What is an SPF Record and Why Do I Need One?

Posted by Jared Wilcox

How We Got Here

Recently we ran into some issues submitting ADF leads from one of our websites to a DealerSocket CRM. Sometime in November, something on their servers changed and an SPF record was required to submit leads. Unfortunately, DealerSocket didn’t inform us or the dealer of this change and it led to a large number of missed leads for the dealer. We have never needed to use an SPF record so we needed to do a little research and some trial-and-error. We thought we would share our experience to help other dealers in need.

What is an SPF record?

SPF stands for Sender Policy Framework. An SPF record tells a mail server that receives an e-mail that the sender is allowed to send e-mails on behalf of the domain name in question. So for example, if you wanted to use mail-sender.com to send an e-mail on behalf of example.com, then the DNS settings for example.com should feature an SPF record stating so. In our case we want to tell the DealerSocket CRM e-mail server that WP Engine (our host server) is allowed to send e-mails on behalf of a dealer website, which we will call HondaDealer.com from here on.

Do I Need an SPF Record?

In most cases you do not need an SPF record. If you were sending ADF notifications to a normal e-mail address (Gmail, Yahoo, Hotmail, etc.) then you would not need an SPF record. The challenge we ran into was when sending ADF notifications from a client website to a DealerSocket CRM to capture leads, the DealerSocket CRM mail server would parse the notification and look for an SPF record in the DNS records for HondaDealer.com to ensure that WPEngine.com was allowed to send e-mails on its behalf. The CRM e-mail server checks for an SPF record for security purposes, and also most likely to combat spam submissions to their e-mail server. NOTE: not all CRMs require an SPF record, and this was actually the first time we encountered this requirement.

The Failure Record From DealerSocket

Event: rejected rejected
User: -remote-
Domain:              
Sender: noreply@hondadealer.com
Sent Time: Dec 20, 2018 7:40:07 AM
Sender Host: mail-183-212.wpengine.com
Sender IP Address: 23.212.183.212
Authentication: unauthorized
Spam Score: 0
Recipient: webleads@hondadealer.dsmessage.com
Delivery User: dsmess5
Delivery Domain: hondadealer.dsmessage.com
Delivered To:    
Router: reject
Transport: **rejected**
Out Time: Dec 20, 2018 7:40:07 AM
ID: 1ga0RC-0003Ex-Pz
Delivery Host: mail-183-212.wpengine.com
Delivery IP Address: 23.212.183.212
Size: 0 bytes
Result: Sender verify failed

The SPF Record

Our SPF record looks like this:

v=spf1 mx a ip4:23.212.182.0/23 a:mail.hondadealermail.com include:wpengine.com ~all

So what does it all mean?

v=spf1

This defines what version of SPF we are using. For now, this should always be v=spf1, as in version equals SPF 1. Currently there is no other version of SPF.

mx a ip4 include

These are mechanisms that define which IP addresses are allowed to send e-mail on behalf of the dealer domain in question. The ‘mx’ and ‘a’ mechanisms tell the receiving server to look up the ‘mx’ and ‘a’ records of the domain used in the from e-mail address of the ADF notification, not those of the sending server.

~all

This is another mechanism that tells the receiving server how to handle mail that doesn’t fit the previous mechanisms. In this case the ‘~’ means soft fail and ‘all’ matches everything else, so all remaining mail gets a soft fail.

ip4:23.212.182.0/23

A Range of IP Addresses

You will likely need to include a range of IP addresses. In the case above, we are telling the receiving server to allow mail from a range of IP addresses from 23.212.182.0 – 23.212.183.255. That covers 512 different IP addresses. To avoid drawing you into a long explanation of how this works and why, I will just refer you to ipaddressguide.com. Experiment by changing the ‘/23’ to ‘/24’ and other values to see how this changes your range. Note that a lower number increases your range. You want to keep your range as tight as possible to make it harder for others to attempt to send notifications to the CRM from their own IP address.

The reason for this is, our host uses various servers to handle sending mail out from our websites. All of these servers fall into the range of IP addresses that we are using.

If your website, or host, uses only one IP address for this, then you can omit the ‘/23’ and just put in the exact IP address.

a:mail.hondadealermail.com

This one is only required in a specific case. In our case, the website domain is HondaDealer.com. However, HondaDealer.com is not actually used for e-mail addresses by the dealer, so there is no ‘mx’ record in the DNS settings for this domain. They use a dealer group domain name for all of their actual e-mail addresses. Since HondaDealer.com isn’t actually set up as a mail server, the DealerSocket CRM flagged that immediately. So, first we had to change the from e-mail address on our leads to use the group domain, which we will call HondaDealerMail.com. So, with the mechanism above, we are telling the receiving server to accept mail from ‘mail.hondadealermail.com’. When the DealerSocket CRM pulls the ‘mx’ record for HondaDealerMail.com it will then get a valid response.

include:wpengine.com

Finally, we need to tell the receiving server at DealerSocket to allow WPEngine.com to send e-mails on behalf of HondaDealerMail.com. This is because our WordPress websites are hosted on WP Engine and all notifications including leads are sent by their servers.

Wrapping It Up

So the whole record states that this is an SPF version 1 record, to use the ‘mx’ (mail) and ‘a’ (domain name) mechanisms, include IP addresses using the IP4 protocol over the range defined above, accept mail from mail.hondadealermail.com, allow wpengine.com to send this mail, and soft fail all other submissions.
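As an added example (not code from the original post), this simplified Python evaluator walks the record above left to right the way a receiving server would, and reports the bounds of the ‘/23’ range. The DNS answers and the wpengine.com policy are constructed placeholders so it runs offline, and `check_spf` and `cidr_bounds` are hypothetical names.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. The addresses are
# documentation-range placeholders, not real records for these names.
FAKE_DNS = {
    "a": {"hondadealermail.com": ["198.51.100.10"],
          "mail.hondadealermail.com": ["198.51.100.25"]},
    "mx": {"hondadealermail.com": ["mail.hondadealermail.com"]},
    "spf": {
        "hondadealermail.com": "v=spf1 mx a ip4:23.212.182.0/23 "
                               "a:mail.hondadealermail.com include:wpengine.com ~all",
        "wpengine.com": "v=spf1 ip4:203.0.113.0/24 -all",  # constructed policy
    },
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def cidr_bounds(cidr):
    """Return (first address, last address, address count) for a CIDR range."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1]), net.num_addresses

def check_spf(sender_ip, domain, depth=0):
    """Return the result of the first matching mechanism (simplified RFC 7208)."""
    record = FAKE_DNS["spf"].get(domain)
    if not record or not record.startswith("v=spf1 "):
        return "none"
    if depth > 10:                      # recursion guard for include loops
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = QUALIFIERS.get(term[0])
        mech = term[1:] if qualifier else term
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":             # a bare address is treated as a /32
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = sender_ip in FAKE_DNS["a"].get(arg or domain, [])
        elif name == "mx":
            hosts = FAKE_DNS["mx"].get(arg or domain, [])
            matched = any(sender_ip in FAKE_DNS["a"].get(h, []) for h in hosts)
        elif name == "include":
            # include matches only when the included policy itself returns pass
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            continue                    # modifiers and other mechanisms skipped
        if matched:
            return qualifier or "pass"  # no qualifier means "+"
    return "neutral"
```

With this data, the sender IP from the failure record (23.212.183.212) matches the ‘ip4’ mechanism and passes, while 23.212.184.1, one address past the end of the range, falls through to ‘~all’ and soft fails.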

A More Simple Example

Let’s say you are sending mail from your dealer domain, which we will call ExampleDealer.com. You only send e-mail from this domain, the server only uses a single IP address (we will say it is 192.168.1.1), and mail is sent directly from this IP address and your domain. Your SPF record would look like this:

v=spf1 mx a ip4:192.168.1.1 a:mail.exampledealer.com ~all

Important Note

This record must be entered into the DNS settings for your domain as a TXT record.

That’s it! I hope that helps and thank you for reading. For more information about SPF records, please refer to DNSimple.com. If you have any questions, please feel free to contact us at 480.360.6000.