Secure your domain with SPF

This guide is designed to help schools understand their SPF record. We recommend schools create their SPF record with an IT professional.

If you have any queries relating to this guide, contact Digital.services@education.govt.nz.

What is SPF (Sender Policy Framework) 

SPF is an email authentication standard that domain owners use to specify the email servers they send email from, so receivers know the email is from a legitimate source. It tells recipients ‘my emails should only come from these (listed) IP addresses’.    

Checking your SPF record

There are several free online services that can check if you have an SPF record and if there are any obvious issues with it. 

SPF Check & SPF Lookup - Sender Policy Framework (SPF) - MxToolBox

Enter your domain (eg cyber.school.nz) and ignore the IP field. 

If you have an SPF record, we recommend checking there are no errors and that the services listed are the ones you use. 

If you don’t have one yet, we recommend contacting your IT support provider for help. 

Setting up an SPF record for your domain

To enhance your kura or school’s email communication security and to protect your school’s domain from potential email fraud or spoofing, it is important to ensure that your Sender Policy Framework (SPF) is set up correctly.

Google has some useful guides for how to create an SPF record.

Define your SPF record – Basic setup

Define your SPF record – Advanced setup

Create an SPF record for your kura or school 

Before you can create an SPF record, you need to identify the services your kura or school uses that send mail on your behalf.

Note: this only covers services that use your domain name to send emails, for example: @nameofyourschool.school.nz. If a service sends emails using its own domain, such as nameofyourschool@theirservice.co.nz, that provider is the one who needs to set up the SPF record.

1. Understand what needs to be included in the SPF record 

To understand what needs to be included in the SPF record, you need to identify which services are sending emails on your behalf. 

  • What is your main service for sending emails? This is usually Google Workspace or Microsoft Exchange.  
  • Are there any other providers or services your school uses to send emails? 
    • Newsletter or communication tools often do, such as MailChimp or Create Send
    • Some student management services (SMS) send emails on schools’ behalf. Examples are KAMAR, Hero, or FACTS. 

It’s important to list all of the services your school is using. 

2. Create the SPF record for your school 

  1. All SPF records start with:

v=spf1

  2. Add the following:

A. If you use Google Workspace for your emails:

include:_spf.google.com

B. If you use Microsoft Online for your emails:

include:spf.protection.outlook.com

  3. If you use any other services that send emails, add them in:

include:_spf.otherservice.co.nz

  4. Finish the record using the following:

A. If you’re not sure you’ve listed all the services:

~all

B. If you’re confident you’ve listed all the services that send email on your behalf:

-all

Below are the details of ‘include’ statements for commonly used services in kura and schools.

List of SPF ‘include statements’ for potential email services schools use [DOCX, 15 KB]

It is important to note that:

  • The above table lists some common systems used in schools and is not exhaustive. To maximise security protections, you will need to add the SPF include statements for all other third-party systems that your school uses to send email.
  • For strong security protection, only copy and paste the include statements for the systems your school uses.
  • If a service you use is not listed in the above table, you may be able to find it on the provider’s support webpage, which should include information on SPF records. Alternatively, contact that provider to ask them for their SPF record, to enable their service to send email on behalf of your kura or school’s domain.

3. Add the SPF record to your DNS records 

  • Log into your school’s domain name system (DNS) account. If you’re unsure who your domain name provider is, you can find out on the Domain Name Commission website: WHOIS Domain Lookup - Domain Name Commission NZ
  • Find the TXT entries that relate to SPF (these start with v=spf1). There must be only one such entry, as multiple v=spf1 entries give an invalid record.
  • Paste your SPF record in and save. 
  • If you have issues with this step, contact Liverton Security. They will help get you onto the Ministry’s SchoolDNS service and can set your SPF record for you. 

Contact Liverton by:

Email: livedns@livertonsecurity.com

Phone: 0800 536 7999
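
The steps above can be checked before you save the record. The following is an added example, not part of the Ministry's guide: it builds a record the way step 2 describes and checks a domain's TXT entries for the problems named in steps 2 and 3. The function names are hypothetical, the TXT entries are assumed to be plain strings you have already looked up, and the limit of 10 DNS lookups comes from the SPF standard (RFC 7208) rather than from this guide.

```python
import re

# Mechanisms (and the redirect modifier) that each cost one DNS lookup.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def build_spf(includes, confident=False):
    """Assemble a record as in step 2: v=spf1, the includes, then ~all or -all."""
    terms = ["v=spf1"] + [f"include:{host}" for host in includes]
    return " ".join(terms + ["-all" if confident else "~all"])


def check_spf(txt_records):
    """Return a list of problems in a domain's TXT entries; empty means none found."""
    spf = [r.strip() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record found"]
    if len(spf) > 1:
        return [f"{len(spf)} TXT records start with v=spf1; only one is allowed"]

    terms = spf[0].lower().split()[1:]
    # Strip the optional qualifier (+ - ~ ?) and keep the mechanism name.
    names = [re.match(r"[+\-~?]?([a-z0-9]*)", t).group(1) for t in terms]
    problems = []

    # Only lookups written in this record are counted; lookups made inside each
    # include also count towards the limit and need live DNS to total up.
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups; the limit is {MAX_LOOKUPS}")

    if "all" in names:
        all_term = terms[names.index("all")]
        if all_term not in ("~all", "-all"):
            problems.append(f"'{all_term}' does not reject unlisted senders")
    elif "redirect" not in names:
        problems.append("record does not finish with ~all or -all")
    return problems


# Constructed sample data using the guide's own placeholder include.
record = build_spf(["_spf.google.com", "_spf.otherservice.co.nz"])
good = ["google-site-verification=constructed-value", record]
duplicated = [record, "v=spf1 include:spf.protection.outlook.com -all"]
print(record)
print(check_spf(good), check_spf(duplicated))
```
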
