An SPF (Sender Policy Framework) record is a list of servers that are allowed to send e-mail from your domain. This reduces spam activity that may be perceived to originate from your domain, which is known as source address spoofing.
If you have ever received a sudden influx in bounced e-mail that appears to have originated from one of your domains your first thought might be “Oh no! Something on my server is sending spam!” While this is sometimes the case there is a large chance that what you are seeing is known as “backscatter”; a product of some other server sending spam and using source address spoofing to make the messages appear to originate from your domain.
SPF records are one of several options available for limiting the amount of backscatter you receive. When a server attempts to send spam using your domain name other servers that are receiving the messages may check your domain name to see if it has a SPF record. If a SPF record is present in your domain’s DNS zone file the server will then check to see if the mail originated from a server or IP that is listed in the SPF record. If the mail came from a SPF-listed source then the message is processed normally. If the mail did not originate from a server in the SPF list then the message is instantly rejected per the receiving server’s policies.
Example SPF Record
Example 1: A One-Server Environment
If your server is running both your web site and your e-mail your SPF record can be as simple as:
domain.com. IN TXT "v=spf1 a mx ~all"
So what is this saying? Remember, SPF records are really just a simple list of “approved” sources, servers that are allowed to send e-mail from your domain.
Breaking the SPF record down:
- domain.com – The domain that the SPF record applies to
- IN TXT – The DNS zone record type. SPF records are written as TXT record types.
- v=spf1 – Identifies the TXT record as an SPF record.
- a – Lists the domain’s primary A record as approved to send e-mail.
- mx – Lists the domain’s MX record(s) as approved to send e-mail.
- ~all – Signifies that this list is all inclusive, and no other servers are allowed to send e-mail per the SPF.
Example 2: Adding More Servers
If you use any third-party service or different physical server to handle your domain’s e-mail then you are likely using a modifed MX record to point your e-mail at that other server. Because the other server handles your e-mail, and may be used to send e-mail as well, you will need to list it in your domain’s SPF record.
Remember, an SPF record lists what servers are approved to send e-mail from your domain. If you do not list other sources of e-mail your messages may not be delivered because they came from a source that is not in the list.
A common scenario is when an e-mail user is forced to send all e-mail using their ISP’s SMTP server because their ISP blocks traffic to any other SMTP server. In this case you need to list your ISP’s smtp server as an include statement. A similar example a domain that uses Google Apps to handle all e-mail activity. When using Google Apps it is a good idea to list google.com in your SPF record as an include statement so that all outbound e-mail is delivered successfully.
domain.com. IN TXT "v=spf1 a mx include:google.com ~all"
The include statement tells other servers to include all relevant SMTP and MX information for google.com in your SPF list.
Openspf.org maintains an easy to use SPF wizard that will ask you several questions regarding your domain and will help you setup a complete SPF record including other sources of e-mail. If you have any questions regarding your current setup please contact us anytime using the Support information below.
Adding Your SPF Record
Now that you have your SPF record ready to go it needs to be added to your domain’s existing DNS records. Run a WHOIS command on your domain name and double check the nameservers it is using. If your server is also acting as the nameservers you can add the SPF record to your domain’s DNS using the tools built in your web server control panel.
If your domain’s DNS is being handled by nameservers that you do not have direct access to, such as your domain registrar or XWeb’s nameservers, then you will need to contact the responsible party and have them assist you with updating your DNS.