User's Guide to SPF
Posted by Dustin P, Last modified by David Suker on 22 November 2019 03:48 PM
Sender Policy Framework (SPF) is an email validation system designed to prevent spam by detecting email spoofing, similar to how DKIM authenticates email. However, SPF is more involved and requires more user input to work properly. The key to configuring SPF is knowing who should send mail on your behalf. If, for example, you use external email services for newsletters, mailing lists, or shopping carts (that send email on your behalf), or host your email elsewhere, SPF will need to be configured beyond the default settings.
Odds are that the third-party services you use will provide you with "includes" and IPv4/IPv6 settings to add to our SPF settings. You can use the instructions below to make adjustments to your SPF; just note that SPF will absolutely destroy your mail deliverability if misconfigured. Do not hesitate to reach out to us if you have any questions whatsoever.
Once you have reached the Authentication page of your cPanel for the desired domain, there are a few things to note. Primarily, you will be able to add domains to your specified "authentic" SPF domain list. By default, this list has only "spf.fused.com," but you may add as many additional domains as you'd like in order to send authenticated mail through these domains. In addition, this section will also allow you to add "A" and "MX" records as needed, along with additional IP Address blocks for your domain.
Your SPF record should end in "~all" by default. The "all" sets how the server should deal with all mail not sent from a domain specified in the "+include" section mentioned before. The "~" represents a soft fail default, as opposed to a hard fail.
A "soft fail" means that all mail servers not listed in the SPF record are not authorized to send mail using the sender’s domain, but the owner of the domain is unwilling to make a strong assertion to that effect.
In contrast, a "hard fail" means that all mail servers not listed in the SPF record are explicitly not authorized to send mail using the sender’s domain.
There are two checkboxes at the bottom of this page, one of which is labeled "All Entry (ALL):". When checked, this box will enable hard fail as the default. It is recommended that this box remain unchecked unless you are certain of what you're doing.
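To check a record before saving it, the sketch below (an added example, not Fused or cPanel code) parses an SPF string offline, reports whether its "all" entry is a soft or hard fail, and flags common mistakes. The sample records and the domain mail.newsletter.example are constructed; only spf.fused.com comes from this article.

```python
import re

# Qualifier prefixes and the result a matching mechanism produces.
QUALIFIERS = {"+": "pass", "-": "hard fail", "~": "soft fail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ip4", "ip6", "ptr", "exists"}

def parse_spf(record):
    """Split an SPF TXT value into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name = re.split(r"[:/]", body, maxsplit=1)[0]
        if "=" in name:  # modifier such as redirect=, not a mechanism
            continue
        parsed.append((qualifier, name.lower(), body[len(name):].lstrip(":")))
    return parsed

def review_spf(record):
    """Return the default policy, the include list and any warnings."""
    mechs = parse_spf(record)
    names = [name for _, name, _ in mechs]
    warnings = [f"unknown mechanism '{n}' makes the record invalid"
                for n in names if n not in MECHANISMS]
    default = None
    if "all" in names:
        pos = names.index("all")
        default = QUALIFIERS[mechs[pos][0]]
        if pos != len(mechs) - 1:
            warnings.append("entries after 'all' are never evaluated")
        if default == "pass":
            warnings.append("'+all' authorizes every server to send as this domain")
    elif "redirect=" not in record.lower():
        warnings.append("no 'all' entry: unlisted senders get no fail result")
    includes = [value for _, name, value in mechs if name == "include"]
    return {"default": default, "includes": includes, "warnings": warnings}

# Constructed sample records; only spf.fused.com comes from the article.
SOFT = "v=spf1 +a +mx +include:spf.fused.com +include:mail.newsletter.example ip4:192.0.2.0/24 ~all"
HARD = SOFT.replace("~all", "-all")  # what checking "All Entry (ALL)" would produce
BROKEN = "v=spf1 +include:spf.fused.com -all +include:mail.newsletter.example"

if __name__ == "__main__":
    for rec in (SOFT, HARD, BROKEN):
        print(rec, "->", review_spf(rec))
```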