Email Delivery: Cleaning up your SPF record

May 23, 2022 | 4 minute read
Dickie LaFlamme
Senior Deliverability Specialist

When moving to a new email provider, setting up proper email authentication, and reviewing and cleaning up the authentication you already have before you get going, is crucial for senders. It should be step one after you receive the login credentials for your new email home.

A cartoon of a mail carrier with no letters and a mailbox full of cobwebs.

This blog focuses on how Sender Policy Framework (SPF) fits in and provides a plan for reviewing your records.

A quick review of SPF

Like most providers, we strongly recommend publishing both SPF and DKIM records in DNS, and adding DMARC when you're ready. SPF dates from the early days of bulk and transactional sending, when its purpose was to stop spammers from forging other people's domains. It doesn't stop spam by itself: what SPF gives a mailbox provider is a way to verify that the IP address delivering a message is one the sending domain has authorized to send on its behalf. Note that SPF checks the envelope sender (the MAIL FROM, or Return-Path, address), not the From: header the recipient sees; tying the two together is DMARC's job.

To evaluate SPF, the receiving mail transfer agent (MTA) looks up the TXT record at the envelope sender's domain. That record, which starts with v=spf1, lists the IP addresses and networks allowed to send mail for the domain and ends with a catch-all such as -all (fail anything else) or ~all (softfail anything else).

SPF include records

That TXT value can list individual IPs (ip4: and ip6: terms) or use an include:, which points at another domain whose SPF record is merged into the evaluation. Essentially, your IPs sit one layer deeper in the lookup, in a record that the provider maintains for you.

Often, when sending from an email service provider (ESP) like OCI Email Delivery, the provider gives you an include to insert in your TXT value, and then you're ready to implement SPF.

Let's look at a few examples of what these includes look like in a terminal lookup:

dlaflamme$ dig dickielaflamme.com txt +short
"include:rp.oracleemaildelivery.com ~all"
"v=spf1 include:spf.dynect.net -all"

In this example, my domain has two TXT values on it: one from Dynect and one from OCI Email Delivery. Each include is a top-level pointer; when a provider reads it, it expands to all the IPs contained in the referenced record. One caveat worth spotting here: a domain is supposed to publish exactly one SPF record, a single TXT value that starts with v=spf1 and carries all of its includes. Receivers discard a TXT value without the v=spf1 prefix, and two values that both carry it produce a permanent error (RFC 7208, section 4.5), so when you add a second provider, append its include to the existing record rather than creating a new TXT value.

Now, the target of include:rp.oracleemaildelivery.com looks like the following example one layer deeper (dig prints a record longer than 255 bytes as two quoted strings, which receivers join back together):

dlaflamme$ dig rp.oracleemaildelivery.com txt +short

"v=spf1 ip4:10.144.155.128/26 ip4:129.148.164.0/25 ip4:129.148.215.0/25 ip4:129.149.6.0/25 ip4:129.149.38.0/25 ip4:138.1.170.0/24 ip4:147.154.32.0/25 ip4:147.154.63.0/24 ip4:147.154.126.0/24 ip4:147.154.191.0/24 ip4:162.88.24.0/21 ip4:192.29.72.0/25 " "ip4:192.29.88.0/25 ip4:192.29.103.128/25 ip4:192.29.134.0/25 -all"

Time for some cleanup

When you start to incorporate all the systems your domain can send from, those includes add up: third-party support ticket systems, customer relationship management (CRM) tools, and email providers like OCI Email Delivery, to name a few.

The caveat with includes is that the SPF specification allows at most 10 DNS lookups per check. Every include counts toward that limit, and so do a, mx, ptr, exists, and redirect= terms. Includes nested inside your providers' records count too, while plain ip4: and ip6: entries are free. When an evaluation needs more than 10, the receiver returns a permanent error (permerror): your SPF record is considered broken, and your mail fails to authenticate with SPF.

With the following tips and tricks, you can stay under this limit and ensure that you're not breaking your record as you integrate with a new provider.

Use subdomains

If you have several services that send email, using subdomains is highly recommended. Because each subdomain needs its own SPF record, its lookup budget is independent of the main domain's. This separation also keeps your reputation with the stream of email you're sending and prevents one stream from hurting another if an issue occurs. You can use one subdomain for bulk and marketing email, one for transactional email, and one for triggered email. The case for separating bulk from transactional email is especially strong.

Our team strongly recommends subdomains if you take a multivendor approach, sending from multiple ESPs. Separating how you send has many benefits, and building a reputation at a new provider is something you have to do regardless of whether that email was previously sent elsewhere or from a different subdomain. Either way, the best choice is to use subdomains and build each sending reputation from scratch.

IP allocation

When sending from a provider like OCI Email Delivery, you might be using primarily dedicated IPs, shared IPs, or a combination. In every case, you should reference a provider like ours through an include in your SPF record.

Some of our senders have asked whether to list the sending IPs directly in their SPF record instead of using the include. We don't advise it, even for senders on dedicated IPs. Referencing the full breadth of our IPs for your region through the include allows failover to occur, and new IPs added to shared pools for warming are picked up automatically, which individually listed IPs never are.

Remove old lookups

When you switch providers or add a new one, it's easy to leave the old includes in place and forget about them. Over time, these remnants build up, and we've often seen them result in broken SPF records.

Look at all your SPF lookups, including the ones nested inside your providers' records, and confirm that each one is still in use. If you aren't sure what an include is tied to, ask around to find out which systems use which entries, and build a review system so you always know what's in your records. We recommend reviewing your includes twice a year.
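As an added example (not the page's own tooling and not anything OCI Email Delivery ships), the following Python script walks an SPF record tree the way a receiver does: it charges every include, a, mx, ptr, exists and redirect= term against the 10-lookup budget described under "Time for some cleanup", lists each include together with the record that pulled it in, and shows what the "remove old lookups" fix does to the count. It also checks whether a given sending IP falls inside the expanded record, which is what the include in the "IP allocation" section buys you: an IP the provider adds later is covered without any change on your side. It runs offline against constructed zone data; the .example names and their records are hypothetical, and the rp.oracleemaildelivery.com entry is abridged from the dig output earlier on the page. The zone also contains the two broken shapes from the first dig example, a TXT value without the v=spf1 prefix and a name with two v=spf1 values.

```python
"""Walk an SPF record tree offline: count DNS lookups, list includes, check an IP."""
import copy
import ipaddress

# Constructed zone data standing in for live TXT lookups. The .example names are
# hypothetical; rp.oracleemaildelivery.com is abridged from the page's dig output.
ZONE = {
    "example.com": ["v=spf1 include:rp.oracleemaildelivery.com include:_spf.dns-vendor.example "
                    "include:crm.example include:helpdesk.example include:old-esp.example ~all"],
    "rp.oracleemaildelivery.com": ["v=spf1 ip4:129.148.164.0/25 ip4:147.154.32.0/25 "
                                   "ip4:192.29.72.0/25 -all"],
    "_spf.dns-vendor.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "crm.example": ["v=spf1 include:_spf.crm-vendor.example ~all"],
    "_spf.crm-vendor.example": ["v=spf1 a mx ip4:203.0.113.0/25 -all"],   # a and mx cost a lookup each
    "helpdesk.example": ["v=spf1 a include:mail.helpdesk-vendor.example ~all"],
    "mail.helpdesk-vendor.example": ["v=spf1 ip4:203.0.113.128/25 -all"],
    "old-esp.example": ["v=spf1 redirect=_spf.old-esp.example"],           # redirect= costs one too
    "_spf.old-esp.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    # Two v=spf1 values on one name: RFC 7208 section 4.5 makes that a permerror.
    "broken.example": ["v=spf1 include:crm.example -all", "v=spf1 include:helpdesk.example -all"],
    # No v=spf1 prefix: receivers do not treat this TXT value as an SPF record at all.
    "noprefix.example": ["include:rp.oracleemaildelivery.com ~all"],
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 section 4.6.4
MAX_LOOKUPS = 10


def spf_record(domain, zone):
    """Return the domain's single SPF record; zero or several is the error a receiver raises too."""
    recs = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) != 1:
        raise ValueError(f"{domain}: found {len(recs)} v=spf1 records, need exactly one")
    return recs[0]


def terms(record):
    """Split a record into (qualifier, name, argument) triples, skipping the v=spf1 tag."""
    out = []
    for tok in record.split()[1:]:
        qual = "+"
        if tok[0] in "+-~?":
            qual, tok = tok[0], tok[1:]
        if "=" in tok:            # modifier, e.g. redirect=other.example
            name, arg = tok.split("=", 1)
        elif ":" in tok:          # mechanism with an argument, e.g. ip4:192.0.2.0/24
            name, arg = tok.split(":", 1)
        else:                     # bare mechanism: a, mx, all
            name, arg = tok, ""
        out.append((qual, name.lower(), arg))
    return out


def walk(domain, zone, report=None, seen=None):
    """Expand the include/redirect tree, charging every DNS-querying term to one budget."""
    if report is None:
        report = {"lookups": 0, "includes": [], "networks": [], "errors": []}
    seen = set() if seen is None else seen
    seen.add(domain)
    try:
        record = spf_record(domain, zone)
    except ValueError as err:
        report["errors"].append(str(err))
        return report
    for _qual, name, arg in terms(record):
        if name in LOOKUP_TERMS:
            report["lookups"] += 1
        if name in ("include", "redirect"):
            report["includes"].append((domain, arg))
            if arg not in seen:   # already expanded (or a loop): lookup was charged, don't re-walk
                walk(arg, zone, report, seen)
        elif name in ("ip4", "ip6"):
            report["networks"].append(ipaddress.ip_network(arg, strict=False))
    return report


def check_limit(domain, zone):
    """Full audit: lookup count, every include by origin, and any permerror condition."""
    report = walk(domain, zone)
    if report["lookups"] > MAX_LOOKUPS:
        report["errors"].append(
            f"{domain}: {report['lookups']} DNS lookups exceeds {MAX_LOOKUPS} (permerror)")
    return report


def ip_authorized(ip, domain, zone):
    """True if ip is inside any ip4/ip6 network of the expanded tree (a/mx are not resolved)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in walk(domain, zone)["networks"])


def drop_include(zone, domain, target):
    """The 'remove old lookups' fix: a copy of the zone with include:target gone from domain."""
    new_zone = copy.deepcopy(zone)
    new_zone[domain] = [" ".join(t for t in rec.split() if t.lower() != f"include:{target}")
                        for rec in zone[domain]]
    return new_zone


if __name__ == "__main__":
    before = check_limit("example.com", ZONE)
    print(before["lookups"], "lookups;", before["errors"])
    for origin, target in before["includes"]:
        print(f"  {origin} -> {target}")
    after = check_limit("example.com", drop_include(ZONE, "example.com", "old-esp.example"))
    print(after["lookups"], "lookups after removing the stale ESP;", after["errors"])
    print("129.148.164.10 authorized:", ip_authorized("129.148.164.10", "example.com", ZONE))
```

To audit a live domain, replace ZONE with the output of dig -t txt +short for each name as it is visited. The a and mx terms are counted but not resolved, since only the number of queries matters for the limit; they would cost extra lookups in a real evaluation only through their own DNS answers, not through the SPF tree.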

Use a third-party system

Some third-party services use SPF macros to get around the 10-lookup limit, dynamically flattening your record into the IPs it resolves to and keeping the record for your domain clean. These services are paid and require you to point your SPF record at the vendor, with DNS delegation, to fully work. While they're great, decide whether your company actually needs one.

Conclusion

The 10-lookup limit for SPF isn't the worst thing, because it forces senders to keep their sending domains organized. If you're running into it, try some of the fixes suggested here. They keep your SPF record accurate and fully authenticating, clearing the way for more email in the inbox.

Tools to check SPF

Dickie LaFlamme

Senior Deliverability Specialist

A Deliverability Geek by day and avid outdoor enthusiast, also by day. I work on OCI's Deliverability team for the Email Delivery product. I have many years of experience consulting with customers about their email programs and how to effectively deliver mail.

