This information is critical if you are using your own (sub)domain to send emails from CustomerGauge. Please see steps 3 and 6 in the linked article. 


What is SPF?


Sender Policy Framework (SPF) is an email validation system designed to prevent spam by detecting email spoofing, i.e. mail that claims to come from a domain whose owner never authorized the sending server.


When an email is delivered, the receiving server needs to validate that it is genuine. One of the techniques is to check that the IP address the email was sent from really belongs to the sending (sub)domain or to one of its authorized partners. The process starts with the receiving mail server querying the DNS of the sending (sub)domain for its SPF record, which is essentially a list of all authorized sending IPs.


The SPF record is usually a hierarchy rather than a flat list, so it can't be fetched in a single call. The mail server has to look at each 'piece' (include) of the initial SPF record and make a further DNS call for each child record, until it has visited all the 'leaves' in which the valid IP addresses are actually listed. You can hence see why the 10-record SPF limit is strictly enforced: it is really a limit on DNS lookups, the maximum number of DNS calls a receiving server can be expected to make while walking the tree. Without it, mail servers would be incredibly inefficient and could be subjected to denial of service simply by being sent mail from domains with very large SPF trees.


More information on SPF can be found here.



Why do I need to add an SPF record for CustomerGauge/SES?


Adding an SPF record is necessary if you are sending emails through CustomerGauge from your own subdomain. Doing so lets the recipients of your emails verify that we are authorized to send email on your behalf, as described in the section above. If you don't set up the SPF record, you risk a higher percentage of your emails being bounced or rejected by the recipients.


The SPF record must be published at the subdomain level, since that is where we are sending from. Using sub-domains avoids the 'My SPF is full' problem (the 10-record limit), and allows companies to defend their email reputation better by ringfencing their senders.


What should I do if I've hit the 10-record SPF limit?


CustomerGauge requires sending from a subdomain if you'd like to send from your own email domain. For example, instead of sending from "client-experience@simpleways.com", you would send from "client-experience@feedback.simpleways.com". This is generally good practice even if you haven't hit your 10-record limit yet: the subdomain is reserved specifically for your CustomerGauge use case, so its SPF record stays small and you are unlikely to hit the limit there.


The SPF record should be declared at the exact level from which we are sending, i.e. the specific sub-domain. In general, sending from the sub-domain level is preferable, as it effectively breaks the SPF tree up into separate, smaller branches: we avoid the lookup limit, and the receiving server can validate our emails faster.
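As an added illustration of the tree walk and lookup count described above (example code written for this article, not CustomerGauge's or SES's; every domain name and record below is a constructed stand-in, including the hypothetical provider include _spf.mailer.example), this Python walks an in-memory SPF tree the way a receiving server would, counts the DNS-querying terms against the 10-lookup limit, and contrasts a crowded apex domain with a ringfenced sending subdomain.

```python
# Constructed stand-in for DNS TXT answers (example data, not real records).
FAKE_DNS = {
    "simpleways.com": "v=spf1 include:_spf.crm.example include:_spf.hr.example "
                      "include:_spf.mkt.example a mx -all",
    "_spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.hr.example": "v=spf1 a mx include:relay.hr.example -all",
    "relay.hr.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.mkt.example": "v=spf1 include:p.mkt.example include:q.mkt.example include:r.mkt.example -all",
    "p.mkt.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "q.mkt.example": "v=spf1 ip6:2001:db8::/32 -all",
    "r.mkt.example": "v=spf1 ip4:203.0.113.128/25 -all",
    "feedback.simpleways.com": "v=spf1 include:_spf.mailer.example -all",  # ringfenced subdomain; hypothetical provider include
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.64/26 -all",
}

# Mechanisms that each cost one DNS lookup (RFC 7208 section 4.6.4); ip4/ip6/all cost none.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

def count_lookups(domain, dns, path=()):
    """Return (lookups, ip_networks) for the SPF tree rooted at `domain`."""
    if domain in path:                 # include loop: stop instead of recursing forever
        return 0, []
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0, []
    lookups, networks = 0, []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")     # drop the pass/fail/softfail/neutral qualifier
        if "=" in term:                # modifier: only redirect= costs a lookup
            mod, _, target = term.partition("=")
            if mod == "redirect":
                sub_l, sub_n = count_lookups(target, dns, path + (domain,))
                lookups, networks = lookups + 1 + sub_l, networks + sub_n
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0]      # "a/24" -> "a"
        if name in ("ip4", "ip6"):     # a leaf: this is where the real IPs live
            networks.append(arg)
        elif name == "include":        # walk the child record; its lookups count too
            sub_l, sub_n = count_lookups(arg, dns, path + (domain,))
            lookups, networks = lookups + 1 + sub_l, networks + sub_n
        elif name in LOOKUP_MECHS:     # a, mx, ptr, exists: one lookup each, not expanded here
            lookups += 1
    return lookups, networks

def within_limit(domain, dns=FAKE_DNS, limit=10):
    return count_lookups(domain, dns)[0] <= limit  # the 10-lookup limit receivers enforce
```

Running `count_lookups` on both domains shows the apex needing 13 lookups (over the limit, so receivers would return a permerror) while the feedback subdomain needs only one.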

 

It also makes sense to use a sub-domain from a business perspective. Generally speaking, you want to keep the top-level domain reserved for corporate use. A large organization might have dozens of departments that all send different types of email through different technology partners. If these partners are all registered on the top-level domain, then one rogue (or compromised) partner could start sending on behalf of every department of that organization, including the top-level domain itself. Best practice is therefore to put each department/partner on its own subdomain and keep the top-level domain as free as possible; if that sender is compromised, it can't send on behalf of any other sub-domain or the top-level domain.


Helpful resource: You can check SPF records configured for any domain (including your own) on this free public site.