What are the best practices for SPF records and avoiding CNAMES for email authentication?
Summary
What email marketers say (9 marketer opinions)
Email marketer from Email on Acid recommends using tools to test your SPF records. A good tool is able to help you avoid common mistakes, and shows the parsed SPF, including whether it is valid.
Email marketer from SparkPost warns against common SPF mistakes, such as having multiple SPF records (which invalidates the record) and using the 'ptr' mechanism (which is unreliable). They emphasize the importance of testing your SPF record.
Email marketer from Gmass recommends keeping your SPF records up to date. When using a third party service to send emails, they often change IP addresses. These changes would then need to be reflected in your SPF to ensure that your email gets the best chance of reaching the inbox.
Email marketer from StackOverflow warns against using CNAME records directly in an SPF record. A direct CNAME is invalid. Instead they advise using A or AAAA records to point to the specific IPs of the sending server, which is more secure and straightforward.
Email marketer from Reddit recommends using the 'include:' mechanism for third-party senders but ensuring they are reputable. They suggest regularly auditing these includes to ensure they are still valid and necessary. Also to check the lookups to ensure you are under 10.
Email marketer from EmailGeek Forum mentions that SPF only authenticates the 'MAIL FROM' address (return-path) and doesn't directly protect the 'From:' header, which users see. To fully protect your domain, you need DMARC.
Email marketer from EasyDMARC recommends using subdomains for different email purposes (e.g., marketing vs. transactional) and creating separate SPF records for each subdomain. This allows for more granular control and reduces the risk of one compromised service affecting all email.
Email marketer from Email Geeks says that ESPs telling clients to blindly update their org SPF to include their domain irks them, especially when the domain isn't even used in the return-path, as DNS records then sit with all this bloat that can be problematic now or in the future.
Email marketer from Mailjet recommends limiting the number of 'include' mechanisms in your SPF record to avoid exceeding the DNS lookup limit. They also suggest regularly reviewing and updating your SPF record to reflect changes in your sending infrastructure.
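The checks the marketers above keep returning to (one SPF record per name, no 'ptr', no unknown terms such as a CNAME written into the record, a sane 'all', and a lookup count under 10) can be run statically before a record is published. The linter below is an added example written for this summary; it is not code from any of the quoted sources or from any SPF tool, and the function and constant names are its own. It counts lookups only for the record it is given (includes are not followed), which is enough to catch the common mistakes at authoring time.

```python
"""Static linter for the SPF record(s) published at one DNS name.

Added example, not code from any source quoted on this page. It flags
multiple SPF records, the ptr mechanism, unknown mechanisms (for instance a
'cname:' term), a +all catch-all, malformed ip4/ip6 arguments, terms placed
after 'all', a missing 'all', and records whose own terms already exceed the
10-lookup budget. Includes are not followed here."""
import ipaddress

# Mechanisms that cost a DNS query under RFC 7208 section 4.6.4.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
ALL_MECHANISMS = LOOKUP_MECHANISMS | {"ip4", "ip6", "all"}
MAX_LOOKUPS = 10


def lint_spf(txt_records):
    """Return {"lookups": n, "problems": [...]} for the TXT strings at one name.

    Non-SPF TXT strings (site verification tokens and the like) are ignored."""
    problems = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"lookups": 0, "problems": ["no SPF record published"]}
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records published; receivers return permerror")

    lookups = 0
    seen_all = False
    has_redirect = False
    for term in spf[0].split()[1:]:
        t = term.lower()
        if seen_all:
            problems.append(f"'{term}' after 'all' is never evaluated")
            continue
        if "=" in t:  # modifier: redirect= costs a lookup, exp= does not
            if t.startswith("redirect="):
                lookups += 1
                has_redirect = True
            continue
        qualifier = "+"
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        mech, _, arg = t.partition(":")
        mech = mech.split("/")[0]  # strip a dual-CIDR suffix such as a/24
        if mech not in ALL_MECHANISMS:
            problems.append(f"unknown mechanism '{term}'; not valid in SPF")
            continue
        if mech in LOOKUP_MECHANISMS:
            lookups += 1
        if mech == "ptr":
            problems.append("ptr mechanism is unreliable and should not be used")
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
                if net.version != int(mech[2]):
                    problems.append(f"'{term}' uses the wrong address family")
            except ValueError:
                problems.append(f"'{term}' is not a valid address or CIDR")
        elif mech == "all":
            seen_all = True
            if qualifier == "+":
                problems.append("'+all' authorizes every host; use -all or ~all")
    if not seen_all and not has_redirect:
        problems.append("record has no 'all' term; unmatched senders get neutral")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    return {"lookups": lookups, "problems": problems}


if __name__ == "__main__":
    # Constructed records, not real zone data.
    for name, records in {
        "clean": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
        "ptr": ["v=spf1 ptr -all"],
        "cname": ["v=spf1 cname:mail.example.net -all"],
        "duplicate": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 include:x.example -all"],
    }.items():
        print(name, lint_spf(records))
```

A record that passes this linter can still fail at the receiver once its includes are followed, so the lookup count here is a lower bound; the number that matters is the total over the whole include tree.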
What the experts say (5 expert opinions)
Expert from Email Geeks explains CNAMEs are easy for the provider to manage, meaning they don't have to keep bothering their users to update things if the provider needs to be moving things around.
Expert from Email Geeks started recommending NOT using CNAMEs a few years ago to avoid potential problems and asking for trouble. This situation is worse than anticipated.
Expert from Word to the Wise explains that SPF is critical for email security, but it's often misconfigured. She recommends regular audits of your SPF records and understanding the implications of each included mechanism.
Expert from Spam Resource states that you should use readily available online SPF record validators to check your syntax for errors. Some validators also perform DNS lookups and check the total number of lookups which can help highlight potential problems.
Expert from Email Geeks shares that for dedicated IPs, the secure way is to publish those IPs. For shared IPs, the secure way is to see if you're actually mailing with a dedicated return path domain, and if so you can do a record with the shared IPs.
What the documentation says (5 technical articles)
Documentation from Microsoft Learn shares that SPF records in Office 365 can help prevent spoofing. They note that you should evaluate all your sending sources and include them in your SPF record. They recommend starting with a simple record and testing.
Documentation from DMARC.org describes SPF flattening as a process to consolidate multiple 'include' statements within an SPF record to stay within the DNS lookup limit of 10. It is noted that exceeding this limit can cause SPF checks to fail.
Documentation from Google Workspace Admin Help explains that SPF records are TXT records in your DNS that authorize sending mail servers. The syntax includes version, terms, and qualifiers, such as 'v=spf1', 'ip4:' or 'include:', and '-all' to signify a fail.
Documentation from RFC Editor (RFC 7208) specifies the official syntax and mechanisms for SPF records. It details how SPF works, including the use of 'a', 'mx', 'ip4', 'ip6', 'include', and 'all' mechanisms.
Documentation from Cloudflare explains that DNS lookups exceeding 10 can cause problems with SPF evaluation. Includes count towards this limit and using SPF flattening can help overcome this.
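The DMARC.org and Cloudflare articles above describe two things a practitioner usually wants to see in code: how the 10-lookup limit is counted across the whole include/redirect tree, and what flattening actually produces. The block below is an added example written for this summary, not code from DMARC.org, Cloudflare, Google or the RFC; the zone data in it is constructed and every name in it is made up, and the function names are its own. It resolves against an in-memory table so it runs offline, and it refuses to flatten anything it cannot express safely (a non-pass qualifier on a mechanism inside the tree, a dual-CIDR suffix such as a/24) rather than silently widening the record.

```python
"""Counting SPF DNS lookups across includes and flattening a record.

Added example, not from any source quoted on this page. The zone data below
is constructed for the example; none of the names are real."""
import ipaddress

# Constructed zone data: SPF TXT records plus the A and MX data that the
# 'a' and 'mx' mechanisms need. Every name here is made up.
FAKE_TXT = {
    "example.com": "v=spf1 a mx include:_spf.mailer.example include:_spf.crm.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 include:_net.mailer.example ~all",
    "_net.mailer.example": "v=spf1 ip4:203.0.113.0/25 ip6:2001:db8::/32 -all",
    "_spf.crm.example": "v=spf1 ip4:192.0.2.10 redirect=_spf2.crm.example",
    "_spf2.crm.example": "v=spf1 ip4:192.0.2.20 -all",
}
FAKE_A = {"example.com": ["192.0.2.1"], "mail.example.com": ["192.0.2.2"]}
FAKE_MX = {"example.com": ["mail.example.com"]}
MAX_LOOKUPS = 10


def _parse(term):
    """Split one term into (qualifier, mechanism-or-modifier, argument)."""
    t = term.lower()
    qualifier = "+"
    if t[0] in "+-~?":
        qualifier, t = t[0], t[1:]
    if t.startswith("redirect="):
        return qualifier, "redirect", t.split("=", 1)[1]
    mech, _, arg = t.partition(":")
    return qualifier, mech, arg


def count_lookups(domain, txt=FAKE_TXT, path=()):
    """Count query-costing terms over the whole include/redirect tree (RFC 7208 4.6.4).

    Every include and redirect costs one lookup plus whatever the target costs;
    a, mx, ptr and exists cost one each; ip4, ip6 and all are free."""
    if domain in path:
        raise ValueError(f"include/redirect loop at {domain}")
    record = txt.get(domain)
    if record is None:
        raise ValueError(f"no SPF record at {domain} (permerror)")
    total = 0
    for term in record.split()[1:]:
        _, mech, arg = _parse(term)
        if mech in ("include", "redirect"):
            total += 1 + count_lookups(arg, txt, path + (domain,))
        elif mech.split("/")[0] in ("a", "mx", "ptr", "exists"):
            total += 1
    return total


def flatten(domain, txt=FAKE_TXT, a=FAKE_A, mx=FAKE_MX, path=()):
    """Collect the networks that would yield 'pass', following include and redirect."""
    if domain in path:
        raise ValueError(f"include/redirect loop at {domain}")
    record = txt.get(domain)
    if record is None:
        raise ValueError(f"no SPF record at {domain} (permerror)")
    nets = []
    for term in record.split()[1:]:
        qualifier, mech, arg = _parse(term)
        if mech == "all" or "=" in mech:
            continue  # 'all' and exp= authorize nothing; the caller adds its own all
        if qualifier != "+":
            # A -ip4 or ~include inside the tree has no ip4/ip6-only equivalent.
            raise ValueError(f"cannot flatten non-pass term '{term}' in {domain}")
        if mech in ("include", "redirect"):
            nets += flatten(arg, txt, a, mx, path + (domain,))
        elif mech in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(arg, strict=False))
        elif mech == "a":
            nets += [ipaddress.ip_network(ip) for ip in a.get(arg or domain, [])]
        elif mech == "mx":
            for host in mx.get(arg or domain, []):
                nets += [ipaddress.ip_network(ip) for ip in a.get(host, [])]
        else:  # ptr, exists, dual-CIDR forms such as a/24 are out of scope here
            raise ValueError(f"mechanism '{term}' not supported by this flattener")
    return nets


def _term(net):
    """Render a network as an ip4/ip6 term, dropping /32 and /128 host prefixes."""
    if net.prefixlen == net.max_prefixlen:
        return f"ip{net.version}:{net.network_address}"
    return f"ip{net.version}:{net.with_prefixlen}"


def build_flat_record(domain, all_qualifier="-", **dns):
    """Return a lookup-free record authorizing the same hosts as the include tree."""
    nets = flatten(domain, **dns)
    terms = []
    for version in (4, 6):
        terms += [_term(n) for n in ipaddress.collapse_addresses(
            n for n in nets if n.version == version)]
    return " ".join(["v=spf1", *terms, f"{all_qualifier}all"])


if __name__ == "__main__":
    n = count_lookups("example.com")
    print(f"example.com costs {n} lookups (limit {MAX_LOOKUPS})")
    print(build_flat_record("example.com"))
```

Flattening removes the lookups but also freezes the addresses: the moment a provider moves IPs, the flattened record is stale, which is the maintenance burden the Gmass opinion above refers to. Anything that flattens in production needs to re-resolve on a schedule and alert when the output changes.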