SPF

From DreamHost

Overview

Sender Policy Framework (SPF) DNS records can be created to help prevent spammers from disguising themselves as you. This is a method called spoofing where a spammer alters the message header details to show the message coming ‘From’ a different email address than the one actually sending it. This results in replies and rejections that are sent to your email address for mail you never actually sent.

For more details regarding the message spoofing, please refer to the following article:

Sender Domain Policy and Spoofing

How does SPF work?

Mail servers that receive an email for delivery can check SPF by comparing the sending server's IP address against the email's envelope sender's SPF DNS record. If the email was sent from a server that is not included in that SPF record, the email is more likely to be spoofed or untrustworthy. The receiving mail server may handle the email differently because of the SPF failure, such as marking the email as spam or rejecting the email.

By default, your domain is not set up with an SPF record. Since you can host your domain’s mail with any mail provider you wish, you need to add that provider’s SPF information to your domain’s record yourself. Each domain can only have one SPF record, and you may need to include information for many different servers in it, such as mail servers, your web server, a marketing company that sends out newsletters to your customers – any server that you want to allow to send mail as your domain.

Adding SPF to your domain

Note: If you are not using DreamHost nameservers, you must set up the SPF records with the current DNS provider instead.


  1. Navigate to the (Panel > ‘Domains’ > ‘Manage Domains’) page.
  2. Click the ‘DNS’ link under the domain.
    The ‘Manage Domains’ page opens for this domain.
    Description of fields:
    • Name: This is designated for the sub-domain – if the record applies to the main domain, leave this field blank.
    • Type: From the dropdown menu, select TXT.
    • Value: Enter the SPF record.
    • Comment: This field is optional. You can include ‘SPF’ here if you’d like or leave it blank.
  3. Click the Add Record Now! button to save the record.

Allow up to 6 hours for the DNS record to propagate after you save the record.

Notes:
  • Keep in mind that SPF treats subdomains (such as sub.example.com) separately – see the SPF subdomain FAQ. Thus, you may wish to specify SPF records both for example.com (leave the host name empty – it may appear as .example.com) and for any hosts such as yourhost.example.com.
  • Wildcards for TXT records are not supported by DreamHost, and are generally discouraged anyway; see RFC 4408 §3.1.5.


Basic SPF records

Email can be sent from various accounts. If you are only sending email from your account on the mail server, you only need to include the information for those mail servers in your domain's SPF record.

  • Websites sending email can be set up to send either using a web email script or SMTP.
  • The SPF record you set up for your email address on the mail server still applies to mail sent from the website if it’s sending via SMTP.
  • However, mail sent using a mail script goes out through the web server, so you’ll need to include the web server’s IP address in the SPF record so that its sending IP is authorized as well.

The basic information needed for your domain's SPF record to permit the mail servers should be provided to you by your mail host.

The current dreamhost.com SPF information is incomplete and does not include all of DreamHost's mail servers.

You can use the following include mechanism in your domain's SPF record to cover all DreamHost IP addresses:

include:netblocks.dreamhost.com

For Google hosted mail users, the following link provides details on what to put in your domain's SPF record to permit Google’s mail servers:

For other hosts, you must contact them for details on their SPF information.

When is basic SPF not enough?

There are a few cases when a basic SPF record is not enough:

  • If you send email from your website and don't use SMTP, you should add your web server's IP address to the SPF record.
  • If you use a mass-mailing service, you should add that provider's servers to your SPF record.

Remember that a domain can only have one SPF record, so you'll need to combine all of the information into a single record. The Advanced SPF section below has some information on how to build an SPF record and what each part of the record means.

Advanced SPF

An advanced SPF record includes more than just the default mail servers: it also has information on all other servers that send mail for the domain. The following is an example of an advanced SPF record:

v=spf1 ip4:321.321.321.321 include:_spf.google.com include:shaw.ca mx -all
Tag: Description

  • v=spf1: Identifies this DNS record as an SPF version 1 record.
  • ip4:321.321.321.321: The IP address of a specific server, such as your web server for scripts that send mail directly from that server (the address shown is a placeholder; substitute the real one). You can get your web server IP from the ‘Manage Domains’ page. View the DNS article for details.
  • include:_spf.google.com: Includes all of the SPF records from Google, which in this example is where the domain's mail service is hosted.
  • include:shaw.ca: Includes all the SPF records for Shaw Cable in Canada, an ISP. In this example, mail from the domain is sometimes sent through the ISP's SMTP server.
  • mx: Includes all of the MX servers the domain uses, as listed in the domain's MX DNS records.
  • -all: Says all other servers are not authorized, so only mail sent from the listed servers will 'pass'.

-all (dash), ~all (tilde) or ?all

The symbol before "all" indicates how strict the SPF record is enforced.

  • ?, question mark, makes the whole record inactive, as though the domain had no SPF record at all.
  • -, dash, makes the record strict: any mail from servers not listed will be marked "fail" and may be marked as spam or rejected entirely.
  • ~, tilde, is between the other two options in strictness. Any mail from servers not listed will be marked "softfail". While intended for testing, it is recommended to be used to avoid delivery issues as noted in this article.
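The following is an added example, not code from DreamHost or from this article: a small SPF evaluator that walks a record the way a receiving mail server does, resolving the tags described in the Advanced SPF table (ip4, include, mx, all) plus a and ip6, applying the -, ~ and ? qualifiers above, and refusing a domain that carries more than one SPF record (the one-record rule from the "When is basic SPF not enough?" section). Every host name and address in the DNS table is constructed for the example (documentation ranges only); netblocks.dreamhost.com and the providers in the table below are not looked up. The combine_record helper shows how entries from several sources are merged into the single record a domain is allowed to have.

```python
"""Offline SPF evaluator over a constructed, in-memory DNS table (added example)."""
import ipaddress

# Constructed DNS data standing in for live lookups. Every name and address
# here is an assumption made for this example, not real infrastructure.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example mx -all"],
        "MX": ["mx1.example.com"],
    },
    "mx1.example.com": {"A": ["203.0.113.25"]},
    "_spf.mailhost.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "neutral.example": {"TXT": ["v=spf1 ?all"]},
    # Two v=spf1 records on one name: the misconfiguration the article warns about.
    "two-records.example": {"TXT": ["v=spf1 mx -all", "v=spf1 ip4:203.0.113.99 -all"]},
    # The article's placeholder address is not a valid IPv4 address.
    "bad-ip.example": {"TXT": ["v=spf1 ip4:321.321.321.321 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed table."""
    return DNS.get(name, {}).get(rtype, [])


def ip_in(ip, network):
    """True when ip lies inside network; a bare address counts as a /32 or /128."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_spf(ip, domain, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for ip sending as domain."""
    if depth > 10:                       # stop runaway include chains
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "none"                    # no SPF record at all
    if len(records) > 1:                 # a domain may carry only one SPF record
        return "permerror"
    for term in records[0].split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:        # -all, ~all, ?all, +mx ...
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True               # 'all' matches every sender
        elif name in ("ip4", "ip6"):
            try:
                matched = ip_in(ip, arg)
            except ValueError:           # malformed address or network
                return "permerror"
        elif name == "a":
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        elif name == "mx":
            matched = any(ip_in(ip, a)
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        elif name == "include":
            # An include matches only when the included record says 'pass';
            # the included record's own -all or ~all never decides our result.
            sub = check_spf(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"           # unknown mechanism (CIDR on a/mx not handled here)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no 'all' term present


def combine_record(mechanisms, all_qualifier="~"):
    """Merge mechanisms from several sources into the single record a domain may have."""
    seen = []
    for m in mechanisms:
        if m not in seen and m.lstrip("+-~?").lower() != "all":
            seen.append(m)
    return "v=spf1 " + " ".join(seen) + f" {all_qualifier}all"


if __name__ == "__main__":
    for sender in ("203.0.113.10", "198.51.100.7", "203.0.113.25", "192.0.2.1"):
        print(sender, "->", check_spf(sender, "example.com"))
    print(combine_record(["ip4:203.0.113.10", "include:_spf.google.com",
                          "mx", "include:_spf.google.com", "-all"]))
```

Running it shows the three authorized senders passing (direct ip4 match, via the include, and via the MX host) while 192.0.2.1 falls through to -all and fails; querying _spf.mailhost.example directly with the same unlisted address yields softfail, and two-records.example yields permerror, which is how a receiving server treats a domain with more than one SPF record.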

The following table shows SPF information for various mail providers that are in popular use:

Provider: SPF Information

  • Campaign Monitor: include:cmail1.com
  • Constant Contact: include:spf.constantcontact.com
  • Freshbooks: include:_spf.freshbooks.com
  • Google: include:_spf.google.com
  • Hostgator: include:websitewelcome.com
  • MailChimp: include:servers.mcsv.net
  • Microsoft/Hotmail: N/A (uses SenderID)
  • Shaw Communications Ltd.: include:shaw.ca
  • Telus: include:telus.net

Testing your SPF record

There are a few ways to test your SPF record before and after creating it:

A note about the envelope sender

When SPF checks are handled by the recipient host, the validation is done on the envelope sender (the address given in the SMTP MAIL FROM command), not on the 'From' header details shown in the message. Information regarding the difference between the 'envelope' sender and the 'From' header is outlined here:

See also