SPF vs. TXT - Record

Hi there,

I am going to set up a domain with an external DNS (CloudFlare). CloudFlare can add TXT and SPF records. Should I type the SPF stuff of my MiaB into a TXT record or an SPF record? The External DNS Config page tells me to use TXT, but I think SPF would make more sense?

Sincerely

I don’t know what they mean by an SPF record if it’s not the same as a TXT record. That’s not really a thing.

@aspdye
There isn’t an SPF TYPE record in DNS. You add SPF in a TXT type record.

Here are the DNS Record Types:

99.999% of usage is:
A record is for IPv4
AAAA record is for IPv6
CNAME
TXT
MX

According to the following, I think that SPF records exist:

http://mxtoolbox.com/SuperTool.aspx (They list SPF records)
http://mxtoolbox.com/spf.aspx (Description of SPF records)
https://support.cloudflare.com/hc/en-us/articles/200168626-How-do-I-add-a-SPF-record- (They tell you something about SPF records)

From RFC 7208:

 The SPF record is expressed as a single string of text found in the RDATA
 of a single DNS TXT resource record [...]

So yes, an SPF record is really just a TXT record that starts with “v=spf1”.

So some providers might refer to TXT records which follow the SPF syntax as “SPF records”, but technically speaking, they are TXT records (whose value follows the SPF syntax).

As to CloudFlare, I would guess that adding a TXT record of “v=spf1 -all” has the same result as adding an SPF record of “-all”?
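To make the RFC 7208 rules quoted above concrete, here is an added example (not code from any post in this thread, from Mail-in-a-Box or from CloudFlare) of how a receiving mail server picks out the SPF policy for a domain: it reads only the TXT RR set, keeps just the records whose value starts with “v=spf1”, treats more than one such record as a permanent error, and then evaluates the ip4/ip6/all mechanisms against the connecting address. The zone data is constructed by hand (no DNS lookup is performed), the domain names are placeholders, and mechanisms that need further lookups (include, a, mx, exists) and the redirect= modifier are deliberately not followed.

```python
"""RFC 7208 SPF record selection plus a minimal ip4/ip6/all evaluator.

Added example; not code from the original thread, Mail-in-a-Box or
CloudFlare. ZONES is constructed by hand and no DNS is queried.
"""
import ipaddress
import re

# Section 4.5: a TXT record is an SPF record only if it starts with
# "v=spf1" followed by a space or end of string (case-insensitive).
# "v=spf10" therefore does not qualify.
SPF_VERSION_RE = re.compile(r"^v=spf1(?:\s|$)", re.IGNORECASE)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def join_txt_strings(strings):
    """Section 3.3: the character-strings of one TXT RR are concatenated
    with no separator inserted between them."""
    return "".join(strings)


def select_spf_record(zone):
    """Pick the SPF record from a zone given as {"TXT": [...], "SPF": [...]}.

    Each RR is a list of character-strings. Only the TXT set is read: RR
    type 99 ("SPF") is obsolete in RFC 7208, so a policy published only
    there is invisible to a compliant checker.
    Returns ("none", None), ("permerror", None) or ("ok", record).
    """
    candidates = [join_txt_strings(rr) for rr in zone.get("TXT", [])]
    spf = [c for c in candidates if SPF_VERSION_RE.match(c)]
    if not spf:
        return ("none", None)
    if len(spf) > 1:  # section 4.5: two v=spf1 records is a permerror
        return ("permerror", None)
    return ("ok", spf[0])


def check_ip(record, client_ip):
    """Evaluate ip4/ip6/all left to right (section 4.6.2).

    Returns "pass", "fail", "softfail" or "neutral". No match and no
    "all" gives "neutral" (section 4.7) unless redirect= is present.
    """
    ip = ipaddress.ip_address(client_ip)
    redirect = False
    for term in record.split()[1:]:  # drop the "v=spf1" version tag
        if "=" in term:  # modifier (redirect=, exp=), not a mechanism
            redirect = redirect or term.lower().startswith("redirect=")
            continue
        qual, mech = "+", term
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qual]
            continue
        raise ValueError(f"mechanism {name!r} needs a DNS lookup; not evaluated")
    if redirect:
        raise ValueError("no match and redirect= present; would need a DNS lookup")
    return "neutral"


# Constructed zones (placeholder names). RR values are character-strings.
ZONES = {
    # One SPF TXT record split over two strings, an unrelated TXT record,
    # and an obsolete type-99 copy that must be ignored.
    "example.com": {
        "TXT": [
            ["some-site-verification=abc123"],
            ["v=spf1 ip4:192.0.2.0/24 ", "ip6:2001:db8::/32 -all"],
        ],
        "SPF": [["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"]],
    },
    # Two v=spf1 TXT records: a permerror, not a merge.
    "two-records.example": {
        "TXT": [["v=spf1 -all"], ["v=spf1 ip4:198.51.100.7 -all"]],
    },
    # Policy only in type 99, plus a TXT record that is not "v=spf1".
    "type99-only.example": {
        "TXT": [["v=spf10 ip4:192.0.2.1 -all"]],
        "SPF": [["v=spf1 -all"]],
    },
}


if __name__ == "__main__":
    for name, zone in ZONES.items():
        print(name, *select_spf_record(zone))
    _, rec = select_spf_record(ZONES["example.com"])
    for ip in ("192.0.2.77", "2001:db8:1::5", "203.0.113.9"):
        print(" ", ip, "->", check_ip(rec, ip))
```

Two things in the constructed data are worth noticing: the "type99-only.example" zone ends up with no usable SPF policy at all, which is exactly what happens to a domain whose operator filled in only a provider's "SPF record" field, and the two-record zone fails closed with permerror rather than picking one of the two.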

It’s interesting, because Google Domains allows a specific ‘SPF’ record, and if you turn on their “auto config for using their email” (e.g. Google Apps for Work or whatever) it makes both an ‘SPF’ and a ‘TXT’ SPF record.

@usachris Interesting indeed. But I think that this might just be a front-end thing only.

Just to quote the RFC one more time:

SPF records MUST be published as a DNS TXT (type 16) Resource Record
(RR) [RFC1035] only.

I think I found it… it seems that RR type 99 (SPF) is obsolete; it was in use 7+ years ago, but maybe Google and others keep it around for compatibility, I don’t know. Most other DNS providers don’t give the option.

From: https://tools.ietf.org/html/draft-ietf-spfbis-4408bis-15#section-13.1
"Studies have shown that RRTYPE 99 has not seen any substantial use, and in fact its existence and mechanism defined in [RFC4408] has led to some interoperability issues. Accordingly, its use is now obsolete, and new implementations are not to use it."

Wow, the more I look into it, the more confusing it is. So I guess some SPF v3 will use SPF type 99 (using SPF vs. TXT), but, so as not to confuse anyone reading this, including the OP: leave it all alone, leave it at v=spf1, and use TXT, or both if your DNS provider recommends both.

From: http://www.openspf.org/Community/SPFv3-SPF-RR-exclusive

Sender Policy Framework
Community/SPFv3-SPF-RR-exclusive
Description

SPFv3 will use exclusively the SPF RR (type 99).

Rationale

RFC 4408 used the TXT RR because the newer record type was not widely available. After several years, most DNS software has been modified, introducing the SPF type. The current threats and the status of DNSSEC (or DNS over SCTP) prefigure that updated versions of the software will have been installed on most hosts by the time the new RFC is published.

Backward compatibility

It is RECOMMENDED that a backward compatible TXT RR starting with v=spf1 be maintained as long as some SPF checks are still carried out by old software. (Users can check their DNS logs, looking for TXT requests after sending.)

Old RFC 4408 software should discard new SPF RRs starting with v=spf3 according to step 1 of section 4.5, and then proceed with v=spf1 RRs, probably but not necessarily of type TXT, if any. New software SHOULD look up TXT RRs if it finds no SPF RR, and MAY accept v=spf1 for backward compatibility. Admins MUST NOT create RRs of type TXT that start with v=spf3.

@usachris thanks for digging this up, very illuminating.

Looks like even CloudFlare says not to use an “SPF” record, per @aspdye’s link.

Always use a TXT record (as the box says :slight_smile: ).

Exactly why MiaB is so awesome: people don’t even have to worry about all this mess! Thanks again Josh for such an awesome gift to the community!!

I have to agree with @usachris that @JoshData’s Mail-in-a-Box is a great gift for the community!

Quote CloudFlare:

Although most DNS providers (CloudFlare included) support the
dedicated SPF record types, some DNS clients may not support it yet and
look for the TXT record instead, so our recommendation is to set up both
an SPF record and a TXT record on your domain to ensure backwards
compatibility.

So what about that :smiley:

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.