testing and Validation: Use testing and validation throughout.

What email marketers say

9 marketer opinions

Best practices for SPF records and avoiding CNAMEs revolve around maintaining accurate, validated, and well-structured SPF records to ensure proper email authentication and deliverability. Key aspects include avoiding unnecessary inclusions, keeping records updated, utilizing subdomains effectively, testing records, and understanding the limitations of SPF alone, which often requires DMARC for full protection. Avoiding CNAMEs is the consensus, since using them in an SPF record is generally invalid.

Key opinions

  • Avoid Bloat: Avoid blindly including ESP domains in SPF records if they aren't used in the return-path, as this can lead to unnecessary bloat.
  • Limit Includes: Limit the number of 'include' mechanisms to stay within the DNS lookup limit, since exceeding it can cause SPF checks to fail.
  • No Multiple Records: Do not have multiple SPF records for a domain, as this invalidates the record.
  • Subdomain Segregation: Using subdomains for different email purposes (e.g., marketing vs. transactional) and separate SPF records allows for granular control.
  • Audit Third-Parties: When using the 'include:' mechanism for third-party senders, ensure they are reputable and regularly audit them for validity.
  • CNAMEs are invalid: Avoid using CNAME records directly in an SPF record; instead, use A or AAAA records.
  • SPF Limitations: SPF only authenticates the 'MAIL FROM' address and doesn't protect the 'From:' header; DMARC is needed for full protection.
  • Testing is Important: Always use SPF record validation tools to test the syntax for errors, as well as the DNS lookups.
  • Keep them updated: Keeping your SPF records up to date when using third-party senders will ensure deliverability.

Key considerations

  • DNS Lookup Limit: Be mindful of the DNS lookup limit (typically 10) when configuring SPF records, as exceeding this limit can cause issues.
  • PTR Mechanism: Avoid using the 'ptr' mechanism due to its unreliability.
  • Regular Audits: Regularly review and update SPF records to reflect changes in sending infrastructure and third-party relationships.
  • Tooling: Be sure to use an SPF syntax validator tool to check your syntax for errors, as well as the DNS lookups.
  • DMARC: Consider DMARC to cover the limitations of SPF.

Marketer view

Email marketer from Email on Acid recommends using tools to test your SPF records. A good tool is able to help you avoid common mistakes, and outputs the SPF record, including whether it is valid.

26 May 2024 - Email on Acid

Marketer view

Email marketer from SparkPost warns against common SPF mistakes, such as having multiple SPF records (which invalidates the record) and using the 'ptr' mechanism (which is unreliable). They emphasize the importance of testing your SPF record.

29 Sep 2022 - SparkPost

What the experts say

5 expert opinions

Experts emphasize the importance of carefully managing SPF records for email security and avoiding potential issues. Key practices include avoiding the use of CNAMEs, regularly auditing SPF configurations, and using dedicated IPs for more secure publishing. SPF is critical, but often misconfigured. It's vital to understand the implications of each mechanism included in the record. Readily available online validators should be used to check for syntax errors and DNS lookup issues.

Key opinions

  • Avoid CNAMES: Experts recommend avoiding CNAMEs in SPF records due to potential security and management issues.
  • Secure Publishing: For dedicated IPs, the most secure method is to publish those IPs directly in the SPF record.
  • Regular Audits: Regularly audit SPF records to ensure they are correctly configured and reflect current sending practices.
  • Validator Tooling: Use online SPF validator tools to check syntax and DNS lookup counts to catch problems early.

Key considerations

  • Provider Convenience: While CNAMEs are easier for providers to manage, they may introduce security risks.
  • Shared IPs: For shared IPs, verify the use of a dedicated return path domain before including shared IPs in the SPF record.
  • Mechanism Implications: Carefully consider the security implications of each mechanism included in the SPF record.

Expert view

Expert from Email Geeks explains that CNAMEs are easy for the provider to manage, meaning they don't have to keep bothering their users to update things when the provider needs to move things around.

21 Aug 2021 - Email Geeks

Expert view

Expert from Email Geeks started recommending NOT using CNAMEs a few years ago to avoid potential problems and asking for trouble. This situation is worse than anticipated.

19 Apr 2025 - Email Geeks

What the documentation says

5 technical articles

SPF records, implemented as TXT records in DNS, are critical for authorizing email sending servers and preventing spoofing. Proper syntax (e.g., 'v=spf1', 'ip4:', 'include:', '-all') is essential. You should evaluate all sending sources and include them in the record. It is important to keep your record simple and test it. SPF flattening is a strategy used to consolidate 'include' statements and avoid exceeding the DNS lookup limit of 10, beyond which SPF checks may fail. RFC 7208 defines the official SPF syntax and mechanisms.

Key findings

  • SPF Syntax: SPF records are TXT records with specific syntax and qualifiers.
  • Prevent Spoofing: SPF records help prevent email spoofing.
  • Evaluate Sending Sources: Evaluate and include all sending sources in your SPF record.
  • SPF Flattening: SPF flattening helps consolidate includes to avoid DNS lookup limits.
  • DNS Lookup Limit: Exceeding the DNS lookup limit can cause SPF checks to fail.
  • Testing is important: Always test your SPF record.

Key considerations

  • DNS Lookup Limit: Be aware of the DNS lookup limit of 10 and employ SPF flattening if needed.
  • RFC 7208: Refer to RFC 7208 for official SPF syntax and mechanism specifications.
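The lookup-limit, multiple-record and flattening points made in the marketer and documentation sections above, worked through as an added example; this is not code from the page or from any vendor it cites. It evaluates records against a constructed in-memory zone instead of live DNS, and every name and address in that zone is made up.

```python
# Added example, not from the page or any vendor it cites: parse an SPF record, count its
# DNS-querying terms (RFC 7208 caps them at 10), reject multiple SPF records at one name,
# and flatten include: terms into the ip4/ip6 terms they resolve to. ZONE is a constructed,
# offline stand-in for DNS; every name and address below is made up.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ZONE = {
    "example.com": ["v=spf1 ip4:203.0.113.10 include:_spf.esp.example mx -all"],
    "_spf.esp.example": ["v=spf1 ip4:198.51.100.0/24 include:_net.esp.example ~all"],
    "_net.esp.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "broken.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ptr -all"],  # two records at one name
}

def spf_record(name):
    """Return the one SPF TXT string at name; zero or several is a permanent error."""
    recs = [t for t in ZONE.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) != 1:
        raise ValueError(f"{name}: {len(recs)} SPF records found, exactly one required")
    return recs[0]

def terms(record):
    """Yield (qualifier, mechanism, value, raw_term) for each term after the v=spf1 tag."""
    for term in record.split()[1:]:
        qual, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        mech, _, value = body.partition("=" if "=" in body else ":")  # modifiers use '='
        yield qual, mech.lower(), value, term

def count_lookups(record, path=()):
    """Count DNS lookups the record causes (limit 10), following include: and redirect=."""
    total = 0
    for _, mech, value, _raw in terms(record):
        if mech in LOOKUP_MECHS:
            total += 1
        if mech in ("include", "redirect"):
            if value in path:
                raise ValueError(f"include loop via {value}")
            total += count_lookups(spf_record(value), path + (value,))
    return total

def ip_terms(name):
    """ip4/ip6 terms at name and, recursively, in every record it includes."""
    out = []
    for _, mech, value, raw in terms(spf_record(name)):
        out += ip_terms(value) if mech == "include" else ([raw] if mech in ("ip4", "ip6") else [])
    return out

def flatten(name):
    """Rewrite name's record with each include: replaced by the IP terms it resolves to."""
    parts = [ip_terms(v) if m == "include" else [raw] for _, m, v, raw in terms(spf_record(name))]
    return " ".join(["v=spf1"] + sum(parts, []))
```

Flattening here drops a/mx terms found inside included records; a production tool must resolve those to addresses as well, and must re-run whenever a provider changes its published ranges.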

Technical article

Documentation from Microsoft Learn shares that SPF records in Office 365 can help prevent spoofing. They note that you should evaluate all your sending sources and include them in your SPF record. They recommend starting with a simple record and testing.

7 Apr 2023 - Microsoft Learn

Technical article

Documentation from DMARC.org describes SPF flattening as a process to consolidate multiple 'include' statements within an SPF record to stay within the DNS lookup limit of 10. It is noted that exceeding this limit can cause SPF checks to fail.

16 Apr 2025 - DMARC.org
