DNS SPF Records

How to use SPF records to increase the likelihood that your e-mails will be received and not go to spam.


Edited: 2020-07-05 10:32

An SPF (Sender Policy Framework) record is a DNS record of type TXT that is used to approve servers (IP addresses and host names) to send e-mail on behalf of a domain. While this will help to prevent some e-mail spoofing, there is no guarantee that a given e-mail server will use the standard; the largest e-mail providers will probably be using it though.

To create an SPF record, we begin with v=spf1; this part indicates the version of the SPF standard. This is then followed by the IPs and/or host names of the server(s) that we want to approve. The -all at the end means that e-mail coming from servers other than the ones specifically listed should be rejected—note the minus sign "-".

Note. There is no meaningful difference between -all and ~all; you might see examples online using both "~" and "-".

The first thing you need is the IP address of your SMTP server; including the IP in an SPF record will decrease the likelihood that your messages are rejected as spam by Gmail and others. An SPF record tells receiving e-mail servers that a given server (IP address or host name) is authorized to send e-mail on behalf of your domain name:

v=spf1 ip4: -all

Assuming you own, the above is all that is needed to send e-mail from the server, on behalf of; but, if you want to also allow other domain names to send e-mail through your server, you must also modify the DNS records of those other domains. You cannot approve your server for those domains unless you have access to change their DNS records.

The SPF syntax

If you have access to the DNS records of a domain, you can also "import" an SPF record of another domain with this syntax:—just beware that this will cause extra DNS lookups.

If the SMTP server is hosted on the same IP as the main domain, you can also use +a, since this will point at / approve the A record for sending e-mail.

The plus "+" and minus "-" signs indicate whether e-mails coming from a server should be allowed or rejected. These signs should be added in front of the rules. I.e.:

Instead of adding an IP address, you can also add the domain (host) of the e-mail server; this is done by adding an include rule to your SPF record:

v=spf1 ip4:x.x.x.x -all

This example will allow both an IP address and the host to send e-mail on behalf of the domain.

Note. It is recommended to avoid the use of host names (include), and instead use IP addresses, since host names can cause a substantial amount of DNS lookups.

Multiple statements can also be added. For example, if you have more than one IP address that sends e-mail on behalf of your domain, you would list them like this:

v=spf1 ip4: ip4: -all

Of course, those IPs are just examples. You need to add the WAN IP address of the SMTP server.

And likewise, the syntax for multiple domains:

v=spf1 ip4:x.x.x.x -all

It may take a couple of days for DNS changes to take effect and propagate to Google's servers. Even if your DNS record has updated, it might not have propagated to all servers yet; so be very patient when experimenting with DNS records.
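
The syntax rules in this section (v=spf1, ip4, +a, include, the qualifier signs and the closing all term) can be checked offline before a record is published. The following Python is an added example, not code from the original article: it parses a record, evaluates the ip4/ip6 and all terms for a sending IP, and counts the terms that cost the receiver a DNS lookup (RFC 7208 caps these at 10 per check). The sample record, the example.org host and the RFC 5737 documentation addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Terms that make the receiver perform a DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 limit per SPF check; nested includes count too
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT value into (qualifier, name, argument) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("an SPF record must begin with v=spf1")
    terms = []
    for tok in tokens[1:]:
        m = re.fullmatch(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=/](.*))?", tok)
        if not m:
            raise ValueError(f"unparseable term: {tok!r}")
        # A missing qualifier means "+", so "a" and "+a" are the same rule.
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3) or ""))
    return terms

def dns_lookups(record):
    """Count lookup-costing terms in this record (not in records it includes)."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)

def check_ip(record, sender_ip):
    """Evaluate ip4/ip6/all left to right; return (result, unresolved_terms)."""
    ip = ipaddress.ip_address(sender_ip)
    unresolved = []
    for qual, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual], unresolved
        elif name == "all":
            return QUALIFIERS[qual], unresolved
        elif name in LOOKUP_TERMS:
            # Needs DNS to evaluate, so it is skipped offline and reported.
            unresolved.append(name + (":" + arg if arg else ""))
    return "neutral", unresolved  # nothing matched and no "all" term

# Constructed sample record: documentation addresses (RFC 5737) and example.org.
SAMPLE = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 +a include:example.org -all"

if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(addr, check_ip(SAMPLE, addr))
    print("DNS lookups in record:", dns_lookups(SAMPLE), "of", MAX_LOOKUPS)
```

A non-empty list of unresolved terms means the offline result is provisional, because an a or include term listed before the all term could still match once DNS is consulted.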

Problems reaching gmail

Normally I just need to send e-mail from my own domain name, but I recently had to allow another domain to send e-mail using my SMTP server. I thought I had nailed those SPF records, but apparently I had not, and hence my e-mails would get returned when I tried sending e-mails to gmail accounts.

Gmail would inform me that the IP address had been "rate limited" for low reputation, or simply that my e-mail had been rejected. Since I have not been sending any e-mails for a while, I figured the problem could not be caused by spamming.

Here is an example of one of those messages:

[] said: 550-5.7.26 This message does not have authentication information or fails to 550-5.7.26 pass authentication checks. To best protect our users from spam, the 550-5.7.26 message has been blocked. Please visit 550-5.7.26 for more 550 5.7.26 information...

And another one:

Our system has detected that this message is 421-4.7.0 suspicious due to the very low reputation of the sending IP address. 421-4.7.0 To protect our users from spam, mail sent from your IP address has 421-4.7.0 been temporarily rate limited. Please visit 421 4.7.0 for more information.

Useful resources

These other resources may help you better understand SPF records.

  1. SMTP error reference -
  2. Help prevent email spoofing with SPF records -

