SPF

From DreamHost

Background Information

SPF, or Sender Policy Framework, helps stop spammers from masquerading as you!

SPF information is a DNS record that says “I only send e-mail from these machines – if it’s not from one of these, it’s fake!”

To be all geeky, it fights return-path address forgery and makes it easier to identify spoofed e-mails. This is because domain owners identify all mail servers that send e-mail on their behalf within their DNS entries. Mail servers that receive SMTP e-mail verify the envelope sender address against the information in DNS, and thus can distinguish between authentic messages and forgeries before any message data is transmitted.

DreamHost doesn’t add any SPF records automatically because only you know where you send mail from. Each domain can only have one SPF record, and you may need to include information from many different servers: mail servers, your web server, a marketing company that sends out newsletters to your customers, or any other server that you want to allow to send mail as your domain.

How to add SPF to your domain

SPF uses a text, or TXT, DNS record. You can add these in the DreamHost Control Panel. Convenient, no?

  1. Visit the Manage Domains page in the Control Panel, and click the "[DNS]" link for the domain you wish to edit. You'll be taken to the domain management page.
  2. In the "Add a new DNS record..." box, verify that the correct domain appears.
    • Keep in mind that SPF treats subdomains (such as sub.example.com) as separate; see the SPF subdomain FAQ. Thus you may wish to specify SPF records both for example.com (leave the host name empty; it may appear as .example.com) and for any hosts like yourhost.example.com. Wildcards for TXT aren’t supported by DreamHost, and are discouraged anyway in RFC 4408 §3.1.5.
  3. Paste your SPF record in the "Value:" text box.
  4. Add a comment if you wish, such as “SPF (Sender Policy Framework)”.
  5. From the "Type:" pulldown, choose "TXT".
  6. Click the "Add Record Now!" button.

This will add the SPF information to your domain's DNS on DreamHost's nameservers. If your domain uses external nameservers, such as those from another domain registrar, you'll need to enter the SPF information into that system.

Basic SPF records - just the mail servers, please

If you only send emails from your mail accounts on the mail servers, that's all you need to put in the SPF record. If your website sends emails using SMTP, those emails are sent from your mail accounts on the mail server and will be covered too.

Your SPF record will come from your domain's mail provider, where your domain's mail service is hosted.

  • Regular DreamHost-hosted mail service: The current dreamhost.com SPF record is incomplete and does not include all of DreamHost's mail servers. It only includes servers used to send mail for @dreamhost.com addresses.
    • The mail admins are working on an SPF record for hosted domains so that it is accurate and is kept automatically updated with any changes.
    • Until that work is complete, what you can use is include:netblocks.dreamhost.com to get all of DreamHost’s IP space. In the words of Andrew F: “this is perhaps broader than appropriate for some sites — it authorizes any DreamHost IP address to send mail on behalf of your domain, regardless of whether that address is involved with your site (or should be sending mail) at all.”
    • DreamHost IP range: You may need to know the potential IP sources of DreamHost SMTP connections, for example to set up a firewall exception allowing SMTP from DreamHost while blocking others. The following whois query will provide a reasonably accurate list: whois -h whois.arin.net 'e ! > NDN'. This query may not contain all possible sources of DreamHost SMTP connections, so it should not be used in an SPF record except perhaps for testing.
  • Google Apps / Gmail: Google's support website has an SPF record for Google's mail servers.
  • Custom MX for another mail host: Your mail provider may have a basic SPF record that includes all their mail servers.

When is basic SPF not enough?

  • If you send emails from your website directly, rather than through your mail accounts over SMTP, you should add your web server's IP address to the SPF record.
  • If you use a mass-mailing service, you should add that provider's servers to your SPF record.

Remember that a domain can only have one SPF record, so you'll need to combine all the information into a single record. The Advanced SPF section below has information on how to build an SPF record and what each part means.

Advanced SPF

An advanced SPF record includes more than just the default mail servers; it also lists every other server that sends mail for the domain. This is an example of an advanced SPF record:

v=spf1 ip4:321.321.321.321 include:_spf.google.com include:shaw.ca mx -all

  • v=spf1: Identifies this DNS record as an SPF version 1 record.
  • ip4:321.321.321.321: The IP address of a specific server, such as your web server for scripts that send mail directly from it (the address shown is a placeholder; substitute your own). You can get your server's IP from the first "A" record under "DNS" for your domain.
  • include:_spf.google.com: Includes all the SPF records from Google, which in this example is where the domain's mail service is hosted.
  • include:shaw.ca: Includes all the SPF records for Shaw Cable in Canada, an ISP. In this example mail from the domain is sometimes sent through the ISP's SMTP server.
  • mx: Includes all of the MX servers the domain uses, as listed in the domain's MX DNS records.
  • -all: Says all other servers are not authorized, so only mail sent from the listed servers will "pass".

-all (dash) or ~all (tilde) or ?all

The symbol before "all" indicates how strictly the SPF record will be enforced.

  • ?, question mark, marks mail from unlisted servers as "neutral", which receivers treat as though the domain had no SPF record at all.
  • -, dash, makes the record strict: any mail from servers not listed will be marked "fail" and may be marked as spam or rejected entirely.
  • ~, tilde, is between the other two options in strictness. Any mail from servers not listed will be marked "softfail". While intended for testing, some folks recommend using it to avoid delivery problems.
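To make the mechanism and qualifier rules above concrete, here is an added Python example (not code from DreamHost's wiki) that evaluates an SPF record the way a receiving mail server does: mechanisms are tried left to right, the first one that matches decides the result via its qualifier, and the "all" at the end catches everything else. It runs offline against a constructed in-memory zone (example.com, the .test names and all addresses are placeholders), so the include: targets are not the real Google or Shaw records. It also enforces the RFC 4408 §10.1 limit of ten DNS-lookup mechanisms (include, a, mx, ptr, exists) per check, which is the ceiling you hit when combining many providers into the one record a domain may have, and shows what happens to a record containing an address like the 321.321.321.321 placeholder if it is published unchanged.

```python
import ipaddress
import re

# Constructed zone data standing in for DNS so the example runs offline.
# example.com, the .test names and the addresses are placeholders, not
# DreamHost's or Google's real records.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.10 include:_spf.mailhost.test mx -all"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["198.51.100.25"],
    ("_spf.mailhost.test", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("loop.test", "TXT"): ["v=spf1 include:loop.test -all"],   # includes itself
    ("typo.test", "TXT"): ["v=spf1 ip4:321.321.321.321 -all"],  # octets above 255
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10  # RFC 4408 section 10.1 caps DNS-lookup mechanisms per check
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?::([^/]*))?(?:/(\d{1,3}))?$", re.I)


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """The domain's one v=spf1 TXT record, or None unless exactly one exists."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def build_record(*mechanisms, policy="-all"):
    """Combine mechanisms from several providers into the single record a domain may have."""
    unique = list(dict.fromkeys(mechanisms))  # drop duplicate includes, keep order
    return "v=spf1 " + " ".join(unique + [policy])


def _ip_in(ip, network_text):
    net = ipaddress.ip_network(network_text, strict=False)  # ValueError if malformed
    return ip.version == net.version and ip in net


def _hosts_match(ip, names, cidr):
    """True if the A record of any name, widened by an optional CIDR, covers ip."""
    suffix = f"/{cidr}" if cidr else ""
    return any(_ip_in(ip, addr + suffix) for name in names for addr in lookup(name, "A"))


def check_host(ip, domain, counter=None):
    """Evaluate SPF for sending address ip and MAIL FROM domain -> (result, reason).
    Results are the RFC 4408 ones this example can produce: pass, fail, softfail,
    neutral, none, permerror."""
    counter = counter if counter is not None else {"lookups": 0}
    ip = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        return "none", f"no usable SPF record for {domain}"
    for term in record.split()[1:]:
        if "=" in term:  # modifiers such as redirect= and exp= are outside this example
            continue
        m = TERM_RE.match(term)
        if not m:
            return "permerror", f"unparseable term {term!r}"
        qual, mech, arg, cidr = m.group(1) or "+", m.group(2).lower(), m.group(3), m.group(4)
        if mech in LOOKUP_MECHANISMS:
            counter["lookups"] += 1
            if counter["lookups"] > MAX_LOOKUPS:
                return "permerror", f"more than {MAX_LOOKUPS} DNS-lookup mechanisms"
        try:
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = _ip_in(ip, (arg or "") + (f"/{cidr}" if cidr else ""))
            elif mech == "a":
                matched = _hosts_match(ip, [arg or domain], cidr)
            elif mech == "mx":
                matched = _hosts_match(ip, lookup(arg or domain, "MX"), cidr)
            elif mech == "include":
                sub, _ = check_host(str(ip), arg or "", counter)
                if sub in ("none", "permerror"):  # a broken include breaks the whole record
                    return "permerror", f"include:{arg} evaluated to {sub}"
                matched = sub == "pass"
            else:
                return "permerror", f"unsupported mechanism {mech}"
        except ValueError as exc:  # ip4:321.321.321.321 lands here
            return "permerror", f"bad argument in {term!r}: {exc}"
        if matched:
            return QUALIFIERS[qual], f"matched {term} in {domain}'s record"
    return "neutral", f"no mechanism in {domain}'s record matched"  # RFC 4408 section 4.7


if __name__ == "__main__":
    print(build_record("include:_spf.google.com", "mx", "include:_spf.google.com"))
    for sender_ip, dom in [("192.0.2.10", "example.com"), ("203.0.113.7", "example.com"),
                           ("10.0.0.1", "example.com"), ("10.0.0.1", "loop.test"),
                           ("10.0.0.1", "typo.test")]:
        print(sender_ip, dom, *check_host(sender_ip, dom))
```

Two things worth noticing when you run it: an include: whose target has no SPF record (or a malformed one) turns the whole check into a permanent error rather than a "fail", so a stale provider hostname in your record breaks SPF for all your mail; and the lookup counter is shared across nested includes, which is why a record that looks short at the top level can still exceed the limit of ten.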

This table has the SPF information of various mail providers that other folks have used:

Provider                   SPF information
Campaign Monitor           include:cmail1.com
Constant Contact           include:spf.constantcontact.com
Freshbooks                 include:_spf.freshbooks.com
Google                     include:_spf.google.com
Hostgator                  include:websitewelcome.com
Mailchimp                  include:servers.mcsv.net
Microsoft/Hotmail          N/A (uses SenderID)
Shaw Communications Ltd.   include:shaw.ca
Telus                      include:telus.net

Testing your SPF record

Note about envelope sender

A subtle point, if you send from host.yourdomain.com, is whether your email client gives the envelope sender (the SMTP MAIL FROM address) as user@host.yourdomain.com or as user@yourdomain.com, that is, whether it includes or excludes the host name. This matters if you can’t set (or don’t want to set) an SPF record for each host, for example when using dynamic DNS where your actual host record is a CNAME and the dynamic DNS provider doesn’t offer TXT records.

You can check which MAIL FROM address is being sent by mailing an address that performs SPF validation, such as Gmail, and then looking at the smtp.mail field in the Authentication-Results: header of the received message. How to change the envelope sender depends on the client, and may be tricky.
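As an added example (not from DreamHost's wiki), here is a small Python parser for the Authentication-Results: header that pulls out the SPF verdict and the envelope sender the receiver actually checked, so you can see whether the check ran against yourdomain.com or against host.yourdomain.com. The sample headers are constructed in Gmail's style: current Gmail headers carry the envelope sender as smtp.mailfrom=, older ones wrote smtp.mail=, and the parser accepts both. The addresses, IPs and domains in the samples are placeholders.

```python
import re

# Constructed sample headers in the style Gmail adds to received mail. The
# addresses, IPs and domains are placeholders, not real messages.
SAMPLE_HEADERS = [
    "Authentication-Results: mx.google.com;\n"
    "       spf=pass (google.com: domain of user@example.com designates 192.0.2.10"
    " as permitted sender) smtp.mailfrom=user@example.com",
    # Older style: the envelope sender appears as smtp.mail=, and the client put the
    # host name in MAIL FROM, so SPF was evaluated for host.example.com, not example.com.
    "Authentication-Results: mx.google.com; spf=neutral (google.com: 192.0.2.10 is"
    " neither permitted nor denied by best guess record for domain of"
    " user@host.example.com) smtp.mail=user@host.example.com",
    "Authentication-Results: mx.google.com; dkim=pass header.i=@example.com;"
    " spf=softfail (google.com: domain of transitioning user@example.com does not"
    " designate 198.51.100.7 as permitted sender) smtp.mailfrom=user@example.com",
]

FIELD_NAME_RE = re.compile(r"^Authentication-Results:\s*", re.I)
COMMENT_RE = re.compile(r"\([^()]*\)")  # unnested RFC 5322 comments carry no data


def parse_auth_results(header):
    """Return {'authserv_id': ..., 'methods': {method: {'result': ..., 'props': {...}}}}."""
    body = FIELD_NAME_RE.sub("", " ".join(header.split()))  # unfold, drop the field name
    body = COMMENT_RE.sub("", body)                         # comments may contain ';'
    parts = [p.strip() for p in body.split(";") if p.strip()]
    parsed = {"authserv_id": parts[0] if parts else "", "methods": {}}
    for stanza in parts[1:]:
        tokens = stanza.split()
        if "=" not in tokens[0]:
            continue
        method, _, verdict = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed["methods"][method.lower()] = {"result": verdict.lower(), "props": props}
    return parsed


def spf_checked_domain(parsed):
    """Domain the receiver evaluated SPF against: the MAIL FROM domain, taken from
    smtp.mailfrom= (current headers) or smtp.mail= (older Gmail headers)."""
    spf = parsed["methods"].get("spf")
    if not spf:
        return None
    sender = spf["props"].get("smtp.mailfrom") or spf["props"].get("smtp.mail")
    return sender.rpartition("@")[2].lower() if sender else None


def needs_own_record(checked_domain, domains_with_spf):
    """True when SPF was evaluated for a name that publishes no record of its own,
    e.g. MAIL FROM said host.example.com but only example.com has a TXT record."""
    published = {d.lower() for d in domains_with_spf}
    return checked_domain is not None and checked_domain.lower() not in published


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        p = parse_auth_results(h)
        d = spf_checked_domain(p)
        print(p["methods"].get("spf", {}).get("result"), d, needs_own_record(d, {"example.com"}))
```

The second sample is the case the note above describes: the verdict is "neutral" not because the record is wrong but because the receiver looked for SPF at host.example.com, where nothing is published, so the fix is either to change the client's envelope sender or to publish a record for that host as well.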

Related Sites