What are the best practices for SPF records and avoiding CNAMES for email authentication?

Summary

Establishing best practices for SPF records, while avoiding CNAMEs, is vital for secure and successful email authentication. SPF records, published as TXT records in DNS, authorize the mail servers allowed to send for a domain and so help prevent spoofing. Correct syntax, using terms such as 'v=spf1', 'ip4:' and 'include:', is crucial for a valid, working record. It is recommended to carefully assess all email sources for inclusion in the SPF record. A consensus exists that CNAMEs should be avoided in favor of A or AAAA records, because of their security and management implications. Regularly review and update SPF records to account for infrastructure or service changes. Experts recommend SPF flattening and diligent management of 'include' mechanisms to remain within the DNS lookup limit of 10 and avoid evaluation failures. Testing with validation tools that check SPF syntax and count DNS lookups is also crucial. For comprehensive protection, implement DMARC in conjunction with SPF.

Key findings

  • No CNAMES: CNAME records should be avoided in SPF configurations.
  • Authorizing Mail Servers: SPF records are TXT records within DNS that authorize mail servers.
  • Limit Includes: Limit the amount of includes to comply with DNS lookup limits.
  • Record Validation: Testing and validation are essential for checking record syntax and DNS lookups.
  • Implement DMARC: Implement DMARC in conjunction with SPF.
  • Correct Syntax: Correct SPF record syntax, using terms like 'v=spf1', 'ip4:', and 'include:', is crucial for validity and proper functionality.
  • Assess Email Sources: Carefully assess all email sources for inclusion in the SPF record.
  • Updating SPF Records: Regularly review and update SPF records to account for infrastructure or service changes.

Key considerations

  • Complexity: Managing SPF records involves complexities; careful consideration and ongoing management are crucial to mitigate issues.
  • DNS Lookups: Carefully manage includes and SPF flattening due to DNS lookup constraints.
  • Regular Audits: Regular, ongoing audits of SPF records are crucial.
  • Testing and Validation: Use testing and validation throughout.

What email marketers say
9 Marketer opinions

Best practices for SPF records and avoiding CNAMEs revolve around maintaining accurate, validated, and well-structured SPF records to ensure proper email authentication and deliverability. Key aspects include avoiding unnecessary inclusions, keeping records updated, utilizing subdomains effectively, testing records, and understanding the limitations of SPF alone, which often requires DMARC for full protection. There is a consensus that CNAMEs should be avoided; a CNAME used directly in an SPF record is generally invalid.

Key opinions

  • Avoid Bloat: Avoid blindly including ESP domains in SPF records if they aren't used in the return-path, as this can lead to unnecessary bloat.
  • Limit Includes: Limit the number of 'include' mechanisms to stay within the DNS lookup limit; exceeding it can cause SPF checks to fail.
  • No Multiple Records: Do not have multiple SPF records for a domain, as this invalidates the record.
  • Subdomain Segregation: Using subdomains for different email purposes (e.g., marketing vs. transactional) and separate SPF records allows for granular control.
  • Audit Third-Parties: When using the 'include:' mechanism for third-party senders, ensure they are reputable and regularly audit them for validity.
  • CNAMEs are invalid: Avoid using CNAME records directly in an SPF record; instead, use A or AAAA records.
  • SPF Limitations: SPF only authenticates the 'MAIL FROM' address and doesn't protect the 'From:' header; DMARC is needed for full protection.
  • Testing is Important: Always use SPF record validation tools to test the syntax for errors, as well as the DNS lookups.
  • Keep Them Updated: Keeping your SPF records up to date when using third-party senders helps maintain deliverability.

Key considerations

  • DNS Lookup Limit: Be mindful of the DNS lookup limit (typically 10) when configuring SPF records, as exceeding this limit can cause issues.
  • PTR Mechanism: Avoid using the 'ptr' mechanism due to its unreliability.
  • Regular Audits: Regularly review and update SPF records to reflect changes in sending infrastructure and third-party relationships.
  • Tooling: Be sure to use an SPF syntax validator tool to check your syntax for errors, as well as the DNS lookups.
  • DMARC: Consider DMARC to cover the limitations of SPF.
Marketer view

Email marketer from Email on Acid recommends using tools to test your SPF records. A good tool helps you avoid common mistakes and outputs the SPF record, including whether it is valid.

March 2025 - Email on Acid
Marketer view

Email marketer from SparkPost warns against common SPF mistakes, such as having multiple SPF records (which invalidates the record) and using the 'ptr' mechanism (which is unreliable). They emphasize the importance of testing your SPF record.

October 2022 - SparkPost
Marketer view

Email marketer from Gmass recommends keeping your SPF records up to date. When using a third-party service to send emails, they often change IP addresses. These changes would then need to be reflected in your SPF to ensure that your email gets the best chance of reaching the inbox.

July 2021 - Gmass
Marketer view

Email marketer from StackOverflow warns against using CNAME records directly in an SPF record. A direct CNAME is invalid. Instead they advise using A or AAAA records to point to the specific IPs of the sending server, which is more secure and straightforward.

May 2021 - StackOverflow
Marketer view

Email marketer from Reddit recommends using the 'include:' mechanism for third-party senders but ensuring they are reputable. They suggest regularly auditing these includes to ensure they are still valid and necessary. They also advise checking the lookups to ensure you are under 10.

November 2021 - Reddit
Marketer view

Email marketer from EmailGeek Forum mentions that SPF only authenticates the 'MAIL FROM' address (return-path) and doesn't directly protect the 'From:' header, which users see. To fully protect your domain, you need DMARC.

July 2024 - EmailGeek Forum
Marketer view

Email marketer from EasyDMARC recommends using subdomains for different email purposes (e.g., marketing vs. transactional) and creating separate SPF records for each subdomain. This allows for more granular control and reduces the risk of one compromised service affecting all email.

June 2021 - EasyDMARC
Marketer view

Email marketer from Email Geeks says it irks them when ESPs tell clients to blindly update their org SPF to include the ESP's domain, especially when the domain isn't even used in the return-path, as DNS records then sit with all this bloat that can be problematic now or in the future.

June 2024 - Email Geeks
Marketer view

Email marketer from Mailjet recommends limiting the number of 'include' mechanisms in your SPF record to avoid exceeding the DNS lookup limit. They also suggest regularly reviewing and updating your SPF record to reflect changes in your sending infrastructure.

April 2024 - Mailjet

What the experts say
5 Expert opinions

Experts emphasize the importance of carefully managing SPF records for email security and avoiding potential issues. Key practices include avoiding the use of CNAMEs, regularly auditing SPF configurations, and using dedicated IPs for more secure publishing. SPF is critical, but often misconfigured. It's vital to understand the implications of each mechanism included in the record. Readily available online validators should be used to check for syntax errors and DNS lookup issues.

Key opinions

  • Avoid CNAMES: Experts recommend avoiding CNAMEs in SPF records due to potential security and management issues.
  • Secure Publishing: For dedicated IPs, the most secure method is to publish those IPs directly in the SPF record.
  • Regular Audits: Regularly audit SPF records to ensure they are correctly configured and reflect current sending practices.
  • Validator Tooling: Use online SPF validator tools to check syntax and DNS lookup counts to catch problems early.

Key considerations

  • Provider Convenience: While CNAMEs are easier for providers to manage, they may introduce security risks.
  • Shared IPs: For shared IPs, verify the use of a dedicated return path domain before including shared IPs in the SPF record.
  • Mechanism Implications: Carefully consider the security implications of each mechanism included in the SPF record.
Expert view

Expert from Email Geeks explains that CNAMEs are easy for the provider to manage, meaning they don't have to keep bothering their users to update things if the provider needs to move things around.

April 2024 - Email Geeks
Expert view

Expert from Email Geeks started recommending NOT using CNAMEs a few years ago, to avoid potential problems, since using them is asking for trouble. This situation is worse than anticipated.

May 2023 - Email Geeks
Expert view

Expert from Word to the Wise explains that SPF is critical for email security, but it's often misconfigured. She recommends regular audits of your SPF records and understanding the implications of each included mechanism.

October 2024 - Word to the Wise
Expert view

Expert from Spam Resource states that you should use readily available online SPF record validators to check your syntax for errors. Some validators also perform DNS lookups and check the total number of lookups, which can help highlight potential problems.

September 2023 - Spam Resource
Expert view

Expert from Email Geeks shares that for dedicated IPs, the secure way is to publish those IPs. For shared IPs, the secure way is to see if you're actually mailing with a dedicated return path domain, and if so you can do a record with the shared IPs.

July 2022 - Email Geeks

What the documentation says
5 Technical articles

SPF records, implemented as TXT records in DNS, are critical for authorizing email sending servers and preventing spoofing. Proper syntax (e.g., 'v=spf1', 'ip4:', 'include:', '-all') is essential. You should evaluate all sending sources and include them in the record. It is important to keep your record simple and test it. SPF flattening is a strategy used to consolidate 'include' statements and avoid exceeding the DNS lookup limit of 10, beyond which SPF checks may fail. RFC 7208 defines the official SPF syntax and mechanisms.
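As an added example that is not part of this page or of any source it summarizes, the following Python script applies the points of this section and the page's opening summary offline: it checks that a name publishes exactly one v=spf1 record, flags the 'ptr' mechanism, counts the mechanisms that each cost a DNS lookup (following includes) against the RFC 7208 limit of 10, and flattens includes into a single record. The zone, domain names and IP ranges are constructed for the example, and the flattener assumes each record ends with its 'all' term, as these constructed records do.

```python
import re

LOOKUP_LIMIT = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one DNS query
# Constructed zone standing in for DNS (hypothetical names, documentation IP ranges).
ZONE = {
    "example.com": ["v=spf1 ip4:203.0.113.10 include:_spf.esp-a.example "
                    "include:_spf.esp-b.example -all"],
    "_spf.esp-a.example": ["v=spf1 ip4:198.51.100.0/24 include:_spf2.esp-a.example ~all"],
    "_spf2.esp-a.example": ["v=spf1 ip6:2001:db8:1::/48 -all"],
    "_spf.esp-b.example": ["v=spf1 ip4:192.0.2.0/24 ptr -all"],
    "heavy.example": ["v=spf1 include:example.com "
                      + " ".join(f"a:mta{i}.example" for i in range(7)) + " -all"],
    "broken.example": ["v=spf1 ip4:203.0.113.1 -all", "v=spf1 mx -all"],  # two records
}

def spf_record(name):  # the single v=spf1 TXT string at name, or None when there are 0 or 2+
    recs = [t for t in ZONE.get(name, []) if re.match(r"v=spf1(\s|$)", t, re.I)]
    return recs[0] if len(recs) == 1 else None

def terms(record):  # yield (mechanism, argument, raw token) for every term after v=spf1
    for tok in record.split()[1:]:
        mech, _, arg = tok.lstrip("+-~?").replace("=", ":", 1).partition(":")  # redirect= uses '='
        yield mech.split("/")[0].lower(), arg, tok

def lint(name, seen=None):
    """Return (lookup_count, problems) for name, following include/redirect chains."""
    top, seen = seen is None, set() if seen is None else seen
    rec = spf_record(name)
    if rec is None or name in seen:
        return 0, [f"{name}: needs exactly one v=spf1 record (or include loop)"]
    seen.add(name)
    lookups, problems = 0, []
    for mech, arg, _ in terms(rec):
        lookups += mech in LOOKUP_TERMS
        if mech == "ptr":
            problems.append(f"{name}: 'ptr' is unreliable; replace it")
        if mech in ("include", "redirect"):
            sub, subp = lint(arg, seen)
            lookups, problems = lookups + sub, problems + subp
    if top and lookups > LOOKUP_LIMIT:
        problems.append(f"{name}: {lookups} DNS lookups exceed the limit of {LOOKUP_LIMIT}")
    return lookups, problems

def flatten(name):
    """SPF flattening: inline each include's terms; 'a', 'mx' and 'ptr' still need DNS."""
    out = []
    for mech, arg, tok in terms(spf_record(name)):
        out += flatten(arg).split()[1:-1] if mech == "include" else [tok]  # drop nested v=spf1/all
    return " ".join(["v=spf1"] + out)
```

Flattening example.com brings its lookup count from 4 to 1, but the retained 'ptr' still costs a lookup and is still flagged, which is why the page advises removing it rather than flattening around it.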

Key findings

  • SPF Syntax: SPF records are TXT records with specific syntax and qualifiers.
  • Prevent Spoofing: SPF records help prevent email spoofing.
  • Evaluate Sending Sources: Evaluate and include all sending sources in your SPF record.
  • SPF Flattening: SPF flattening helps consolidate includes to avoid DNS lookup limits.
  • DNS Lookup Limit: Exceeding the DNS lookup limit can cause SPF checks to fail.
  • Testing is Important: Always test your SPF record.

Key considerations

  • DNS Lookup Limit: Be aware of the DNS lookup limit of 10 and employ SPF flattening if needed.
  • RFC 7208: Refer to RFC 7208 for official SPF syntax and mechanism specifications.
Technical article

Documentation from Microsoft Learn shares that SPF records in Office 365 can help prevent spoofing. They note that you should evaluate all your sending sources and include them in your SPF record. They recommend starting with a simple record and testing.

November 2023 - Microsoft Learn
Technical article

Documentation from DMARC.org describes SPF flattening as a process to consolidate multiple 'include' statements within an SPF record to stay within the DNS lookup limit of 10. It is noted that exceeding this limit can cause SPF checks to fail.

June 2022 - DMARC.org
Technical article

Documentation from Google Workspace Admin Help explains that SPF records are TXT records in your DNS that authorize sending mail servers. The syntax includes version, terms, and qualifiers, such as 'v=spf1', 'ip4:' or 'include:', and '-all' to signify a fail.

July 2022 - Google Workspace Admin Help
Technical article

Documentation from RFC Editor (RFC 7208) specifies the official syntax and mechanisms for SPF records. It details how SPF works, including the use of 'a', 'mx', 'ip4', 'ip6', 'include', and 'all' mechanisms.

June 2021 - RFC 7208
Technical article

Documentation from Cloudflare explains that DNS lookups exceeding 10 can cause problems with SPF evaluation. Includes count towards this limit, and using SPF flattening can help overcome this.

January 2022 - Cloudflare