As we’ve been working through migrating email delivery from Barracuda ESS to Proofpoint, one of the issues that pops up concerns SPF records. I figured I’d give a quick overview of how SPF records work and why this could be an important issue.

SPF records are TXT records in DNS. They let you publish which mail servers are authorized to send email on your domain’s behalf. The way it works is this:

  1. sends email to
  2. email server looks up MX records for to route the email to the appropriate receiving mail server or spam filter
  3. spam filter accepts the connection and performs an SPF record lookup
    1. The spam filter requests all TXT records for
    2. The spam filter analyzes the response for a TXT record that contains a line similar to “v=spf1 …”
    3. The spam filter checks to see if the email server IP address is listed in the TXT record response.
      1. If Yes, the email is accepted and processed as expected
      2. If No, the email is rejected with an NDR

SPF records are used to help mitigate phishing and spoofed messages. If you receive an email from saying you owe a huge bill (“Click here to log into your account and pay”), an SPF record could help prevent you from receiving that phishing attempt because the actual sender wouldn’t be authorized to send email as

The downside is that this truly depends on the recipient checking SPF records. You as a sender can do absolutely nothing, other than creating the TXT record, to force SPF checking on anyone. But if you have the record available, then you can be better protected. It takes very little time and is a worthwhile thing to set up.

When creating an SPF record, there are many tools online to help you format it properly. The biggest thing is to make sure that the final mail server sending your email is listed in the record.