SPF Record Checks: How to Check SPF Records and Why You Should


An SPF record check helps you reduce the risk of spoofing, lost email messages, and reputation problems. Several organizations offer SPF checker tools, and most are free.

SPF (Sender Policy Framework) is a method companies use to publish, in DNS, a list of IP addresses authorized to send email for their domain.

During an SPF test, you will:

  • Look up. Do you have an SPF record associated with your domain?
  • Test. Are there errors that keep email from hitting inboxes?
  • Learn. Are you following best practices regarding record setup and execution?

Most business owners consider SPF record checks vital communication tools. If you talk with customers or prospects via email, you want your notes to hit valid inboxes and not spam filters.

But these tests can reduce crime too. For example, a company in New Hampshire was hit with two spoofing attacks in one year and paid more than $2 million to thieves. Spoofing made that possible. The more you run SPF record checks, the harder you make a criminal's job.

What records can you validate with an SPF check?

Many companies offer free SPF record checks. Each one works differently. Before you choose one, look over what it can do and how it works.

For example, Dmarc Analyzer has an SPF checker tool. It analyzes:

  • SPF record existence. Do you have an SPF record?
  • Multiple SPF records in DNS. Do you have multiple SPF records? That's not allowed.
  • PTR mechanism used. Are you using PTR? That's an old format, and it could keep your email from getting through.
  • Unknown parts found. Does your record contain terms that aren't defined in the SPF specification?
  • All mechanisms used. Are you using the mechanism "all" with a plus-sign qualifier? Anyone could send email on your behalf with this setup.
  • Invalid macro. Are you using macros that aren't valid?
  • Record termination missing. You should always have a fallback position.
  • Multiple fallback scenarios. Do you have too many backup plans?
  • DNS type SPF used. This old format isn't recommended.
  • Uppercase SPF. Are you placing uppercase letters in your SPF record?
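The checks in this list can be approximated offline with a short linter. The following is an added example, not Dmarc Analyzer's code: the function name, finding codes and sample records are hypothetical, and it works on TXT strings you have already retrieved. The "DNS type SPF" check is left out because it needs a live DNS query for the deprecated record type.

```python
import re

# Terms defined by the SPF specification (RFC 7208).
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
TERM = re.compile(r"([+\-~?]?)([a-z][a-z0-9]*)([:/=]?)")
# Valid macros: %{letter...} plus the literal escapes %%, %_ and %-.
VALID_MACRO = re.compile(r"%\{[slodiphcrtv][^}]*\}|%[%_-]")
# Constructed sample records (documentation names and addresses, not real data).
SAMPLES = {
    "clean": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "weak": ["v=spf1 PTR ipv4:192.0.2.1 +all redirect=_spf.example.net"],
}


def lint_spf(txt_records):
    """Return sorted finding codes for one domain's TXT record strings."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no-spf-record"]
    findings = {"multiple-spf-records"} if len(spf) > 1 else set()
    record = spf[0]
    if record != record.lower():
        findings.add("uppercase")
    fallbacks = 0
    for term in record.lower().split()[1:]:
        if "%" in VALID_MACRO.sub("", term):
            findings.add("invalid-macro")
        m = TERM.match(term)
        name, sep = (m.group(2), m.group(3)) if m else ("", "")
        if name not in (MODIFIERS if sep == "=" else MECHANISMS):
            findings.add("unknown-term")
        elif name == "ptr":
            findings.add("ptr-mechanism")
        elif name in ("all", "redirect"):
            fallbacks += 1
            # A bare "all" defaults to the "+" qualifier, so it is flagged too.
            if name == "all" and m.group(1) in ("", "+"):
                findings.add("plus-all")
    if fallbacks == 0:
        findings.add("no-termination")
    elif fallbacks > 1:
        findings.add("multiple-fallbacks")
    return sorted(findings)


if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, lint_spf(records))
```

Only the first SPF record is examined term by term; when `multiple-spf-records` is reported, fix that first and rerun.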

The tool's developers made judgment calls when they built it. You may not agree with all of them. For example, you may believe the PTR mechanism is just fine for your company.

Reports don't change your setup or your code. Use them to help you understand what's happening, and act on the things that make sense to you.

But if you disagree with all of the rulings within the tool, remember that others are available. Choose a different one for your next test.

We mentioned email spoofing in this article. If you're not sure what this hacking method is or how it works, check out our blog post on the topic.

References

SPF Record Checker. Dmarc Analyzer.

$2.3 Million Theft via Email Is an Example of a Problem So Common It Has an Acronym: BEC. (August 2021). Concord Monitor.