SPF (Sender Policy Framework)

Technical & Infrastructure

An email authentication record that specifies which servers can send email for your domain.

Definition

SPF (Sender Policy Framework) is an email authentication protocol that allows domain owners to declare which mail servers are authorized to send messages on behalf of their domain. It works by publishing a DNS TXT record containing a list of approved IP addresses, server hostnames, and include directives. When a receiving mail server gets an incoming message, it performs an SPF lookup on the sender's domain, compares the sending server's IP address against the SPF record, and decides whether to accept, flag, or reject the message based on the result. SPF is one of three core email authentication standards, alongside DKIM (cryptographic message signing) and DMARC (policy enforcement).

Why It Matters

Without an SPF record, any server on the internet can claim to send email from your domain. Attackers exploit this through domain spoofing, a technique central to phishing campaigns, business email compromise, and spam distribution. A missing or misconfigured SPF record also hurts legitimate email deliverability: major providers like Gmail, Outlook, and Yahoo increasingly reject or quarantine messages from domains without proper authentication. For publishers distributing content via email — sharing flipbook links, sending lead capture notifications, or delivering OTP codes — SPF directly affects whether those messages reach the inbox or disappear into spam folders.

How It Works in FlipLink

FlipLink sends several types of email on behalf of publishers: lead capture notification alerts, publication sharing links, OTP verification codes, and document approval requests. These emails are sent through FlipLink's verified infrastructure, which maintains its own SPF records to ensure deliverability. If you use a [custom domain](/features/custom-domains) for your FlipLink publications and want email communications to originate from or reference that domain, you need to add FlipLink's sending servers to your domain's SPF record. This tells recipient mail servers that FlipLink is authorized to send on your behalf, preventing those messages from being flagged as suspicious. The setup takes a few minutes in your DNS management panel and applies globally to all publications under that domain.

Technical Details

An SPF record is a single DNS TXT record attached to your domain. It uses a specific syntax to define authorization rules:

- **`v=spf1`** — declares the SPF version (always version 1)
- **`ip4:` / `ip6:`** — authorizes specific IP addresses or CIDR ranges
- **`include:`** — references another domain's SPF record (commonly used for third-party senders)
- **`a` / `mx`** — authorizes the IPs associated with your domain's A or MX records
- **`~all`** (softfail) — marks unauthorized senders as suspicious but still delivers
- **`-all`** (hardfail) — rejects mail from unauthorized senders outright

SPF has a 10-lookup limit for DNS queries within a single record. Exceeding this limit causes the entire SPF check to fail, which is a common issue for domains that use many third-party email services. Each `include:` directive counts as one lookup, and nested includes count toward the total.

Setup Checklist

Follow these steps to configure SPF for your domain when using FlipLink:

1. **Identify your current SPF record** — Use a DNS lookup tool or your registrar's DNS panel to check if a TXT record starting with `v=spf1` already exists for your domain
2. **List all authorized senders** — Gather the SPF include values for every service that sends email from your domain (your email provider, marketing tools, and FlipLink)
3. **Add FlipLink's servers** — Append FlipLink's authorized sending server directive to your existing SPF record
4. **Set your enforcement level** — Use `~all` (softfail) initially to monitor without blocking, then switch to `-all` (hardfail) once you have confirmed all legitimate senders are included
5. **Check the lookup count** — Verify your record stays within the 10-lookup limit by using an SPF validation tool
6. **Test delivery** — Send a test email through FlipLink (trigger a lead capture or share a publication) and check the email headers for `spf=pass`
7. **Monitor regularly** — Review your SPF record whenever you add or remove an email-sending service from your domain
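The record check from steps 1 and 5, together with the 10-lookup limit described under Technical Details, as an added example (not FlipLink's code or tooling). It goes slightly beyond the text by counting every term RFC 7208 charges against the limit (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`), not only `include:`. The TXT data is constructed, and `spf.fliplink-placeholder.example` is a placeholder, not FlipLink's real include value.

```python
import re

# Constructed TXT data standing in for live DNS answers. Every name here is
# hypothetical; "spf.fliplink-placeholder.example" is NOT FlipLink's real value.
SAMPLE_TXT = {
    "example.com": ["v=spf1 mx include:_spf.mailhost.example "
                    "include:spf.fliplink-placeholder.example ~all"],
    "_spf.mailhost.example": ["v=spf1 include:_blocks.mailhost.example -all"],
    "_blocks.mailhost.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "spf.fliplink-placeholder.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
}
# Terms that trigger a DNS query and count toward the limit (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def parse_terms(record):
    """Split an SPF record into (qualifier, name, value) tuples."""
    terms = []
    for raw in record.split()[1:]:          # skip the v=spf1 version tag
        m = TERM_RE.match(raw)
        if m:
            terms.append((m.group(1), m.group(2).lower(), m.group(3)))
    return terms

def audit(domain, txt=SAMPLE_TXT, path=()):
    """Return (dns_lookup_count, findings) for a domain's SPF policy."""
    records = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:                   # zero or multiple records both break SPF
        return 0, [f"{domain}: expected one v=spf1 record, found {len(records)}"]
    if domain in path:                      # guard against include loops
        return 0, [f"{domain}: include loop"]
    lookups, findings = 0, []
    terms = parse_terms(records[0])
    for qual, name, value in terms:
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect") and value:
            nested, more = audit(value.lower(), txt, path + (domain,))
            lookups += nested               # nested lookups count toward the total
            findings += more
        if name == "all" and qual in ("", "+"):
            findings.append(f"{domain}: +all authorizes every sender")
    if not path:                            # top-level checks only
        if lookups > 10:
            findings.append(f"{domain}: {lookups} DNS lookups, limit is 10")
        if not any(n in ("all", "redirect") for _, n, _ in terms):
            findings.append(f"{domain}: no terminating all mechanism")
    return lookups, findings

if __name__ == "__main__":
    print(audit("example.com"))
```

To run it against a real domain, replace `SAMPLE_TXT` with a mapping filled from actual TXT lookups; the counting logic does not change.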

Common Misconceptions

**"SPF alone is enough to protect my domain."** SPF only verifies the sending server's IP address — it does not verify the visible "From" address that recipients see. Full protection requires SPF combined with DKIM (which signs message content) and DMARC (which ties SPF and DKIM results to the visible sender address and defines a policy for failures).

**"SPF applies to the address shown in the inbox."** SPF actually checks the "envelope from" address (also called the return-path), which is hidden from the recipient. The "From" header that users see in their email client is governed by DMARC alignment, not SPF alone.

**"More include directives make my SPF record stronger."** Each `include:` adds to the 10-lookup limit. Over-including can actually break your SPF record entirely, causing all checks to return a permanent error. Only include services that actively send email from your domain.

**"I set up SPF once and never need to touch it again."** SPF records require maintenance. Adding a new email marketing tool, switching CRM providers, or onboarding a service like FlipLink all require updating the record. Stale entries for decommissioned services waste lookup slots and can create security gaps.
