Home / / SPF authentication setup

SPF authentication setup

As of February 2024, Google and Yahoo have increased their enforcement of domain authentication. To avoid issues with email delivery, it’s crucial to complete DKIM and DMARC authentication for the sending domain you use to send emails.

For best deliverability results, we recommend adding our domain to your domain’s SPF record.

What is SPF?

Sender Policy Framework (SPF) is an email authentication method that specifies which IP addresses or servers are allowed to send emails on behalf of your domain. By verifying that an email is sent from an approved source, SPF helps prevent spoofing and reduces the likelihood of your emails being marked as spam.

SPF can only be set up for a domain that you own. Free email domains like @gmail.com do not support custom SPF settings.

Checking for SPF

If you’re not sure whether you already have our domain in your SPF record, you can easily find out right in your account. You must have DKIM set up before you can use this tool.

  1. Navigate to your Account > Deliverability tab.
    1. Parent account: Click on the gear icon in the upper right corner of your screen and choose Account from the dropdown menu.
    2. Subaccounts: Navigate to the appropriate subaccount and click on the gear icon in the upper right corner of your screen.
      1. If you are a Manager or Parent user, scroll down to Subaccount settings and choose Account from the dropdown menu.
      2. If you are an Administrator user, choose Account from the dropdown menu.
    3. Standalone accounts: Click on the gear icon in the upper right corner of your screen and choose Account from the dropdown menu.
  2. On the next screen, click on the Deliverability tab.
  3. Scroll down to the section that says SPF status check.
  4. Click on the Check SPF status button.

If you have added our domain to your SPF record, you’ll see a green pill icon that says Pass. If you have not added our domain to your SPF record, you’ll see a red pill icon that says Fail. If you do not have an SPF record, you’ll see a red pill icon that says No SPF record found.

If your SPF record is flattened or hidden from public lookup, our system cannot check your SPF record and will return the red pill icon that says Fail. If you have questions about this, please reach out to your IT team for assistance.

Setting up SPF

SPF setup requires adding a TXT record in your DNS settings that includes a list of IP addresses authorized to send on your domain’s behalf. There are many ways to set up your domain’s SPF record, depending on your organization’s needs and priorities. When in doubt, reach out to someone who specializes in DNS if you need assistance.

  1. Log in to your DNS provider’s website or app.
  2. Look at your existing TXT records. Do you see one that contains v=spf1?
    1. Yes: Edit the existing TXT record and add include:_spf.e2ma.net immediately after v=spf1. Then proceed to step 5.
    2. No: Continue to the next step.
  3. Create a new TXT record and enter the following text, exactly as it appears. Refer to your DNS provider’s help documents if they do not allow the @ symbol.
    Name Value
    @ v=spf1 include:_spf.e2ma.net ~all
  4. Select the TTL value (300 seconds – 30 minutes).
  5. Save the record.

The ~all or -all at the end of your SPF record determines whether unauthorized emails should be soft-failed (accepted but flagged) or hard-failed (rejected). Both are acceptable, so be sure to follow your organization’s policy for either one.

This is the only SPF setup that we can provide support for. If you choose to set it up differently, that’s okay, but we won’t be able to help with any questions or troubleshooting for other methods. For anything related to SPF, your IT team or DNS specialist will be your go-to for assistance.

Validating SPF

After creating the SPF TXT record, allow at least 30 minutes for it to propagate. It may take as long as 24 hours to fully propagate. Once the record has propagated, you can verify that it’s correct by using an SPF record checker tool, like this one. To use this tool, navigate to this page. Under the Check a published SPF record heading, type your domain in the Domain name box and click on the Check button. If you see e2ma listed in the record, then you have already added us to your SPF record.

The return-path domain for all emails coming from our system is e2ma.net. This cannot be changed. SPF alignment is partially dependent on the return-path of the sender address, so even if you add us to your SPF record, the mailings that you send from your account will only partially pass SPF. DMARC only requires SPF alignment OR DKIM alignment in order to pass, not both. So as long as you have DKIM set up, your campaigns should still pass DMARC.

Frequently asked questions about SPF

For more frequently asked questions about SPF, check out this article.

I followed all of the instructions exactly, but I’m seeing an error when I try to check them! Did I do something wrong?

It can take up to 24 hours for DNS records to fully propagate, so there’s no need to panic if you don’t see the SPF record check tool update right away. Just give the record some time and then try again.

If you’re still seeing errors after 24 hours, there may be a small typo in your record. Try checking it for errant spaces or typos. Additionally, if you copied and pasted the record into your DNS, try typing it in manually instead. Alternately, you can paste it into a text editor, copy it again, and then paste it into your DNS. The goal is to strip any hidden formatting that might tag along when you enter or paste the record into your DNS, as this formatting can prevent our system from reading those records.

Finally, when it comes to SPF, if your SPF record is flattened or hidden from public lookups, it is expected for the error to remain visible.

I’ve added you to my SPF record, why are my campaigns still showing SPF failures?

It is expected for SPF to remain unaligned, even after you’ve added _spf.e2ma.net to your SPF record. This is because SPF is checked against an email’s return-path. By default, emails that come from our servers will always use our domain for the return-path, so when SPF is checked for a mailing, a portion of it won’t pass for your domain. At this time, it is not possible to update the return-path to a different domain.

This should not interfere with DMARC because DMARC checks require SPF or DKIM, not both. As long as you have DKIM set up, your mailings should pass DMARC.

The SPF status check tool is showing an error about the “maximum number of DNS lookups”, what does this mean?

If you see an error message that says something like Parsing the SPF record requires x/10 maximum DNS lookups, then you have most likely added our sending domain to your SPF record correctly. However, SPF records typically have a maximum of 10 “lookups” and your record has exceeded this limit. Resolving this error is not within our scope, so you’ll need to reach out to your IT team or DNS specialist for assistance.

I don’t have an IT team and I don’t know how to do any of this. Where do I even put this record?

We understand that authenticating your domain can feel overwhelming, especially for someone who may not have a lot of experience with these topics. Our goal is to make this process as smooth as possible for everyone, so we’ve collected several resources that will hopefully help you feel a little more confident.

As far as the DNS records are concerned, you or whoever manages your domain should be able to log in to the registrar that hosts your domain to create the required records. Every DNS provider looks a little different, so if you have specific questions about where to click or what to do, your registrar’s help documentation will be your best bet for guidance.

We’ve collected a list of some popular domain providers and their instructions for how to edit DNS records. Just click on the link that corresponds to your domain provider; if you don’t see yours listed here, try visiting your provider’s website and searching their help documents, or contact their Support team.

Additional resources