How To Create a SPF Record For Your Domain with Google Apps

Posted Jul 12, 2013

About SPF Record

An SPF record is a type of Domain Name System (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. It is as easy to add as an MX or A record in your DNS zone.

Why Is It Important?

Today, nearly all abusive e-mail messages carry fake sender addresses. Spammers send email from their own mail servers but with your domain in the sender address. The victims whose addresses are abused often suffer the consequences: their reputation is diminished, and they have to disclaim liability for the abuse or waste time sorting out misdirected bounce messages.

The purpose of an SPF record is to prevent spammers from sending messages with forged "From" addresses at your domain. Recipients can refer to the SPF record to determine whether a message purporting to be from your domain comes from an authorized mail server.

Setting SPF Record

Before creating the SPF record for your domain, it is important to find out which servers will send email for your domain. Perhaps you are planning to send email using Google Apps or from your own VPS. Consider all the mail server options available.

For this tutorial, we will use Google Apps. Follow these instructions:

Log in to your DigitalOcean account. Then open Networking and locate the DNS configuration. Open the configuration for the desired domain. Now, add a TXT record.

DigitalOcean TXT Record

Enter @ in the Enter Name field, and in the Enter Text field add the following:

"v=spf1 include:_spf.google.com ~all"

Let's explore this a little more:

  • v=spf1: This sets the SPF version being used.
  • mx: The "mx" mechanism allows the domain's MX hosts to send mail. It is not part of the record above; it appears in the VPS record below.
  • include:_spf.google.com: The "include" mechanism includes Google mail servers in our list of authorized sending servers.
  • ~all: If mail is received from a server not previously listed, mark it as a 'soft fail'. This allows the mail to be scrutinized further.

At this point, your DNS configuration should look like this:

DigitalOcean DNS Records

The "all" Mechanism

This mechanism always matches. It usually goes at the end of the SPF record.

Example uses:

  • "-all" : This means that any server not previously listed is not authorized - no questions asked.
  • "+all" : The domain owner thinks that SPF is useless and/or doesn't care.
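
The following Python sketch is an added example, not part of the original tutorial. It parses an SPF TXT value, reports the result a sender gets when no listed mechanism matches, and flags the "all" mistakes described above. The function names are hypothetical, and the "?" qualifier and the full mechanism list come from the SPF specification rather than from this page.

```python
import re

# SPF qualifiers and the result each one produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

def parse_spf(record):
    """Return [(result, mechanism, argument)] for an SPF TXT value."""
    parts = record.strip().strip('"').split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for tok in parts[1:]:
        if re.match(r"[A-Za-z][\w.-]*=", tok):
            continue  # modifier such as redirect= or exp=; skipped, not followed
        qual = tok[0] if tok[0] in QUALIFIERS else "+"  # no qualifier means "+"
        body = tok[1:] if tok[0] in QUALIFIERS else tok
        name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism: {tok}")
        terms.append((QUALIFIERS[qual], name, body[len(name):].lstrip(":")))
    return terms

def default_result(record):
    """Result for a sender that no listed mechanism matches (no redirect= assumed)."""
    for result, name, _ in parse_spf(record):
        if name == "all":
            return result
    return "neutral"  # no "all" at all: the check ends without a verdict

def lint_spf(record):
    """Flag problems with how the record uses the 'all' mechanism."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    findings = []
    if "all" not in names:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    else:
        i = names.index("all")
        if terms[i][0] == "pass":
            findings.append("+all authorizes every server")
        if i != len(terms) - 1:
            findings.append("mechanisms after 'all' are never evaluated")
    return findings

if __name__ == "__main__":
    # Records taken from this tutorial, plus the "+all" case.
    for rec in ('"v=spf1 include:_spf.google.com ~all"', '"v=spf1 mx -all"', '"v=spf1 +all"'):
        print(rec, "->", default_result(rec), lint_spf(rec))
```

Run it against the TXT value you entered before publishing the record; an empty findings list means the "all" mechanism is present, last, and not "+all".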

Create SPF Record for Your VPS

If you are using your own VPS to send email rather than a service like Google Apps, you can create the record as:

"v=spf1 mx -all"

This will allow the domain's MX hosts to send mail for the domain while prohibiting all others. Alternatively, you can enter:

"v=spf1 -all"

This record prevents all hosts from sending mail for the domain.

That's all. You have done it.

To understand SPF in more depth, you can explore OpenSPF.

Article Submitted by: Keshav Pareek


Creative Commons License