How To use an SPF Record to Prevent Spoofing & Improve E-mail Reliability

Published on July 16, 2013

By Pablo Carranza

Introduction

A carefully tailored SPF record will reduce the likelihood of your domain name being fraudulently spoofed and keep your messages from being flagged as spam before they reach your recipients. Email spoofing is the creation of email messages with a forged sender address, something that is simple to do because many mail servers do not authenticate the sender. Spam and phishing emails typically use such spoofing to mislead the recipient about the origin of the message. A number of measures to address spoofing have been developed over the years: SPF, Sender ID, DKIM, and DMARC. Sender Policy Framework (SPF) is an email validation system designed to prevent spam by detecting email spoofing. Today, nearly all abusive e-mail messages carry fake sender addresses. The victims whose addresses are abused often suffer the consequences: their reputation is diminished, they waste time sorting out misdirected bounce messages, or (worse) their IP addresses get blacklisted.

SPF is an open standard that specifies a technical method to prevent sender-address forgery. It lets administrators specify which hosts are allowed to send mail on behalf of a given domain by publishing an SPF record (a TXT record) in the Domain Name System (DNS). Receiving mail exchangers look up that record to check that mail claiming to come from the domain is being sent by a host sanctioned by the domain's administrators.

Benefits

Adding an SPF record to your DNS zone file is the best way to stop spammers from spoofing your domain. In addition, an SPF Record will reduce the number of legitimate e-mail messages that are flagged as spam or bounced back by your recipients' mail servers. The SPF record is not 100% effective, unfortunately, because not all mail providers check for it. Many do, however, so you should notice a significant decrease in the amount of bounce-backs you receive.

Example SPF Record

An SPF record is added to your domain's DNS zone file as a TXT record and it identifies authorized SMTP servers for your domain.

TXT @ "v=spf1 a include:_spf.google.com ~all"

If you are utilizing the DigitalOcean DNS Manager, make sure to wrap the SPF record with quotes. The following table provides an explanation of the various components of the Example SPF Record:

Component                Description
TXT                      The DNS zone record type; SPF records are written as TXT records.
@                        In a DNS zone file, the "@" symbol is a placeholder for "the current domain".
v=spf1                   Identifies the TXT record as an SPF record using SPF version 1.
a                        Authorizes the host(s) identified in the domain's A record(s) to send e-mail.
include:_spf.google.com  Authorizes the hosts named in the SPF record of _spf.google.com (Google's outbound mail servers) to send e-mail on behalf of the domain.
~all                     Matches every host not matched above. With the ~ (soft fail) qualifier, the list is treated as complete, so mail from any other server is flagged as non-compliant, although receivers accept and tag it rather than reject it.

Components of an SPF Record

An SPF record consists of the SPF version number followed by terms made up of (i) mechanisms, (ii) qualifiers, and sometimes (iii) modifiers. SPF clients ignore TXT records that do not start with the version string "v=spf1".

SPF records may define zero or more mechanisms. Mechanisms describe the set of hosts that are designated as authorized outbound mailers for the domain. The following are the common mechanisms found in an SPF record:

all | ip4 | ip6 | a | mx | ptr | exists | include

Mechanisms can be prefixed with one of four qualifiers:

Qualifier  Description
+          Pass: the address passed the test; accept the message. Example: "v=spf1 +all"
-          (Hard) Fail: the address failed the test; bounce any e-mail that does not comply. Example: "v=spf1 -all"
~          Soft Fail: the address failed the test, but the result is not definitive; accept and tag any non-compliant mail. Example: "v=spf1 ~all"
?          Neutral: the address neither passed nor failed the test; no assertion is made, and the receiver usually accepts the mail. Example: "v=spf1 ?all"

If a qualifier is not included, the + qualifier is implied.

SPF records may also contain modifiers, or none at all. Two modifiers are defined, and each may appear only once per record:

redirect | exp

SPF records are evaluated in a two-pass process: first all mechanisms (with their qualifiers) are evaluated, then all modifiers:

  1. Mechanisms are evaluated from left to right, and the first mechanism that matches the sending host determines the result;
  2. Modifiers are evaluated on the second pass and can occur anywhere in the record.

Mechanisms

Mechanism  Description
all        Matches every IP address, local or remote, and goes at the end of the SPF record. Example: "v=spf1 +all"
ip4        Specifies a single IPv4 address or an IPv4 address range. A mask of /32 is assumed if no prefix-length is given. Example: "v=spf1 ip4:192.168.0.1/16 -all"
ip6        The same concept as ip4, but with IPv6 addresses. If no prefix-length is given, /128 is assumed (singling out an individual host address). Example: "v=spf1 ip6:1080::8:800:200C:417A/96 -all"
a          Matches the IP address(es) in the A record of the current domain, or of the named domain. Example: "v=spf1 a:domain.com -all"
mx         Matches the A records of each host named in the domain's MX records. Example: "v=spf1 mx mx:domain.com -all"
ptr        Matches hosts found through the sending IP's PTR (reverse DNS) record, checked against their A records. Example: "v=spf1 ptr:domain.com -all"
exists     Specifies one or more domains, normally singled out as exceptions to the SPF definitions. An A query is performed on the given domain; if any result is found, the mechanism matches. Example: "v=spf1 exists:domain.com -all"
include    Specifies other domains whose SPF records are consulted; the hosts they authorize are authorized for this domain as well. Example: "v=spf1 include:outlook.microsoft.com -all"

The "all" Mechanism

The all mechanism usually goes at the end of the SPF record; and it is prefixed with a qualifier, e.g.

Example           Description
"v=spf1 mx -all"  Allows the domain's MX hosts to send mail for the domain, and prohibits all other hosts.
"v=spf1 -all"     The domain sends no mail at all.
"v=spf1 +all"     This SPF record is useless, as it does not limit the hosts that are authorized to send e-mail.

Modifiers

Modifiers are optional and a modifier may appear only once per record. Unknown modifiers are ignored.

The "redirect" modifier sends the inquiry to another domain.

redirect=example.com

That is, the SPF record for example.com replaces the SPF record for the current domain. The redirect modifier is useful to those that wish to apply the same record to multiple domains. For example:

Sample entry in ny.yourdomain.com's zone file:    TXT @ "v=spf1 redirect=_spf.yourdomain.com"
Sample entry in sf.yourdomain.com's zone file:    TXT @ "v=spf1 redirect=_spf.yourdomain.com"
Sample entry in am.yourdomain.com's zone file:    TXT @ "v=spf1 redirect=_spf.yourdomain.com"
Sample entry in _spf.yourdomain.com's zone file:  TXT @ "v=spf1 mx:yourdomain.com -all"

For clarity, it is RECOMMENDED that any "redirect" modifier appear as the very last term in a record.
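To show how a receiving server applies the two-pass evaluation described above (mechanisms left to right, then modifiers such as redirect) to the redirect example, here is an added example that is not part of the original tutorial: a small Python checker that parses a record and evaluates a sender IP against it. DNS is replaced by a constructed in-memory table holding the redirect example's zones; FAKE_DNS, lookup, parse_spf, check_spf and the example.org record are names and data invented for this illustration, and the ptr and exists mechanisms are left unimplemented.

```python
import ipaddress
# Constructed stand-in for DNS: the redirect example's zones plus a few A/MX records.
FAKE_DNS = {
    ("TXT", "ny.yourdomain.com"): ["v=spf1 redirect=_spf.yourdomain.com"],
    ("TXT", "_spf.yourdomain.com"): ["v=spf1 mx:yourdomain.com -all"],
    ("TXT", "example.org"): ["v=spf1 a include:_spf.yourdomain.com ~all"],
    ("MX", "yourdomain.com"): ["mail1.yourdomain.com"],
    ("A", "mail1.yourdomain.com"): ["203.0.113.10"],
    ("A", "example.org"): ["198.51.100.5"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(rrtype, name):              # a real checker would query the resolver here
    return FAKE_DNS.get((rrtype, name), [])

def parse_spf(record):                 # -> ([(qualifier, mechanism, arg), ...], {modifier: value})
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, None              # not an SPF record; clients ignore it
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:                # modifiers such as redirect= and exp=
            key, _, value = term.partition("=")
            modifiers[key.lower()] = value
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"   # "+" is implied
        name, _, arg = term.lstrip("+-~?").partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms, modifiers

def check_spf(ip, domain, depth=0):
    """Evaluate a sender IP against a domain's SPF policy, as a receiving MTA would."""
    records = [r for r in lookup("TXT", domain) if r.lower().startswith("v=spf1")]
    if not records or depth > 10:      # no policy, or a runaway include/redirect chain
        return "none" if not records else "permerror"
    mechanisms, modifiers = parse_spf(records[0])
    addr = ipaddress.ip_address(ip)
    for qualifier, name, arg in mechanisms:   # first pass: mechanisms, left to right
        target = arg or domain
        matched = False                # ptr and exists are not modelled here
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup("A", target)
        elif name == "mx":
            matched = any(str(addr) in lookup("A", mx) for mx in lookup("MX", target))
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    if "redirect" in modifiers:        # second pass: modifiers
        return check_spf(ip, modifiers["redirect"], depth + 1)
    return "neutral"
```

With this table, check_spf("203.0.113.10", "ny.yourdomain.com") follows the redirect to _spf.yourdomain.com, matches the MX host and returns "pass", while any other address reaches "-all" and returns "fail".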

The "exp" modifier sets up an explanation in the SPF record.

exp=[macro-string]

If an SPF query produces a FAIL result, the explanation is queried and the resulting string gives the nonconforming sender more information. The explanation is typically placed in an SPF log. Example: exp=spf-error. An SPF publisher can specify the explanation string that senders see; in this way an ISP can direct nonconforming users to a web page that provides further instructions.

Putting it all together

Although you do not need an SPF record on your DNS server to evaluate incoming email against SPF policies published on other DNS servers, the best practice is to set up an SPF record on your DNS server. Setting up an SPF record lets other email servers use SPF filtering (if the feature is available on the mail server) to protect against incoming email from spoofed, or forged, email addresses that may be associated with your domain. As SPF records are implemented more widely, SPF filtering will become more effective at identifying spoofed email messages.

As always, if you need help setting up your SPF record, look to the DigitalOcean Community for assistance by posing your question(s), below.

Article Submitted by: Pablo Carranza

40 Comments

I configured postfix, but Gmail does not receive the mail. What would be the best option?

TXT @ "v=spf1 mx a ~all"

?

Kamal Nasser (DigitalOcean Employee), August 5, 2013

@schroeder.noia: Did you follow a specific article on setting up postfix?

Also, try changing your TXT record to this:

TXT @ "v=spf1 mx a ip4:yourdropletsip ~all"

Replace yourdropletsip with your droplet’s IP.

In the DO DNS TXT record there are 2 fields (enter name, enter text), so what values should be placed where? Is the SPF record to be added only for the main domain, or is it needed for each and every addon domain?

My DKIM looks like below, so what and where do I put these things?

2012513._domainkey IN TXT ( “v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzLuSAevWarq/x” “y98wA0gz6kDDKYjgppYUJuyQ/dWvsvi2yX8gEnXS1yI91A/NmjEomzE90BHSBrgSEv3rxmNViVrN5HU7” “jki1Xja5dNzxwYip9zRLACauG2ZVzagcFZd8EORaLUZhlkkiiiutuytiuyiuyuyATHz0ofJ9ope0Wzu62XCqzB3pmLR5GPM7Lvh”"y6CDW85gIE9JWEbbk8YI/wzxtphfD77tOkDsNDAGul3mhMKFBb1b8unjUIOQSrbv6GSnw9RkAh/PXKr8"“97uO19Ql0CCRltcGZOIFc4DLk3hWRi/SBKomJ+ZSSbOzr45Jkn/iYepr9kxtVSfygR8xrgJd+BSfJIzr”“KI8qnH9kQIDAQAB” )

Kamal Nasser (DigitalOcean Employee), August 6, 2013

@shyamsukhamit: TXT name: _domainkey Text: “v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzLuSAevWarq/x”

You’ll need to add them for every addon domain.

Just 1 more clarification: as you mentioned that the name should be "_domainkey", shouldn't it be "2012513._domainkey", and should the text be only the "p=xxxxxxxxxxxxxxxx"?

According to the article, what is the difference between my TXT record (which contains the long code) and "TXT @ "v=spf1 a include:_spf.google.com ~all"", and where should it be entered if it is required?

Kamal Nasser (DigitalOcean Employee), August 7, 2013

This article is about SPF records. You’re trying to add a DKIM record which is a completely different thing. Where did you get that DKIM config from? I’ve just checked it and it appears to be invalid.

Yes this is DKIM key, I got it from webmin >email messages > dkim… Sorry I totally messed it up. Can you please tell me from where do I get the spf record and what do I add in DO DNS TXT record?

and please let me know what should be done for DKIM?

Thanks for your help.

Kamal Nasser (DigitalOcean Employee), August 7, 2013

You don’t get an SPF record – you usually build it yourself. Read this article.

Please take a screenshot of webmin’s DKIM page

In DO DNS TXT RECORD I have entered NAME=@ and text= “v=spf1 mx:yourdomain.com -all” is that the correct way of inputting the value @kamal?

I think that DKIM is also added in a TXT record of the DNS, am I correct? The values I have put above are a little bit modified. If you want I can pastebin the content of the DKIM.

Thanks for the help

Or I should replace the yourdomain.com with droplet IP?

Kamal Nasser (DigitalOcean Employee), August 9, 2013

@shyamsukhamit: Replace "mx:yourdomain.com" with "ip4:yourdroplet'sip" – the rest is correct.

Did webmin create the DKIM keys for you?

No, I generated the DKIM key through virtualmin (sorry, I mentioned webmin in the above comments). There is an interface to generate DKIM keys for the domain.

Do I need to add TXT records for the DKIM keys that I have generated through virtualmin? If yes, please let me know how to do it. My emails are still going to spam.

Thanks.

Kamal Nasser (DigitalOcean Employee), August 9, 2013

Yes, you need to add them.

"There is an interface to generate DKIM keys for the domain"

Can you please take a screenshot of that interface?

Thanks kamal, but what values should be added in TXT records “text value” & “name value”? Here is the link to screen shot http://imagebin.org/267024

Kamal Nasser (DigitalOcean Employee), August 10, 2013

@shyamsukhamit: Try decreasing the DKIM key’s size to 1024 bits. Paste the new one

@kamal: Thanks. Until now I haven't pasted the DKIM keys in the TXT records of the DNS, but my emails are now reaching the Inbox instead of spam. Do I still need to go for DKIM TXT record creation in DNS?

Kamal Nasser (DigitalOcean Employee), August 11, 2013

It’s optional. I’d say you keep an eye on your emails and if some of them go to spam, go for DKIM keys.

Thanks @kamal. I will do that.

Hi!

I need to know how many emails per day I can send with a VPS (spam free, all users agree to reception).

Is it necessary to use more than one VPS? Additional cost?

Thanks!

Kamal Nasser (DigitalOcean Employee), September 4, 2013

@customprintcba: We do not limit email traffic however we treat abuse reports seriously.

Thanks for the helpful article. After adding the TXT record, do I have to wait a certain amount of time before it gets recognized when sending e-mails?

I added the record to one of my domains, sent a test e-mail to Gmail, and the Received-SPF field was ‘neutral’. I was hoping it would read ‘pass’.

schmidtg - “I added the record to one of my domains, sent a test e-mail to Gmail, and the Received-SPF field was ‘neutral’. I was hoping it would read ‘pass’.”

Remember that these are for confirming sent to and within your own domain, and not generally for someone else to confirm that you are you. You did not put your SPF record on their server. The only SPF record that would seem to affect others would be (“v=spf1 -all” The domain sends no mail at all.).

This is helpful – Site to autogenerate SPF record:

http://www.royhochstenbach.com/projects/spfgenerator/

Note that it is no longer necessary to wrap the TXT record SPF contents in quotes. In fact, doing so will cause a syntax error, preventing your SPF rule from being recognized.

I have successfully created my SPF record, but I don’t know how to add it to my DNS server. My organization has its own DNS servers that I should be able to access.

Kamal Nasser (DigitalOcean Employee), January 4, 2014

@boss2u: It should be added as a TXT record with the name of “@”.

Can I request you to remove references to “v=spf1 +all”, as this is really very bad practice! Instead of +all, please suggest the ‘neutral’ ~all, as +all -encourages- spoofing, contradicting the title of your article…

You state “+all - This SPF is useless, as it does not limit the hosts that are authorized to send e-mail.” It’s not useless, it is pure evil, as this allows spammers to send out e-mails on your behalf!

Hi, how can I find or generate my DKIM key? I don't know how to add the DKIM record to DigitalOcean's DNS control panel for my domain… how can I do that?

I have followed this tutorial ( https://www.digitalocean.com/community/articles/how-to-install-iredmail-on-ubuntu-12-04-x64) until this step: Reboot your droplet after completion.

And I can't seem to do the next step…

Kamal Nasser (DigitalOcean Employee), January 19, 2014

@joao: What have you tried? Can you upload a screenshot of your current config to imgur?

Hi Kamal, I am total newbie. Very confused with email. Yesterday I tried to successfully setup live.com (outlook) email account for my domain. After that, I realized wordpress still couldn’t send email so today I installed postfix. Now I can send email from sendmail command to gmail. But it goes to spam folder. I then followed this spf record setting but no luck. Emails still go to spam folder. Any suggestion?

@Kamal, sorry forgot the imgur link. This is my DNS setting > http://imgur.com/flISby7

How to setup for live.com (outlook)?

In The DNS Manager does ‘@’ go in the ‘enter name’ field or ‘enter text’ field?

Ok so this is about SPF, but to successfully send the emails to users inboxes, I need to consider the other as well? If yes, where to find the information about others? Is there any easy to use guide, or will have to dig through all the documentation? :(

Kamal Nasser (DigitalOcean Employee), March 1, 2014

@Hardik: What do you mean by “the other”?

Kamal Nasser (DigitalOcean Employee), March 1, 2014

@raffanello: The ‘@’ goes in the name.

Hello Kamal, I use amazon SES. Do I need to set an SPF Record? Thanks!

Hi Kamal,

I have Zpanel installed (yes, I know I shouldn't have done it). But now the email is only available on a webmail from the zpanel, and there is a problem with the filtering. So following that I reached this thread. Now I only understand that I can use the TXT record and write this: "v=spf1 a include:_spf.google.com ~all". Is this correct? How can I access the email away from webmail, or set up SMTP like I always had?

Sorry for being a noob.
