How to article

Email Security: Cloudflare SPF Record


Email has become the primary channel through which individuals, businesses, and organizations exchange information and perform transactions. That also makes it a prime target for phishing, spoofing, spam, and other attacks, which is why publishing email authentication records and monitoring them is more important than ever. Sender Policy Framework (SPF) is the first of those records to put in place, and this guide walks through adding an SPF record to a domain whose DNS is hosted on Cloudflare.

What is a Cloudflare SPF Record?

A Sender Policy Framework (SPF) record is a DNS TXT record published at your domain name. SPF is an email authentication protocol that lets receiving mail servers detect messages that claim to come from your domain but were sent from a server you never authorized, which is the basis of spoofing and many phishing campaigns. The record lists the IP addresses and hosts allowed to send mail using your domain in the envelope sender (the MAIL FROM address, which becomes the Return-Path header); a receiving server compares the IP address of the server that connected to it against that list.

Is having a Cloudflare SPF Record absolutely necessary?

The simple answer is no. Mail can be sent without an SPF record. However, an SPF record has real benefits: it lets mailbox providers confirm that a message arrived from a source you authorized, which improves the odds of landing in the inbox, and it is one of the two authentication results (SPF and DKIM) that a DMARC policy is built on.

SPF exists to patch a gap in SMTP (Simple Mail Transfer Protocol): SMTP does not verify that the sending server is entitled to use the sender address it presents. Any server can put any address in MAIL FROM or in the From: header, and the message is accepted as long as it is well formed. Without an authentication check, a malicious party can impersonate your employer, accountant, bank, or anyone else and manipulate recipients into disclosing information they would otherwise keep private.

It is important to note that SPF is not alone in the fight against these bad actors. In addition to SPF, email authentication tools like DMARC (Domain-based Message Authentication, Reporting, and Conformance) and DKIM (DomainKeys Identified Mail) all work together to protect your domain and prevent email security attacks.

How does a Cloudflare SPF Record work behind the scenes?

When a sending mail server connects to deliver a message, the receiving server takes the domain of the envelope sender (the MAIL FROM address, which ends up in the Return-Path header) and looks up that domain’s SPF TXT record. It then evaluates the record’s mechanisms, in order, against the IP address of the connecting server. The first mechanism that matches decides the outcome through its qualifier: pass for an authorized sender, fail (typically rejected) when an unlisted sender reaches a closing -all, or softfail (accepted but flagged as suspicious) when the record closes with ~all. Note that SPF checks only the envelope sender; the visible From: header is verified by DMARC alignment, which is why SPF should be deployed together with DKIM and DMARC.

What exactly is the receiving server checking for?

The receiving server checks whether the IP address of the server that connected to it (not an address found anywhere inside the message) is covered by one of the IP addresses, ranges, hostnames, or included domains listed in the SPF record.

What does a Cloudflare SPF Record look like?

Here is an example of an SPF record, as published in the TXT record of a domain:

v=spf1 ip4:192.0.2.1 ip4:192.0.2.2 -all

v=spf1

Tells the server the version of the SPF record and that an SPF record exists. It must be the first term in the record.

ip4:192.0.2.1 and ip4:192.0.2.2

List the IPv4 addresses authorized to send email on behalf of the domain.

-all

Tells the server to reject messages from senders not matched by an earlier mechanism. The all mechanism carries the fail qualifier (-).

How can I add a Cloudflare SPF Record?

Before adding your SPF record in Cloudflare, generate the record itself: list every service that sends mail for your domain (your own mail servers as well as marketing and transactional providers) and build the record from their IP addresses and the include domains they document. You can look up and generate SPF records on EmailGuard.

  • Log in to your Cloudflare account.
  • Select the domain you would like to add the SPF record to, and open the DNS tab.
  • Click the “Add Record” button on your DNS Records page.
  • Select the TXT record type.
  • Set the name to @ (the zone apex, i.e. the domain itself).
  • Enter your SPF record in the content field.
  • Click the “Save” button to save your changes.

Now you are all set and have added your SPF record to Cloudflare. One caveat: a domain may publish only one SPF record. If a TXT record beginning with v=spf1 already exists, edit it to add the new senders rather than saving a second one, because receivers treat multiple SPF records as a permanent error (permerror) and the check then fails for every sender.
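The same procedure via the Cloudflare API, with the pre-flight checks a practitioner would run before saving. This is an added example written for this article, not EmailGuard’s or Cloudflare’s code: the existing TXT records are constructed, the zone ID and token are placeholders, and the endpoint shape (POST /zones/{zone_id}/dns_records with a JSON body of type, name, content and ttl) is assumed from the Cloudflare v4 API and should be verified against the current API reference before use. The checks catch the mistakes that silently break SPF: a second v=spf1 record at the apex, a missing or misplaced all, and a record too long for a single TXT string.

```python
import json
import urllib.request

# Constructed TXT records as they might already exist at the zone apex
# (example data, not fetched from Cloudflare).
EXISTING_TXT = [
    "google-site-verification=abc123",
    "v=spf1 include:_spf.example.net ~all",
]


def preflight(record, existing_txt=()):
    """Sanity-check an SPF record before creating the TXT record.

    Returns a list of problems; an empty list means the record is safe to add.
    """
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
        return problems
    # RFC 7208 section 4.5: more than one SPF record yields permerror, so an
    # existing record must be edited, not joined by a second one.
    dupes = [t for t in existing_txt if t.lower().startswith("v=spf1")]
    if dupes:
        problems.append("an SPF record already exists; edit it instead of adding another: " + dupes[0])
    # A single TXT string holds at most 255 bytes (RFC 7208 section 3.3); longer
    # records must be split into several quoted strings. Check how your DNS host does that.
    if len(record) > 255:
        problems.append("longer than 255 characters; must be split into multiple quoted strings")
    all_terms = [i for i, t in enumerate(terms) if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        problems.append("no all mechanism; senders not listed get a neutral result")
    elif all_terms[0] != len(terms) - 1:
        problems.append("mechanisms after all are ignored")
    return problems


def build_request(zone_id, api_token, zone_name, record, ttl=3600):
    """Build the Cloudflare v4 API call that creates the TXT record.

    Assumed endpoint: POST /zones/{zone_id}/dns_records with a JSON body.
    The name is the zone apex, i.e. the domain itself (what "@" means in the dashboard).
    """
    body = json.dumps({"type": "TXT", "name": zone_name, "content": record, "ttl": ttl}).encode()
    req = urllib.request.Request(
        f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records",
        data=body, method="POST")
    req.add_header("Authorization", f"Bearer {api_token}")
    req.add_header("Content-Type", "application/json")
    return req


def add_spf_record(zone_id, api_token, zone_name, record, existing_txt=(), opener=urllib.request.urlopen):
    """Run the pre-flight checks and, only if they pass, create the record."""
    problems = preflight(record, existing_txt)
    if problems:
        raise ValueError("; ".join(problems))
    with opener(build_request(zone_id, api_token, zone_name, record)) as resp:
        return json.load(resp)  # Cloudflare answers with {"success": true, "result": {...}}


if __name__ == "__main__":
    import os
    record = "v=spf1 ip4:192.0.2.1 ip4:192.0.2.2 -all"
    print(preflight(record, EXISTING_TXT))  # the constructed zone already has an SPF record
    print(preflight(record))                # a clean zone: []
    if os.environ.get("CF_API_TOKEN"):      # only touches the network when a token is set
        print(add_spf_record(os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"],
                             "example.com", record))
```

Scope the API token to DNS:Edit on the one zone; a token that can edit every zone is a far bigger asset than the SPF record it is creating.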

Let’s take a look at SPF record mechanisms:

Mechanism Description

v: The SPF version. This is a mandatory tag and must always be the first term in the SPF record.
Ex. v=spf1

ip4: The IPv4 addresses authorized to send email. A message sent from any IPv4 address listed passes the SPF check.
The value can be a single IPv4 address or a CIDR range. Ex. ip4:192.0.2.1 or ip4:192.0.2.0/24

ip6: The IPv6 addresses authorized to send email. A message sent from any IPv6 address listed passes the SPF check.
The value can be a single IPv6 address or a CIDR range. Ex. ip6:2001:db8::1 or ip6:2001:db8:1234::/48

a: Authorizes the addresses found in the A and AAAA records of a hostname. With no argument (a bare a) it uses the domain being checked.
Ex. a:example.com

mx: Authorizes the hosts named in a domain’s MX records. With no argument (a bare mx) it uses the MX records of the domain being checked.
Ex. mx or mx:example.com

include: Pulls in the SPF record of another domain, typically a third-party provider that sends mail for you. The include matches only when the other domain’s record returns pass for the sending IP.
Ex. include:_spf.example.net (use the exact domain your provider documents)
Caveat: a, mx and include (as well as ptr and exists) each count toward the limit of 10 DNS lookups per SPF evaluation (RFC 7208 section 4.6.4); exceeding it produces permerror for every sender, so audit the chain of includes behind each provider.

all: Matches every sender not matched by an earlier mechanism, so it acts as the catch-all default, and its qualifier decides what happens to unlisted senders. It is recommended to include this mechanism in your SPF record.

Important note: This must be the last mechanism in your SPF record; any mechanism after it is ignored.

The qualifiers used with all:
  • ~all This is the softfail qualifier. It tells receiving servers to accept messages from unlisted senders but treat them as suspicious.
  • -all This is the fail qualifier. It tells receiving servers to reject messages from unlisted senders.

Recommendation: for domains that do not send email, use the following SPF record: v=spf1 -all
This declares that no IP address or domain is an authorized source for the domain, so every message using it as the envelope sender fails SPF and should be rejected.
This protects the domain from being used in spoofing attacks.

Let’s take a look at SPF record qualifiers. A qualifier is a prefix on a mechanism that sets the result when that mechanism matches; when no prefix is written, + is assumed.

The four qualifiers are:

Qualifier Description
+ Pass. If the IP address matches the mechanism, it is authorized to send messages on behalf of the domain.
It tells the server to accept messages from matching addresses. This is the default, so ip4:192.0.2.1 means the same as +ip4:192.0.2.1.
- Fail. If the IP address matches the mechanism, it is explicitly not authorized to send messages on behalf of the domain.
It tells the server to reject messages from matching addresses; this is what -all does for every sender not listed earlier in the record.
~ Softfail. A matching IP address is probably not authorized, but the domain owner is not yet confident enough to ask for rejection.
Receiving servers accept the message but treat it as suspicious, which is useful while you are still discovering all the services that send mail for you.
? Neutral. The domain owner makes no assertion about the matching IP address, so the check neither passes nor fails.
Receiving servers treat the message as if no SPF record had been published; ?all is typically used while a domain is still cataloguing its senders.

Improve email security with a Cloudflare SPF Record

Publishing an SPF record lets receiving servers verify that a message using your domain as the envelope sender came from a source you listed. Messages from anywhere else fail the check, and with a -all record (and a DMARC policy on top) they can be rejected before they reach anyone.

Improve email deliverability with a Cloudflare SPF Record

Without an SPF record, receiving servers have no way to confirm that your mail is legitimate, so it is more likely to bounce or be marked as spam and less likely to reach the inbox. That can stop individuals and businesses from reaching their target audience, employees, and other important stakeholders.

Increase domain credibility with a Cloudflare SPF Record

An SPF record makes it harder for unauthorized senders to spoof your domain, and it is the spoofed mail that fails the check and gets flagged as spam or rejected, not your own messages. This protects your domain’s reputation against bad actors trying to impersonate you or your business.

Although an SPF record is not mandatory, publishing one in your Cloudflare DNS protects your domain, strengthens email security, and improves deliverability. It gives receiving servers a way to reject messages that forge your domain, so your legitimate mail stands out, and it increases your domain’s credibility by restricting sending to the IP addresses and services you authorize. Protect your domain and add an SPF record to your Cloudflare account. SPF is the first line of defense in email authentication; for complete coverage, combine SPF with DKIM and DMARC so that the visible From: address is protected as well and you receive reports about who is sending as your domain.
