Home / server / Questions / 170106
Accepted
Torben Gundtofte-Bruun
Asked: 2010-08-12 04:01:04 +0800 CST

Do I need SPF, and how do I set it up?

  • 772

I've read that SPF is a way to ensure that spam sent in my name is evidently fake, and I'd like to use that. How do I set up SPF? Or is it already in effect? I have two domains hosted on Dreamhost.com, and I use Google Apps to read mail on both domains (separately).

I have used this tool to check if SPF is present for my domains. One domain has SPF, one doesn't.

But it gets more complicated than that:

A) The domain with SPF uses Dreamhost as MX. Mail accounts on this domain are set up to forward to specific Google Apps accounts.

  • Is my SPF ignored when sending mail from Google Apps?

B) The domain without SPF uses Google as MX. I want to add SPF to this domain.

  • Can I add SPF under this domain's DNS records, or should this be done at Google (outside my control)?

C) Further, the users are in several countries using several ISP's. Some don't use the Gmail web interface but rather a mail client (Thunderbird, Outlook). So it's really difficult to say which IP addresses are "ours". This goes for both domains.

  • What IP addresses can/should/must I (not?) specify in my SPF records?
domain-name-system spf mx-record

4 Answers

  1. First, SPF is just a DNS record for your domain, that specifics which servers can send e-mail for your domain. If a receiving e-mail server also supports SPF it will check this record and follow the actions you set in your record.

    The most common effect is that less people can send spam where the spam claims to be from you. Sometimes mail servers are configured so that they will not accept e-mail unless the sending domain has an SPF record; but this is rare.

    In all cases the choice to use an SPF record lies ultimately in the receiving server.

    If you use Google Apps to send e-mail you can create a SPF record for your domain like this:

    TXT "v=spf1 include:_spf.google.com -all"

    You have to contact whoever hosts the DNS for your domain, and tell them you want to add that record. Many hosting providers have an easy to configure tool for setting this up; if not call the; they'll know what you're talking about.

    • 4

  2. To give Google permission to send email on your behalf add the following to your spf txt record.

    include:_spf.google.com

    Also with issue C, don't use the ISPs smtp servers. Set up each client to relay through Google's mail servers the details on how to do that can be found here.

    • 2
  3. Best Answer

    SPF doesn't care about clients, it is about the question "which server is allowed to send mails coming from my domain?"

    Assuming you own the domain example.org:

    • A) It's not important where you send your mails from. It's important that your mailserver has SPF records that match your mailserver.
    • B) Google.
    • C) It's typical to trust the A and MX record resolving to that domain, so: v=spf1 a mx -all
    • 1

  4. You add a TXT record to your DNS zone file. eg.

    IN      1H      TXT     "v=spf1 ip4:<sendingSmtpServerIpAddress> a mx -all"

    This will allow all MX servers defined for your zone to send "a mx" and also one that hasn't got an MX record using "ip4:".

    Of course you can remove elements you don't need and cater the record for your implementation.

    • 1