SPF, or Sender Policy Framework, helps stop spammers from masquerading as you!
SPF info is a DNS record that says “I only send e-mail from these machines – if it’s not from one of these, it’s fake!”
To be all geeky, it fights return-path address forgery and makes it easier to identify spoofed e-mails. This is because domain owners identify all mail servers that send e-mail on their behalf within their DNS entries. Mail servers that receive SMTP e-mail verify the envelope sender address against the information in DNS, and thus can distinguish between authentic messages and forgeries before any message data is transmitted.
DreamHost doesn’t add any SPF records automatically because only you know where you send mail from. Each domain can only have one SPF record, and you may need to include information from many different sources in it: mail servers, your web server, a marketing company that sends newsletters to your customers, and any other server that you want to allow to send mail as your domain.
How to add SPF to your domain
SPF uses a text, or TXT, DNS record. You can add these in the DreamHost Control Panel. Convenient, no?
- Visit the Manage Domains page in Control Panel, and click the "[DNS]" link for the domain you wish to edit. You'll be taken to the domain management page.
- In the "Add a new DNS record..." box, verify that the correct domain appears.
- Keep in mind that SPF treats subdomains (such as sub.example.com) as separate – see SPF subdomain FAQ. Thus you may wish to specify SPF records both for example.com (leave host name empty – it may appear as .example.com) and any hosts like yourhost.example.com – wildcards for TXT aren’t supported by DreamHost, and are discouraged anyway in RFC 4408 §3.1.5.
- Paste your SPF record in the "Value:" text box.
- Add a comment if you wish, such as “SPF (Sender Policy Framework)”.
- From the "Type:" pulldown, choose "TXT".
- Click the "Add Record Now!" button.
This will add the SPF information to your domain's DNS on DreamHost's nameservers. If your domain uses external nameservers, such as those from another domain registrar, you'll need to enter the SPF information into that system.
Basic SPF records - just the mail servers, please
If you only send emails from your mail accounts on the mail servers, that's all you need to put in the SPF record. If your website sends emails using SMTP, those emails are sent from your mail accounts on the mail server and will be covered too.
Your SPF record will come from your domain's mail provider, where your domain's mail service is hosted.
- Regular DreamHost-hosted mail service: The current dreamhost.com SPF record is incomplete and does not include all of DreamHost's mail servers. The mail admins are working to revamp this SPF record so that it is accurate and is kept automatically updated with any changes, but until their work is complete SPF should not be used with domains that use DreamHost-hosted mail service.
- Google Apps / Gmail: Google's support website has an SPF record for Google's mail servers.
- Custom MX for another mail host: Your mail provider may have a basic SPF record that includes all their mail servers.
When is basic SPF not enough?
- If you send emails from your website and don't use SMTP, you should add your webserver's IP address to the SPF record.
- If you use a mass-mailing service, you should add that provider's servers to your SPF record.
Remember that a domain can only have one SPF record, so you'll need to combine all the information into a single record. The Advanced SPF section below has information on how to build an SPF record and what each part means.
An advanced SPF record includes more than just the default mail servers: it also lists every other server that sends mail for the domain. This is an example of an advanced SPF record:
v=spf1 ip4:321.321.321.321 include:_spf.google.com include:shaw.ca mx -all

| Part | Meaning |
|---|---|
| v=spf1 | Identifies this DNS record as an SPF version 1 record. |
| ip4:321.321.321.321 | IP address of a specific server, such as your webserver for scripts that send mail directly from your webserver. You can get your server IP from the first "A" record under "DNS" for your domain. (The value shown is a placeholder only: 321 is not a valid octet, so an SPF checker would reject this exact address. Substitute your server's real IPv4 address.) |
| include:_spf.google.com | Includes all the SPF records from Google, in this example where the domain's mail service is hosted. |
| include:shaw.ca | Includes all the SPF records for Shaw Cable in Canada, an ISP. In this example mail from the domain is sometimes sent through the ISP's SMTP server. |
| mx | Includes all of the MX servers the domain uses, listed in the domain's MX DNS records. |
| -all | Says all other servers are not authorized, and only mail sent from the listed servers will 'pass'. |
-all (dash) or ~all (tilde) or ?all
The symbol before "all" indicates how strictly the SPF record will be enforced.
- ?, question mark, gives a "neutral" result for every sender not listed, which receivers treat as though the domain had no SPF record at all.
- -, dash, makes the record strict: any mail from servers not listed will be marked "fail" and may be marked as spam or rejected entirely.
- ~, tilde, is between the other two options in strictness. Any mail from servers not listed will be marked "softfail". While intended for testing, some folks recommend using it to avoid delivery problems.
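As an added example (not DreamHost's code), here is a small offline evaluator for records of the shape shown above, so you can see how ip4, include, mx and the qualifier on "all" combine into pass, fail, softfail or neutral. The DNS table and the names example.com, _spf.example.net and bad.example are constructed for the example; a real checker would resolve TXT, MX and A records instead.

```python
# Added example, not DreamHost's code: a minimal offline SPF evaluator.
import ipaddress

# Constructed DNS data: TXT (SPF) records, MX hosts and A records.
# bad.example carries the page's placeholder address to show what happens.
DNS = {
    "TXT": {
        "example.com": "v=spf1 ip4:192.0.2.10 include:_spf.example.net mx -all",
        "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
        "bad.example": "v=spf1 ip4:321.321.321.321 -all",
    },
    "MX": {"example.com": ["mail.example.com"]},
    "A": {"mail.example.com": "203.0.113.25"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender ip on domain."""
    if depth > 10:                        # guard against include loops
        return "permerror"
    record = DNS["TXT"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                     # no SPF record published
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:       # each mechanism, left to right
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        try:
            if name == "all":
                matched = True
            elif name == "ip4":           # single address or CIDR range
                matched = sender in ipaddress.ip_network(arg, strict=False)
            elif name == "mx":            # any of the domain's MX hosts
                matched = any(DNS["A"].get(h) == ip for h in DNS["MX"].get(domain, []))
            elif name == "a":
                matched = DNS["A"].get(arg or domain) == ip
            elif name == "include":       # pass only if the included record passes
                matched = check_spf(arg, ip, depth + 1) == "pass"
            else:
                return "permerror"        # unknown mechanism
        except ValueError:                # e.g. ip4:321.321.321.321 does not parse
            return "permerror"
        if matched:
            return QUALIFIERS[qual]       # first match decides
    return "neutral"                      # nothing matched and no 'all' term
```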
This table has the SPF information of various mail providers that other folks have used:

| Provider | SPF information |
|---|---|
| Microsoft/Hotmail | N/A (uses SenderID) |
| Shaw Communications Ltd. | include:shaw.ca |
Testing your SPF record
- SPF Record Testing Tools has a tester for verifying the syntax of a record before you add it, and a DNS lookup to check that the record has been published.
- Test the SPF record using Gmail or Yahoo by sending an email there from all the sources from which you send email.
- Test by sending an email to an automated testing tool from all the sources from which you send email.
Note about envelope sender
A subtle point, if sending from host.yourdomain.com, is whether your email client is sending the envelope sender (SMTP MAIL FROM) as user@yourdomain.com or as user@host.yourdomain.com (does it include or exclude host?) – this is an issue if you can’t set (or don’t want to set) an SPF record for each host, for example if using dynamic DNS where your actual host record is a CNAME – and the dynamic DNS registrar doesn’t provide TXT records.
You can check which MAIL FROM is being sent by sending an email to an email address that does SPF validation, such as Gmail, and then checking the smtp.mailfrom field in the Authentication-Results: header. How to change this depends on the client, and may be tricky.
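As an added example (not DreamHost's code), the following pulls the SPF verdict and the smtp.mailfrom address out of an Authentication-Results header and tells you whether the envelope sender used the bare domain or a host under it. The sample message is constructed to mimic the header shape Gmail produces; host.example.com and example.com are assumed names.

```python
# Added example, not DreamHost's code: read spf= and smtp.mailfrom= from
# an Authentication-Results header to see which envelope sender was used.
import email
import re

# Constructed sample message (folded header, as a receiving MTA writes it).
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=neutral (no signature);
       spf=softfail (domain of transitioning user@host.example.com does not designate 203.0.113.25 as permitted sender) smtp.mailfrom=user@host.example.com
From: user@example.com
Subject: SPF test

hello
"""

def spf_verdict(raw_message):
    """Return (spf_result, mailfrom_domain) from the Authentication-Results header."""
    msg = email.message_from_string(raw_message)
    header = msg.get("Authentication-Results")
    if header is None:
        return None, None
    flat = " ".join(header.split())                 # unfold continuation lines
    result = re.search(r"\bspf=(\w+)", flat)
    mailfrom = re.search(r"smtp\.mailfrom=(\S+)", flat)
    domain = None
    if mailfrom:
        domain = mailfrom.group(1).rstrip(";").rsplit("@", 1)[-1].lower()
    return (result.group(1) if result else None), domain

def host_included(mailfrom_domain, apex):
    """True when the envelope sender used a host under apex instead of apex itself."""
    return mailfrom_domain != apex and mailfrom_domain.endswith("." + apex)
```

If host_included returns True, the receiver evaluated SPF for the host name, so that host needs its own TXT record (or the client must send MAIL FROM with the bare domain).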