DNS SPF Records

How to use SPF records to increase the likelihood that your e-mails will be received and not go to spam.

796 views
d

By. Jacob

Edited: 2023-05-21 12:20

SPF records.

An SPF record (Sender Policy Framework) is a DNS record of type TXT that is used to approve servers (IP addresses and HOST names) to send e-mail on behalf of a domain. While this will help to prevent some e-mail spoofing, there is no guarantee that a given e-mail server will use the standard; the largest e-mail providers will probably be using it though.

To create a SPF record, we begin with v=spf1, this part indicates the version of the SPF standard. This is then followed by the IPs and/or host names of the server'(s) that we want to approve. The -all at the end means that e-mail coming from other servers than the ones specifically listed should be rejected—note the minus sign "-".

Note. ~all means that if a server was not authorized, e-mail originating from it should be placed in the spam folder. -all means that the e-mail should be rejected. You might see examples online using both "~" and "-". Using "-" is generally best.

The first thing you need is the IP address of your SMTP server; including the IP in a SPF record will decrease the likelihood that your messages are rejected as spam by gmail and others. An SPF record tells receiving e-mail servers that a given server (IP address or host name) is authorized to send e-mail on behalf of your domain name:

v=spf1 ip4:10.0.0.1 -all

Assuming you own example.com, the above is all that is needed to send e-mail from the 10.0.0.1 server, on behalf of [email protected]; but, if you want to also allow other domain names to send e-mail through your server, you must also modify the DNS records of those other domains. You can not approve your server unless you got access to changing their DNS records.

The SPF syntax

If you got access to the DNS records of a domain, you can also "import" a SPF record of another domain with this syntax: _spf.example.com—just beware that this will cause extra DNS lockups.

If the SMTP server is hosted on the same IP as the main domain, you can also use +a, since this will point at / approve the a record for sending e-mail.

The plus "+" and minus "-" signs indicates whether e-mails coming from a server should be allowed or rejected. These signs should be added in front of the rules. I.e.: +include:smtp.example.com.

Instead of adding an IP address, you can also add the domain (host) of the e-mail server, this is done by adding an include rule to your SPF record:

v=spf1 ip4:x.x.x.x include:smtp.example.com -all

This example will both allow an IP address, and the smtp.example.com host to send e-mail on behalf of the domain.

Note. It is recommended to avoid the use of HOST names (include), and instead use IP addresses, since host names can cause a substantial amount of DNS lockups.

Multiple statements can also be added. For example, if you have more than one IP address that sends e-mail on behalf of your domain, you would list them like this:

v=spf1 ip4:10.0.0.1 ip4:10.0.0.2 -all

Of course, those IP's are just examples. You need to add the WAN of the SMTP server.

And likewise, the syntax for multiple domains:

v=spf1 ip4:x.x.x.x include:smtp.example.com include:send.example.com -all

It may take a couple of days for DNS changes to take effect and propagate to Google's servers. Even if your DNS record has updated, it might not have propagated to all servers yet; so be very patient when experimenting with DNS records.

Useful resources

These other resources may help you better understand about SPF records.

  1. SMTP error reference - google.com
  2. Help prevent email spoofing with SPF records - google.com

Tell us what you think:

  1. How to block sender e-mail addresses and domains in Postfix to effectively eliminate marketing spam.
  2. Configure Postfix to check SPF records and fight e-mail spoofing.
  3. Rate limiting your postfix server to limit the amount of e-mail a single user can send.
  4. To add or update a PTR record for an AWS IP, you will need to contact Amazon through the: Request to remove email sending limitations form. Read more in this article.

More in: Mail Servers