Feb 25

Setting Up SPF DNS Records

SPF (Sender Policy Framework) is an internet standard for addressing spam: it lets a domain declare which servers are allowed to send email on its behalf, so spammers cannot send forged emails for your domain (unless they have compromised your mail server or your DNS servers).

SPF accomplishes this through special records in your domain’s DNS zone: when a mail server receives a message claiming to be from your domain, it can look up that record to determine whether the message was sent from an authorized server.

Basic SPF DNS record syntax:

<your.domain.here.> IN TXT "v=spf1 [def] ..."

Each [def] states which servers are (or are not) allowed to send email for the particular domain. The [def]s are evaluated in order: a server that does not match one def is checked against the next, and the first def that matches decides the result.

Let’s say the domain in question is mydomain.com.

For example, if any server can send emails for mydomain.com, then the SPF record will look like:

mydomain.com. IN TXT "v=spf1 +all"

The + (plus) sign is a modifier that means “pass”, and all means any server. + is the default modifier, so it can be omitted, and the above SPF record becomes:

mydomain.com. IN TXT "v=spf1 all"

Other available modifiers are:

  • - (minus) – this means “fail”, i.e. we do not allow the following servers to send email for the domain
  • ~ (tilde) – this means “soft fail”, i.e. the servers in question are probably not authorized; the recipient should still accept the message, but treat it as suspicious (for example by marking it) rather than rejecting it outright
  • ? (question) – this means “neutral”, i.e. the record makes no claim either way about these servers

So if we do not want the domain to send any email at all, we use - with all, as follows:

mydomain.com. IN TXT "v=spf1 -all"

Besides all, which means any server, the following server types can also be used as part of a definition:

  • a – this maps to the Address (A) records of the domain
  • mx – this maps to the Mail eXchange (MX) records of the domain, i.e. its mail servers
  • ptr – this maps to the PTR (reverse DNS) records of the sending server; RFC 7208 discourages this mechanism because it is slow and unreliable, so prefer a and mx

So if we want the server(s) the domain’s A records point to, plus the domain’s mail servers, to be able to send email for the domain, but deny all other servers, we write the following:

mydomain.com. IN TXT "v=spf1 +a +mx -all"

Or with the + being implicit:

mydomain.com. IN TXT "v=spf1 a mx -all"
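To make the left-to-right evaluation concrete, here is a small SPF checker written for this page as an added example; it is not code from the original post or from any SPF library. It walks a record such as "v=spf1 a mx -all" the way a receiving mail server would, applying the a, mx and all mechanisms described above (plus ip4:, a standard SPF mechanism the post does not cover) and returning the result of the first matching term. All DNS data comes from a constructed in-memory table (FAKE_DNS), and the hostnames and addresses in it are hypothetical, so the script runs offline.

```python
"""Toy SPF evaluator: walk an SPF record left to right and return the
qualifier of the first mechanism that matches the sending IP.

Added example for this page, not part of the original post. DNS lookups
are answered from a constructed in-memory table instead of real DNS.
"""
import ipaddress

# Constructed DNS data for the hypothetical zone mydomain.com.
FAKE_DNS = {
    "A": {
        "mydomain.com.": ["192.0.2.10"],
        "mail1.mydomain.com.": ["192.0.2.25"],
        "mail2.mydomain.com.": ["198.51.100.25"],
    },
    "MX": {
        "mydomain.com.": ["mail1.mydomain.com.", "mail2.mydomain.com."],
    },
    "TXT": {
        "mydomain.com.": ["v=spf1 a mx -all"],
    },
}

# The sign in front of a mechanism decides the result when it matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype, name):
    """Stand-in for a DNS query; returns [] when nothing is known."""
    return FAKE_DNS.get(rtype, {}).get(name, [])


def addresses_for(mechanism, domain):
    """IP addresses a bare 'a' or 'mx' mechanism authorizes for `domain`."""
    if mechanism == "a":
        names = [domain]
    else:  # mx: resolve each mail exchanger to its A records
        names = lookup("MX", domain)
    return {ipaddress.ip_address(a) for host in names for a in lookup("A", host)}


def evaluate(record, sender_ip, domain):
    """Evaluate `record` for a message from `sender_ip` claiming `domain`."""
    if not record.startswith("v=spf1"):
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # '+' is the default and may be omitted
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]  # matches every sender
        if term in ("a", "mx"):
            matched = ip in addresses_for(term, domain)
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            raise ValueError(f"unsupported mechanism: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    # No term matched and there was no 'all': RFC 7208 says neutral.
    return "neutral"


def check_spf(sender_ip, domain):
    """Look up the domain's SPF record and evaluate it; 'none' if absent."""
    records = [t for t in lookup("TXT", domain) if t.startswith("v=spf1")]
    if not records:
        return "none"
    return evaluate(records[0], sender_ip, domain)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.25", "203.0.113.7"):
        print(ip, "->", check_spf(ip, "mydomain.com."))
```

Running it shows 192.0.2.10 passing via the a mechanism, 198.51.100.25 passing via mx (it is the A record of mail2), and 203.0.113.7 failing on -all. Swapping the record for "v=spf1 -all a" makes even 192.0.2.10 fail, which is the ordering point from the text: the first matching term wins, so all belongs last.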

The Pro DNS and BIND book contains more details on how to specify SPF records.

Openspf.org has a wizard for generating SPF DNS records.

