DNS SPF Records

How to use SPF records to increase the likelihood that your e-mails will be received and not go to spam.

Edited: 2020-06-03 06:04

SPF records

An SPF record (Sender Policy Framework) is a DNS record of type TXT that lists the servers (IP addresses and host names) allowed to send e-mail on behalf of a domain. It helps prevent some e-mail spoofing, but there is no guarantee that a given receiving server checks it; the largest e-mail providers do, and they treat mail that fails the check, or that has no SPF record at all, as suspicious.

To create an SPF record, we begin with v=spf1; this part indicates the version of the SPF standard. It is followed by the IPs and/or host names of the server(s) that we want to authorize. The -all at the end means that e-mail coming from any server other than the ones listed should be rejected; note the minus sign "-".

Note. There is a real difference between -all and ~all, even though you will see examples online using both. -all is a hard fail: the receiver is told to reject mail from unlisted servers. ~all is a soft fail: the receiver is told to accept the mail but mark it as suspicious (typically it lands in spam). ?all is neutral and says nothing about unlisted servers. Use ~all while you are still confirming that every legitimate sender is listed, then move to -all.

The first thing you need is the public IP address of your SMTP server; listing it in an SPF record will decrease the likelihood that your messages are rejected as spam by Gmail and others. An SPF record tells receiving e-mail servers that a given server (IP address or host name) is authorized to send e-mail on behalf of your domain name:

v=spf1 ip4:10.0.0.1 -all

Assuming you own example.com, the above is all that is needed to send e-mail from the 10.0.0.1 server on behalf of user@example.com. If you also want other domain names to send e-mail through your server, the SPF records of those other domains must list your server too, because the receiver looks up the SPF record of the domain in the sender address, not the domain of the server. You cannot authorize your server for another domain unless you can change that domain's DNS records.

The SPF syntax

If you have access to the DNS records of a domain, you can also "import" the SPF record of another domain with the include mechanism, e.g. include:_spf.example.com; just beware that every include costs an extra DNS lookup, and RFC 7208 caps the number of lookup-causing terms (include, a, mx, ptr, exists and the redirect modifier) at 10 per evaluation. A record that exceeds the limit produces a permanent error, which receivers treat as if you had no valid SPF record at all.

If the SMTP server is hosted on the same IP as the main domain, you can also use a (written +a in some examples), since this authorizes whatever the domain's A record points at for sending e-mail.

The plus "+" and minus "-" signs are qualifiers that indicate whether e-mail matching a mechanism should be passed or failed; "~" (soft fail) and "?" (neutral) are the other two. A qualifier is added in front of the mechanism, e.g. +include:smtp.example.com. When no qualifier is given, "+" is assumed, so +ip4:10.0.0.1 and ip4:10.0.0.1 mean the same thing.

Instead of adding an IP address, you can also reference the domain (host) of the e-mail server. This is done by adding an include rule to your SPF record:

v=spf1 ip4:x.x.x.x include:smtp.example.com -all

This example allows both the IP address and every server authorized by the SPF record of smtp.example.com to send e-mail on behalf of the domain. Note that include does not authorize the host itself; it pulls in the SPF policy published at that name, so it only works if smtp.example.com publishes an SPF record of its own. To authorize a host by its A/AAAA records instead, use a:smtp.example.com.

Note. It is recommended to avoid host-name based mechanisms (include, a, mx) where you can and use ip4/ip6 instead, since each of them causes a DNS lookup on the receiving side and counts against the limit of 10 lookups.

Multiple statements can also be added. For example, if you have more than one IP address that sends e-mail on behalf of your domain, you would list them like this:

v=spf1 ip4:10.0.0.1 ip4:10.0.0.2 -all

Of course, those IPs are just examples. You need to add the public (WAN) IP address of the SMTP server, i.e. the address the receiving server sees the connection coming from.

And likewise, the syntax for multiple domains:

v=spf1 ip4:x.x.x.x include:smtp.example.com include:send.example.com -all
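To make the syntax above concrete, here is a small SPF evaluator written for this page (it is an added example, not the author's code or a production library such as pyspf). It parses the qualifier/mechanism/argument terms, resolves include by recursion, reports pass, fail, softfail or neutral for a sending IP, and counts the lookup-causing terms against the 10-lookup budget. Because it must run offline, the zone data is a constructed in-memory table; the domains example.com, _spf.example.net, softfail.example and heavy.example are hypothetical. The a, mx, ptr and exists mechanisms are counted as lookups but not matched, since matching them needs real DNS.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; hypothetical zone data for this example.
FAKE_DNS_TXT = {
    "example.com":      "v=spf1 ip4:10.0.0.1 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:10.0.0.2 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:10.0.0.1 ~all",
    # Deliberately over the lookup budget: 3 direct lookups + 5 includes of 2 each.
    "heavy.example":    "v=spf1 a mx ptr " + "include:example.com " * 5 + "-all",
}

MAX_DNS_LOOKUPS = 10                      # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            continue                       # modifiers (redirect=, exp=) not handled here
        qual = "+"                         # "+" is the default qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def check_spf(domain, sender_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_ip against domain's SPF record: pass/fail/softfail/neutral/none."""
    record = dns.get(domain)
    if record is None:
        return "none"                      # no SPF record published
    if depth > MAX_DNS_LOOKUPS:
        return "permerror"                 # runaway include chain
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # ip_network(...) of a bare address is a /32 or /128; a v4 address never
            # falls inside a v6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only when the referenced domain's policy returns pass;
            # its fail/softfail/neutral simply mean "no match" here.
            matched = check_spf(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            continue                       # a/mx/ptr/exists need real DNS; skipped
        if matched:
            return QUALIFIERS[qual]        # first matching term decides the result
    return "neutral"                       # nothing matched and no "all" term


def count_lookups(domain, dns=FAKE_DNS_TXT):
    """Count the DNS-querying terms a receiver must resolve for domain, recursively."""
    record = dns.get(domain)
    if record is None:
        return 0
    total = 0
    for _, mech, arg in parse_spf(record):
        if mech in LOOKUP_MECHANISMS:
            total += 1
            if mech == "include":
                total += count_lookups(arg, dns)
    return total


def within_lookup_budget(domain, dns=FAKE_DNS_TXT):
    """True if the record stays within the 10-lookup limit (else receivers permerror)."""
    return count_lookups(domain, dns) <= MAX_DNS_LOOKUPS


if __name__ == "__main__":
    for dom, ip in [("example.com", "10.0.0.1"), ("example.com", "10.0.0.2"),
                    ("example.com", "2001:db8::1"), ("example.com", "192.0.2.5"),
                    ("softfail.example", "192.0.2.5")]:
        print(f"{dom:18} {ip:12} -> {check_spf(dom, ip)}")
    for dom in ("example.com", "heavy.example"):
        print(f"{dom}: {count_lookups(dom)} lookups, ok={within_lookup_budget(dom)}")
```

The last two evaluations show the -all versus ~all difference directly: the same unlisted IP gets "fail" from example.com and "softfail" from softfail.example. heavy.example is accepted by the parser but blows the lookup budget, which is the failure mode the note above warns about.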

How long a DNS change takes to reach Google's servers depends on the TTL of the record and on caching along the way; it can take up to a couple of days in the worst case. Even if your authoritative DNS server has updated, resolvers elsewhere may still be serving the old record, so be patient when experimenting with DNS records, and check what the rest of the world sees (e.g. with dig TXT example.com against a public resolver) before assuming the change is live.

Problems reaching gmail

Normally I just need to send e-mail from my own domain name, but I recently had to allow another domain to send e-mail using my SMTP server. I thought I had nailed those SPF records, but apparently I had not, and hence my e-mails would get returned when I tried sending e-mails to gmail accounts.

Gmail would inform me that the IP address had been "rate limited" for low reputation, or simply that my e-mail had been rejected. Since I had not been sending any e-mails for a while, I figured the problem could not be caused by spamming.

Here is an example of one of those messages:

...host gmail-smtp-in.l.google.com[173.194.175.27] said: 550-5.7.26 This message does not have authentication information or fails to 550-5.7.26 pass authentication checks. To best protect our users from spam, the 550-5.7.26 message has been blocked. Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information...

And another one:

Our system has detected that this message is 421-4.7.0 suspicious due to the very low reputation of the sending IP address. 421-4.7.0 To protect our users from spam, mail sent from your IP address has 421-4.7.0 been temporarily rate limited. Please visit 421 4.7.0 https://support.google.com/mail/answer/188131 for more information.

Useful resources

These other resources may help you better understand SPF records.

  1. SMTP error reference - google.com
  2. Help prevent email spoofing with SPF records - google.com