SPF (Sender Policy Framework) is crucial for ensuring email security and preventing unauthorized email spoofing. When you set up a Sending Domain with ActiveCampaign, the process includes setting up a Mailserver Domain, where you point your domain to us via a CNAME record. This allows ActiveCampaign to serve the necessary SPF record for you. As long as you have set up the Mailserver Domain, SPF will be fully covered with ActiveCampaign.
To learn more about the terminology used in this article, please visit the Deliverability Terminology page.
Take note
ActiveCampaign does not require you to set up SPF. This is set up for you when you set up a Sending Domain.
What is SPF?
SPF is like a security guard for emails. It allows you (the sender) to publish a public record that lists which IP (Internet Protocol) addresses can send from your domain. The public record is created in the public DNS (Domain Name System) as a TXT (text) record for a domain. When a Mailbox Provider (MBP) like Gmail receives a message using this domain, it can look at your public DNS record to see if the sending IP is permitted to send the campaign.
In simple terms, SPF acts as a gatekeeper, ensuring only legitimate emails get through, keeping you and your subscribers safe from phishing scams.
What does an SPF record look like?
A typical SPF record looks like:
v=spf1 ip4:173.236.20.250 include:_spf.google.com ~all
- `v=spf1` This tells us it’s an SPF record, version 1. Currently, there is only one version, so you can assume this will be at the beginning of all SPF records.
- `ip4:173.236.20.250` This says that the IP address 173.236.20.250 is allowed to send emails with this domain.
- `include:_spf.google.com` This says that any of the IPs defined in Google’s included SPF record should be allowed to send emails with this domain. This is a common practice for using your domain with any email service. The SPF record will need to allow this email provider to send emails with your domain from their IPs.
- `~all` This is a “qualifier” that tells MBPs like Gmail what to do with the IPs not specified in the rest of the SPF record (“all” can be read as “all the remaining IPs”). This helps the owner of a domain control how strictly emails should be rejected if they are sent from an IP address not in the SPF record.
This qualifier can be:
– “+” which means “pass” (= accept them as allowed sources)
– “-” which means “fail” (= consider them as not allowed)
– “~” which means “SoftFail” (= accept them but mark them as not allowed)
– “?” which means “neutral” (= don’t take a stance). This is not recommended because it’s the least secure qualifier.
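The following added example (not ActiveCampaign code) evaluates a sending IP against the sample record above and shows how the qualifier on the matching term decides the result. The domain `example.com` and the contents of the `_spf.google.com` entry are constructed for the example, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed sample "DNS" (domain -> SPF TXT record) so the example runs offline.
# The _spf.google.com entry is a stand-in, not Google's real record.
SAMPLE_DNS = {
    "example.com": "v=spf1 ip4:173.236.20.250 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=SAMPLE_DNS, depth=0):
    """Evaluate ip against the SPF record published for domain."""
    if depth > 10:
        return "permerror"  # guard against include loops
    record = dns.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        # A term without a qualifier behaves as "+" (pass).
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term
        name, _, value = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True  # "all the remaining IPs"
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include matches only if the included record returns "pass"
            matched = check_spf(ip, value, dns, depth + 1) == "pass"
        else:
            raise NotImplementedError(f"{name!r} is outside this example")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for ip in ("173.236.20.250", "192.0.2.10", "198.51.100.7"):
        print(ip, check_spf(ip, "example.com"))
```
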
How is SPF checked?
SPF is checked against the Return-Path domain (aka “Mail From,” “Envelope From,” “5321.MailFrom”), not your “From” address domain. (At ActiveCampaign, we refer to the Return-Path domain as the Mailserver Domain. We will use Mailserver Domain throughout the rest of this article to mean Return-Path Domain.)
The Mailserver Domain is a hidden header that indicates where the email came from and tells the system where to send bounce notifications.
As an example, Gmail displays this SPF/Mailserver Domain as the “mailed-by” value.
If you inspect the headers in Gmail you will see this same SPF/Mailserver Domain is checked for SPF.
spf=pass (google.com: domain of bounce-4303-42198-5997648-acaburchtest4+testbad=gmail.com@out.activecampaign.com designates 52.128.41.226 as permitted sender)
You can see that out.activecampaign.com is being checked for SPF and declared a “permitted sender”, but the domain in the From Address activecampaign.com is not checked for SPF.
The Mailserver Domain is a subdomain of your primary domain. You cannot use your primary domain as your Mailserver Domain with ActiveCampaign.
When you set up a Sending Domain in ActiveCampaign, you create a CNAME (or Canonical Name) for the Mailserver Domain that points to ActiveCampaign.
The CNAME you set up here lets us use your domain in the emails you send. We serve the correct SPF record for your domain via the CNAME, allowing your ActiveCampaign emails to pass SPF with your domain. An additional benefit of this configuration is when a bounce occurs, the MBP may choose to send the bounce report to the Return-Path, but the CNAME record will route the email to ActiveCampaign.
Once we have it, we automatically process the bounce for you, keeping your lists clean.
By setting up a Mailserver Domain with ActiveCampaign, you have set up your domain to pass SPF with ActiveCampaign.
If you do not set up a Mailserver Domain, ActiveCampaign will use our domain for the Return-Path and, therefore, for SPF. Our domain will pass SPF because it will include all our IPs in its SPF record. However, it will not align with your From address domain, and you will see SPF failures in Google Postmaster Tools because the domain is not aligned. To achieve Domain Alignment, you should set up a CNAME for a Mailserver Domain. Learn more about Domain Alignment.
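To make the difference between the SPF-checked domain and the visible From domain concrete, this added example (not ActiveCampaign code) reads both from a message and reports whether they align. The message is constructed: its Return-Path reuses the address from the Gmail header quoted earlier, the From address `newsletter@activecampaign.com` is made up, and the organizational domain is assumed to be the last two labels.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; only the Return-Path address comes from the
# Gmail header quoted in this article, every other header is made up.
RAW = """\
Return-Path: <bounce-4303-42198-5997648-acaburchtest4+testbad=gmail.com@out.activecampaign.com>
From: ActiveCampaign <newsletter@activecampaign.com>
To: testbad@gmail.com
Subject: constructed sample

body
"""


def domain_of(header_value):
    """Lower-cased domain of the address found in a header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def org_domain(domain):
    # Assumption for this example: the organizational domain is the last two
    # labels. Real checkers consult the Public Suffix List (e.g. for .co.uk).
    return ".".join(domain.split(".")[-2:])


def spf_alignment(raw_message):
    """Report which domain SPF is checked against and how it aligns with From."""
    msg = message_from_string(raw_message)
    spf_domain = domain_of(msg["Return-Path"])  # Mailserver Domain, used for SPF
    from_domain = domain_of(msg["From"])        # domain the recipient sees
    if spf_domain == from_domain:
        aligned = "strict"      # identical domains
    elif org_domain(spf_domain) == org_domain(from_domain):
        aligned = "relaxed"     # subdomain of the same organizational domain
    else:
        aligned = "none"        # SPF can pass, but for someone else's domain
    return {"spf_domain": spf_domain, "from_domain": from_domain, "aligned": aligned}


if __name__ == "__main__":
    print(spf_alignment(RAW))
```
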
What about SPF on my From address domain?
It is also possible to add an SPF record to your From Address domain. If you send from marketing@mydomain.com, the From Address domain is “mydomain.com”. This is the From that appears very visibly to all recipients of your emails.
You can also add an SPF record to this domain, but this is not the domain where a true SPF check occurs — the Mailserver Domain covers SPF. However, we have found that adding our IPs to your From Address domain SPF record can help with certain French, German, or Chinese MBPs who may also check this domain for SPF, and it can sometimes improve delivery to Microsoft/Outlook. Given this, we encourage ActiveCampaign users to add our IPs to their From Domain SPF record.
How to modify my SPF record for my From Domain (optional)
To do this, you will need to edit the DNS records with your DNS provider (e.g., GoDaddy).
If you don’t have an SPF record yet, you can add a new TXT record like this:
v=spf1 include:emsd1.com -all
If you already have an SPF record at your domain like this:
v=spf1 include:_spf.google.com -all
You can add our SPF records to it by adding “include:emsd1.com” to the middle of the SPF record. The new record would be:
v=spf1 include:_spf.google.com include:emsd1.com -all
After editing your SPF record you can use a tool like this to check that it is still valid.
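The edit described above can be scripted and sanity-checked before it is published. This added example (not ActiveCampaign code) covers both cases, no existing record and an existing one, and goes slightly further than the text by refusing a domain that already has more than one SPF record and by counting DNS-lookup terms against the limit of 10 in RFC 7208. The function names are hypothetical.

```python
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # each costs one DNS lookup


def mechanism(term):
    """Mechanism name of a term, without qualifier, argument or CIDR suffix."""
    return term.lstrip("+-~?").lower().split(":")[0].split("/")[0]


def lookup_count(record):
    """DNS-lookup terms in this record only; nested includes also count toward 10."""
    terms = record.split()[1:]
    return sum(mechanism(t) in LOOKUP_TERMS or t.lower().startswith("redirect=")
               for t in terms)


def add_include(record, domain="emsd1.com"):
    """Insert include:<domain> once, before the terminating 'all' term."""
    terms = record.split()
    new_term = "include:" + domain.lower()
    if new_term in (t.lower().lstrip("+") for t in terms):
        return record  # already present, leave the record untouched
    # Terms are evaluated left to right, so the include must precede "all".
    idx = next((i for i, t in enumerate(terms) if mechanism(t) == "all"), len(terms))
    terms.insert(idx, new_term)
    return " ".join(terms)


def updated_spf(txt_records, domain="emsd1.com"):
    """Return the single SPF TXT value the From domain should publish."""
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        raise ValueError("more than one v=spf1 record: receivers return permerror")
    record = add_include(spf[0], domain) if spf else f"v=spf1 include:{domain} -all"
    if lookup_count(record) > 10:
        raise ValueError("more than 10 DNS-lookup terms (RFC 7208 limit)")
    return record


if __name__ == "__main__":
    # Constructed TXT record set for a From domain.
    print(updated_spf(["site-verification=sample", "v=spf1 include:_spf.google.com -all"]))
```
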
Why can’t I use the same domain for my Return-Path and From address with one SPF record?
You might wonder why you set up SPF at your primary domain when you use a service like Gmail, Office, or another proper inbound email provider, but with an Email Marketing Service Provider (ESP) like ActiveCampaign, you have to set up a CNAME at a subdomain that is different from your primary From address domain.
The reason you must set up separate SPF records is that, with Gmail, Office, or another proper inbound email provider, they will receive all messages for your primary domain to populate in your inbox. This allows Gmail to use the same domain in the From Address and Return-Path for SPF. However, ActiveCampaign doesn’t receive messages for your primary domain. Therefore, we must use a separate domain in the From Address and Return-Path to ensure that replies get sent to your primary email provider (Gmail or Office), but bounces get sent to us for automatic processing.
Additional Resources
Our friends at Postmark have some great articles explaining SPF from their standpoint as a transactional ESP: