SPF (Sender Policy Framework) allows the owner of a domain to specify which mail servers they use to send mail from

that domain.


An organization sending mail publishes an SPF (TXT) record in the Domain Name System (DNS). The record contains a list of IP addresses that are authorised to send mail on behalf of their domain name.


Receivers of mail verify the SPF record by looking up the “Envelope From” (aka Mail From, Mfrom or return-path) domain name in the DNS. If the IP address sending mail on behalf of this domain is not listed in the SPF record, the message fails SPF authentication.


Configuring an SPF record for you domain is a real good idea and will help the deliverability of your e-mail message.  If there is no an SPF record configured for your domain, then receivers will generally fail safe and accept your email (although that's starting to change). As soon as you provide an SPF record you must include all legitimate mail senders, because otherwise the ones not listed could be treated as possible forgery sources.  


In the following example, Healthy Care Services is has an SPF record in the following format;

v=spf1 include:spf.messaging.microsoft.com -all

In order to authorize EntrustedMail  to deliver messages for healthycareservices.com, the SPF record for healthycareservices.com will need to be modified to include EntrustedMail's SPF record.   


By editing the current SPF record by adding include:spf.entrustedmail.net you are authorizing EntrustedMail to deliver mail for your domain.  The following is what the edited SPF record for healthycareservices.com would like after they authorize  Entrustedmail to deliver mail from their domain.


v=spf1 include:spf.messaging.microsoft.com include:spf.entrustedmail.net -all

A few caveats to avoid;


  • Be sure to place the include statement (include:spf.entrustedmail.net) before the ending operand which is usually -all
  • A valid SPF record can contain 10 or less DNS lookups.  
  • Be sure  that there is no more than one white space between statements in your SPF record.  For instance, if you have two spaces (rather than one) between the include:spf.entrustedmail.net and -all, the SPF record may fail validation.


    If you are unsure of how many lookups your SPF record current includes, Kitterman Technical Services has a great tool for verifying the structure of you SPF record. You can reach this tool by pointing your browser to https://www.kitterman.com/spf/validate.html