What is SPF?
SPF, or Sender Policy Framework, is an authentication protocol designed to validate the “HELO” and “MAIL FROM” fields in an email transmission. It provides a method whereby a domain administrator can explicitly authorize which hosts are allowed to send mail for a domain, which can be verified by the recipient’s mail server. The current SPF standard is published in RFC 7208.
How does SPF work?
SPF is published as a DNS TXT record. The recipient then checks the IP address of the sending mail server against the SPF record for the HELO/MAIL FROM domain to confirm that the IP address is authorized by the SPF record. An example SMTP transaction might look like this:
220 mx.google.com ESMTP c125si9817506pfg.356 - gsmtp EHLO mta-c-24-39.infusionmail.com 250-mx.google.com at your service, [188.8.131.52] 250-SIZE 157286400 250-8BITMIME 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-CHUNKING 250 SMTPUTF8 MAIL FROM: <firstname.lastname@example.org> 250 2.1.0 OK c125si9817506pfg.356 - gsmtp RCPT TO: <email@example.com> 250 2.1.5 OK c125si9817506pfg.356 - gsmtp DATA 354 Go ahead c125si9817506pfg.356 - gsmtp FROM: firstname.lastname@example.org TO: email@example.com Subject: Check out our hot deals this summer! 40% off your next order if you buy today! . 250 2.0.0 OK 1507046193 c125si9817506pfg.356 - gsmtp
The HELO address in this example is
mta-c-24-39.infusionmail.com and the MAIL FROM address in this example is
firstname.lastname@example.org. Therefore, the domain name that will be checked for SPF is
infusionmail.com. The IP address that sent the message is
Upon receiving the message, Google will do a DNS lookup on
infusionmail.com to verify if it has an SPF record published. In this case, it does:
v=spf1 a:infusionsoft.com ip4:184.108.40.206/22 ip4:220.127.116.11 ip4:18.104.22.168/28 ip4:22.214.171.124/29 -all
SPF record syntax is explained in-depth at http://www.openspf.org/SPF_Record_Syntax. Let’s examine what this record means:
This is the version of SPF being used. Currently, only one version of SPF exists - spf1. All SPF records will start with this string.
The IP address published in the DNS A record for
infusionsoft.com is allowed to send mail for
infusionmail.com. Google would do a DNS lookup to resolve this IP address:
;; ANSWER SECTION: infusionsoft.com. 600 IN A 126.96.36.199
Therefore, mail coming from
188.8.131.52 is defined as allowed by this SPF record.
ip4:184.108.40.206/22 ip4:220.127.116.11 ip4:18.104.22.168/28 ip4:22.214.171.124/29
These are IP addresses and IP ranges that are explicitly allowed by the SPF record. The IP ranges are listed in CIDR notation, defined in RFC 4632. The IP address from our example,
126.96.36.199, falls within the range specified by the
ip4:188.8.131.52/22 directive. Therefore, our example email passes SPF validation.
This tells the receiving mail server what to do with mail from
infusionmail.com that does not pass SPF validation. In this case, the SPF record requests that the receiving mail server reject all email from
infusionmail.com that does not pass validation.
We can see by looking at the email headers that SPF validation was successful for our example message:
Received: from mta-c-24-39.infusionmail.com (mta-c-24-39.infusionmail.com. [184.108.40.206]) by mx.google.com with ESMTP id c125si9817506pfg.356.2017.10.03.08.55.42 for <email@example.com>; Tue, 03 Oct 2017 08:56:33 -0700 (PDT) Received-SPF: pass (google.com: domain of firstname.lastname@example.org designates 220.127.116.11 as permitted sender) client-ip=18.104.22.168; Authentication-Results: mx.google.com; spf=pass (google.com: domain of email@example.com designates 22.214.171.124 as permitted sender) firstname.lastname@example.org
Do I need to set up SPF with Infusionsoft?
No. The HELO and MAIL FROM address used by Infusionsoft to deliver emails on your behalf is always
infusionmail.com. We handle the SPF for that domain name, so there is no need for you to set up an SPF record that authorizes our servers.
If I wanted to set up SPF anyway, how would I do so?
If you do not have an SPF record already, then you will need to create one. If you do have an existing SPF record, then you will need to modify it, as the SPF protocol only supports having one record published. This guide walks you through configuring your SPF record: