Prevent Emails From Being Delivered to Spam With SPF

Combining Google Workspace’s secure-by-design architecture with Gmail’s built-in spam, phishing, and malware protection prevents 99.9% of malicious messages from entering your users’ inboxes.

You might be thinking, “that’s great, but how can I prevent our outgoing emails from going to spam?”

That’s where SPF comes in.

Do you have an SPF record? 🚨

SP-what? 🤔

Sender

Policy

Framework

Without an SPF record, recipient mail servers are unable to authenticate whether your outgoing emails are being sent from an authorized source.

Domains that send email without an SPF record risk poor deliverability, which dramatically increases the chances of their outgoing mail being labeled as spam or potentially malicious, or being rejected outright by recipient mail servers.

Worse, they leave the door wide-open for third parties to spoof (or impersonate) their domain to:

  • Launch phishing attacks 🎣

  • Distribute spam, malware or ransomware ☣️

  • Run social engineering scams against customers or employees 💸

An accurate SPF record helps administrators ensure that recipient mail servers can confirm the authenticity of mail sent from your domain.

In other words: 👏🏼 100% 👏🏼 of companies need an SPF record to help optimize email deliverability, protect their brand and domain reputation. Every Rise Digital Google Workspace client is set up with an SPF from day one ☝🏼

How does SPF help improve email deliverability and security?

SPF specifies the servers (IP addresses) and domains (e.g. google.com) that are authorized to send email on behalf of your organization.

Upon receiving mail from your domain, recipient mail servers will compare the outgoing mail server to the list of authorized servers and domains listed in your domain’s SPF record.

Messages that pass SPF are more likely to be delivered to inboxes.

Messages that fail SPF are more likely to be delivered to spam, labeled as malicious, quarantined, or rejected.

How do I enable SPF?

There are four (4) steps to enabling SPF.

1. Identify authorized mail senders

Identify and build a list of all domains and IP addresses that send mail on behalf of your domain, including all users and services (such as applications, email marketing platforms, websites, on-premises and cloud-based servers, etc.).

2. Define your SPF record

Your SPF record specifies which domains and IP addresses are authorized to send email on behalf of your domain.

Once your SPF record is in place, mail sent by domains and IP addresses not listed in your SPF record will be marked as spam or potentially malicious, and could even be quarantined or rejected.

To avoid potential disruption to mail flow, it’s important to ensure your SPF record includes all authorized domains and IP addresses.

A basic SPF record looks like this:

v=spf1 include:_spf.google.com ~all

… where include:_spf.google.com permits Google Workspace servers to send mail on behalf of your domain, and ~all permits mail sent by non-Google Workspace servers to be delivered, but marked as spam or potentially malicious.

A more advanced SPF record that includes additional domains and IP addresses looks like this:

v=spf1 ip4:192.168.0.0/16 include:_spf.google.com include:sendyourmail.com ~all

… where ip4:192.168.0.0/16 permits servers using a range of IP addresses and include:sendyourmail.com permits a third-party service sendyourmail.com to send mail on behalf of your domain.

Sender Policy Framework (SPF) includes a number of additional mechanisms and qualifiers that you can use to refine your SPF record and tell receiving mail servers how to handle messages sent using your domain.

3. Add your SPF record to your domain registrar’s DNS console

To implement your initial SPF record:

  1. Sign into your domain registrar’s DNS console

  2. Verify that no SPF record already exists (only one SPF record is allowed)

  3. If an existing SPF record exists, edit it. Otherwise, create a new TXT record as follows:

Name: @ (or blank)

Value: v=spf1 include:_spf.google.com ~all (or whatever SPF record you defined in step 2, above)

TTL: Default (or 60 minutes, or 3600 seconds)
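
Before publishing, the record defined in step 2 can be checked offline for the problems steps 3 and 4 warn about. The linter below is an added example, not part of the original article: `lint_spf` and its messages are hypothetical names, and it counts only the top-level DNS-lookup terms (lookups inside included records also count toward the RFC 7208 limit of 10).

```python
import ipaddress

# Terms that cost one DNS lookup each; RFC 7208 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Lint the TXT strings published at one domain name; return findings."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published: receivers return permerror")
    for record in spf:
        lookups, terminated = 0, False
        for term in record.split()[1:]:
            qualifier, body = ("+", term)  # "+" (pass) is the default qualifier
            if term[0] in "+-~?":
                qualifier, body = term[0], term[1:]
            # Mechanisms look like name:arg or name/cidr, modifiers like name=arg.
            name = body.replace("=", ":", 1).partition(":")[0].split("/")[0].lower()
            if name in LOOKUP_TERMS:
                lookups += 1
                terminated = terminated or name == "redirect"
            elif name in ("ip4", "ip6"):
                try:
                    net = ipaddress.ip_network(body.partition(":")[2], strict=False)
                except ValueError:
                    findings.append(f"{term}: not a valid address or range")
                    continue
                if net.is_private:
                    findings.append(f"{term}: non-public range, never seen by outside receivers")
            elif name == "all":
                terminated = True
                if qualifier == "+":
                    findings.append("+all authorizes every server on the internet")
            elif name != "exp":
                findings.append(f"{term}: unknown mechanism")
        if lookups > 10:
            findings.append(f"{lookups} DNS-lookup terms: over the limit of 10 (permerror)")
        if not terminated:
            findings.append("no 'all' or 'redirect': unlisted senders get a neutral result")
    return findings

# The article's advanced record plus an unrelated TXT string (constructed).
print(lint_spf(["site-verification=constructed",
                "v=spf1 ip4:192.168.0.0/16 include:_spf.google.com include:sendyourmail.com ~all"]))
```

The article's advanced record is flagged because 192.168.0.0/16 is private address space; a real record lists the public addresses your servers send from.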

4. Monitor mail deliverability

Once SPF has been implemented, monitor for outgoing messages that:

  • Fail SPF authentication

  • Get rejected by recipient mail servers

  • Are delivered to spam

Any of the above indicate either an error in your SPF record, duplicate SPF records, or that an authorized sender (domain or IP address) is missing from your SPF record.

If this happens, correct the error in your SPF record, and continue monitoring outbound mail.

You can also check the headers of messages sent from your domain to learn if messages are passing SPF. To check message headers in Gmail, click Show original for a message, then check the SPF status in the original message. 
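
The same header check can be run over saved copies of messages. The script below is an added example, not from the original article: it reads the SPF result from the Authentication-Results header and assumes the receiving server identifies itself as mx.google.com, as Gmail does. The function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

def spf_verdicts(raw_message, trusted_authserv_id="mx.google.com"):
    """Return (result, smtp.mailfrom) pairs stamped by the trusted receiver."""
    verdicts = []
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())           # unfold continuation lines
        value = re.sub(r"\([^()]*\)", "", value)  # drop (comments)
        authserv_id, _, methods = value.partition(";")
        # Any upstream hop can add this header, so only accept the copy
        # written by the receiving server we trust.
        if authserv_id.strip().lower() != trusted_authserv_id.lower():
            continue
        for method in methods.split(";"):
            result = re.match(r"\s*spf=(\w+)", method)
            if result:
                mailfrom = re.search(r"smtp\.mailfrom=(\S+)", method)
                verdicts.append((result.group(1).lower(),
                                 mailfrom.group(1) if mailfrom else None))
    return verdicts

def needs_attention(raw_message):
    """True when the trusted receiver recorded anything other than spf=pass."""
    verdicts = spf_verdicts(raw_message)
    return not verdicts or any(result != "pass" for result, _ in verdicts)

# Constructed sample: the receiver recorded softfail; a second header from an
# untrusted host claims pass and must be ignored.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=constructed;
       spf=softfail (google.com: domain of transitioning billing@example.com
       does not designate 198.51.100.7 as permitted sender)
       smtp.mailfrom=billing@example.com
Authentication-Results: relay.example.net; spf=pass smtp.mailfrom=billing@example.com
From: billing@example.com
Subject: constructed sample

body
"""

print(spf_verdicts(SAMPLE), needs_attention(SAMPLE))
```

A softfail like the one in the sample usually means the sending server is missing from the record built in step 1.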

5. Implement DKIM and DMARC to further strengthen email security

SPF works alongside two additional email security protocols to optimize mail deliverability while preventing spam, spoofing, phishing and more.

  • DomainKeys Identified Mail (DKIM) adds a digital signature to every outgoing message, which lets receiving servers verify the message actually came from your organization, and wasn’t modified in transit.

  • Domain-based Message Authentication, Reporting and Conformance (DMARC) sends you reports containing the source (servers and domains) of messages sent using your domain, what percent of messages fail SPF and DKIM, and advises recipient mail servers what action to take on messages sent by unauthorized senders: Deliver, deliver to spam, or reject.

It’s critical that 100% of companies implement SPF, DKIM and DMARC to protect their brands and domain reputations. Every Rise Digital Google Workspace client is set up with a strong SPF, DKIM and DMARC policy from day one ☝🏼

Congratulations! 🥳

With SPF implemented, your organization will enjoy improved email deliverability and greater email security.

Christian Newman

Google Workspace Partner ☁️ Digital Strategist 👨🏻‍💻 TELUS Alumni 🌱 I make companies more productive 📈 Coffee, anyone? ☕️

https://risedigital.tech