{"section":"tutorials","requestedLocale":"en","requestedSlug":"best-practices-on-spf","locale":"en","slug":"best-practices-on-spf","path":"docs/en/tutorials/infrastructure/cdn-service/best-practices-on-spf.md","branch":"main","content":"[Sender Policy Framework](http://www.open-spf.org/Introduction/) (SPF) is a system that prevents unauthorized servers from sending emails on behalf of a domain. This system verifies if the server follows the policies determined by the administrator of that domain. This configuration is essential to avoid deliverability issues for transactional emails.\n\nIf you are trying to improve the deliverability rate of transactional emails in your store, consider [setting up DKIM](https://developers.vtex.com/docs/guides/setting-up-dkim-for-transactional-emails) as well.\n\n## Understanding syntax\n\nFor syntax details, we recommend that you read the documentation [Sender Policy Framework SPF Record Syntax](http://www.open-spf.org/SPF_Record_Syntax/).\n\nIn the DNS manager, the SPF will be a TXT entry in the domain root (ex.: site.com) with the following format:\n\n`site.com. IN TXT “v=spf1 a mx ip4:192.0.2.32/27 include:provedor.com ~all”`\n\nWe can divide the policy above into the following sections:\n\n- `v=spf1`: required prefix.\n- `a mx ip4:192.0.2.32/27 include:provedor.com`: authorized senders.\n- `~all`: condition for including or excluding senders except the ones previously declared.\n\nWhen applied for authorized senders, the above rules mean a server can send messages on behalf of the given domain (site.com) if:\n\n- `a`: its IP address is found in the domain's type A entry.\n- `mx`: it is designated as the domain’s MX record.\n- `ip4`: it belongs to the `192.0.2.32/27` IP address block.\n- `include`: it satisfies the SPF rules in the referenced domain (provider.com).\n\nThe inclusion or exclusion condition can have the following values:\n\n- `+all`: any sender will be authorized.\n- `-all`: any sender (except the declared ones) will be rejected.\n- `~all`: another verification step will be required to reject unauthorized senders. (Recommended)\n- `?all`: the verification of unauthorized senders will be disregarded.\n\nWe recommend using `~all`, which has a better deliverability rate. If there is an unauthorized sender, this option does not stop the sending of the email, but informs that the SPF validation failed.\n\n## SPF in the VTEX context\nVTEX uses the `include:amazonses.com` SPF. This is Amazon's transactional email sending service, used in the default sender (VTEX type) of Message Center.\n\nSee our article [Setting up the SPF](https://developers.vtex.com/vtex-rest-api/docs/setting-up-the-spf) for more details."}