Sender Policy Framework Records (SPF)

This is technical documentation designed for users familiar and comfortable with making changes to DNS settings.

What Are Sender Policy Framework (SPF) Records

Sender Policy Framework (SPF) records tell email services and applications what domains and IP addresses are allowed to send email on behalf of your website. This limits the ability for spammers to impersonate emails and weighs into whether a message will get flagged as spam or placed in the inbox. If your website is going to send email, no matter where it is hosted, an SPF record is a must.

Managing SPF Records

To add an SPF record, you will need to get your domain’s DNS administrator to add or update a TXT (text string) DNS entry. Many site owners manage their DNS records at the same place that they registered the domain name (website address).

Ease of managing SPF records will vary depending on your DNS provider. Some DNS management tools may have a wizard to help you correctly format your SPF record, but most simply need to have a TXT record created.


MODX Cloud Exclusively Sending Email

While we highly discourage this practice—you should use an ESP to maximize email deliverability—some sites may rely on MODX Cloud for emails during development or for internal utility sites that can be whitelisted for delivery. In this case, here's an example of a TXT DNS record you would create:

v=spf1 a -all

Note that in the example above, if you have other uses for email, like your company’s inbound email, it would not be allowed, per the SPF record. In fact, anything that did not come from the IP address should be rejected. If you wanted to add your inbound email servers, also, and loosen the rules for possible other servers—~all instead of -all—while still discouraging them, you would use the following SPF record:

v=spf1 a mx ~all

Adding MODX Cloud to an existing SPF record

Most domains already have SPF records in place. In this case, you would add MODX Cloud as an allowed sender. Here is an example existing record before MODX Cloud being added:

v=spf1 mx ~all

The above record allows email to be sent from the server(s) specified in its MX records and from Mandrill, a transactional email ESP. You are using an ESP, right?

Here it is with MODX Cloud added:

v=spf1 a mx ~all

Note the addition of a. According to the SPF documentation:

All the A records for domain are tested. If the client IP is found among them, this mechanism matches.

SPF Record Limits

The SPF specification has a limit of 10 DNS lookups per SPF record file. If you create an SPF record that exceeds this limit, it will cause problems for deliverability. From the specification:

SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during a check, a PermError MUST be returned. The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit. The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record has been evaluated.

SPF Wizards and Validation Tools

After configuring an SPF record you should test them to ensure they're trouble-free. In addition, you may wish to use a tool to help configure your SPF record in the first place.

Further Reading

You can learn more about SPF records in all the technical details in the Introduction to SPF article.

Have more questions? Submit a request


Please sign in to leave a comment.