Learning to perform SPF delegation for enhanced email delivery
Quick Answer
SPF delegation lets a domain owner authorize an external sender (a third-party vendor or external mail server) to send on the domain's behalf without failing authentication. It is a one-time DNS edit that does not interfere with DKIM or DMARC. Steps: open DNS manager, edit the SPF TXT record, set the 'a' mechanism CIDR to 32 (IPv4) and 128 (IPv6), add 'mx' with the same CIDRs, add include: statements for each authorized sender, list IPv4 addresses (CIDR 32 if no range) and IPv6 addresses (CIDR 128 if no range), end with ~all (softfail) for new domains or -all (hardfail) for mature ones, save, publish, and test with an SPF lookup tool. Stay under the 255-character record limit and the 10-DNS-lookup limit, the two constraints that most often break SPF in production.
The SPF delegation method is for domain owners who authorize an external email server to send emails on their behalf without having them fail the email authentication checks. This requires you to make some alterations to the existing SPF record.
What is SPF delegation?
SPF delegation is a one-time activity performed by a domain owner to give control of their existing SPF record to an external email server or third-party vendor who is officially allowed to send emails as one of the representatives of their organization. This whole effort ensures that genuine emails sent by authorized outsiders don’t get marked as spam or bounce back due to authentication issues.
SPF delegation doesn’t interfere with the working of DKIM and DMARC. In fact, sometimes, DKIM itself uses SPF delegation to let authorized third-party IP addresses be used to send emails.
How is SPF delegation done?
To perform SPF delegation for an outsider, you have to mention their IP addresses in a TXT-format record at the start of your DNS zone file. This ensures their messages are treated as per the SPF softfail mechanism (represented by ~all) and not the SPF hardfail mechanism (represented by -all).
Here are the steps to go about it:
- Go to your DNS manager and choose the domain for which you have to do SPF delegation.
- Make the following changes to your SPF record:
  - ‘a’ record: Enter 32 and 128 in the IPv4 and IPv6 CIDR columns, respectively.
  - ‘mx’ record: Add the mx record and mention 32 and 128 in the IPv4 and IPv6 CIDR columns, respectively.
  - ‘include’ statements: Add all the necessary ‘include’ statements and ensure only the specified values are mentioned.
  - IPv4 addresses: List all the IPv4 addresses. If the IPv4 entry specifies a range (e.g., /22), enter 22 in the CIDR column. However, enter 32 in the CIDR column if no range is mentioned.
  - IPv6 addresses: List all the IPv6 addresses. If the IPv6 entry specifies a range (e.g., /36), enter 36 in the CIDR column. However, enter 128 in the CIDR column if no range is mentioned.
  - Policy: Set the policy to either softfail (~all) or hardfail (-all). For beginners and domains with heavy email traffic, setting the SPF record to softfail is recommended.
- Exchange SPF check: After completing the setup, click ‘Save’ and publish the record on DNS. A DNS entry will be generated at the bottom of the page, which you need to add to your domain’s DNS record.
- Publishing and testing: After adding the DNS entry, your SPF record will be hosted and managed within the DNS manager. Use SPF testing tools to ensure it is configured correctly and that emails are appropriately authenticated.
Final words
Please ensure you stay within the 255-character limit and the limit of 10 DNS lookups; people often overlook these constraints, which then trigger SPF validation failures.
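As an added example (not code from the article or from DuoCircle), the script below assembles an SPF record following the steps listed above, applying the /32 and /128 defaults to addresses given without a range, and then checks the finished record against the two limits just mentioned. The vendor domains and IP addresses are constructed placeholders, and the lookup count is static (it does not resolve include: chains), so it can only undercount, never overcount.

```python
import re

# Mechanisms whose evaluation costs a DNS lookup under RFC 7208 (limit: 10).
LOOKUP_MECHANISMS = ("a", "mx", "include", "redirect", "exists", "ptr")

def build_spf(ip4=(), ip6=(), includes=(), use_a=True, use_mx=True, policy="~all"):
    """Assemble an SPF TXT record from the pieces the article walks through.

    Addresses given without a CIDR suffix get /32 (IPv4) or /128 (IPv6),
    matching the "enter 32 / 128 if no range is mentioned" rule.
    """
    if policy not in ("~all", "-all"):
        raise ValueError("policy must be ~all (softfail) or -all (hardfail)")
    terms = ["v=spf1"]
    if use_a:
        terms.append("a")
    if use_mx:
        terms.append("mx")
    terms += [f"ip4:{a}" if "/" in a else f"ip4:{a}/32" for a in ip4]
    terms += [f"ip6:{a}" if "/" in a else f"ip6:{a}/128" for a in ip6]
    terms += [f"include:{d}" for d in includes]
    terms.append(policy)
    return " ".join(terms)

def check_spf(record):
    """Report on the two limits the article warns about.

    Lookup counting is static: it counts lookup-consuming mechanisms in this
    record only and does not follow include: chains (that needs live DNS),
    so the real count can only be equal to or higher than the value here.
    """
    terms = record.split()
    # Optional qualifier, then a lookup mechanism name, then ':', '/', '=' or end.
    pattern = r"^[+\-~?]?(" + "|".join(LOOKUP_MECHANISMS) + r")(:|/|=|$)"
    lookups = sum(1 for t in terms if re.match(pattern, t))
    return {
        "length": len(record),
        "length_ok": len(record) <= 255,
        "lookups": lookups,
        "lookups_ok": lookups <= 10,
        "ends_with_all": terms[-1] in ("~all", "-all", "+all", "?all"),
    }

if __name__ == "__main__":
    # Constructed sample: two vendors, one bare IPv4, one IPv4 range, one IPv6.
    rec = build_spf(ip4=["203.0.113.10", "198.51.100.0/22"], ip6=["2001:db8::25"],
                    includes=["_spf.vendor.example", "spf.crm.example"])
    print(rec)
    print(check_spf(rec))
```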
SPF, DKIM, and DMARC complement each other and should be used as a set of three for maximum protection against phishing, spoofing, ransomware, etc. For optimal email security, our experts can help you get started with email authentication or fix the existing SPF, DKIM, and DMARC records.
General Manager
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.