How can I create an SPF record for my domain?

  • Applies to: (ve), All DV, Domain Registrations, DV, DV Developer, Grid, Premium WordPress

  • Difficulty: Easy

  • Time needed: 10 minutes

  • Tools needed: AccountCenter access

Overview

Sender Policy Framework (SPF) is a method of fighting spam. As more time passes, this protocol will be used as one of the standard methods of fighting spam on the Internet. An SPF record is a TXT record that is part of a domain's DNS zone file. The TXT record specifies a list of authorized host names/IP addresses that mail can originate from for a given domain name. Once this entry is placed within the DNS zone, no further configuration is necessary to take advantage of servers that incorporate SPF checking into their anti-spam systems. This SPF record is added the same way as a regular A, MX, or CNAME record.

The authoritative source for this information can be found here: http://www.openspf.net/SPF_Record_Syntax.

Requirements

Your domain must be using (mt) nameservers:

  • NS1.MEDIATEMPLE.NET
  • NS2.MEDIATEMPLE.NET

For information on how to confirm this for your domain, see this article: Performing a WHOIS search.

READ ME FIRST

This article is provided as a courtesy. Installing, configuring, and troubleshooting custom DNS settings is not supported by (mt) Media Temple. Please take a moment to review our Statement of Support.

Example record

As a courtesy, we've come up with a generic SPF record that should work quite effectively for you.

v=spf1 include:spf.mail01.mtsvc.net -all

For the record below, be sure to replace xxx.xxx.xxx.xxx with your server's IP address.

v=spf1 a mx ip4:xxx.xxx.xxx.xxx -all

NOTE:

If you send email through your mail servers at (mt) and also through another mail server (such as your ISP's mail server in the case of restricted port 25 access), you can add an "include:" mechanism in your SPF record to include the SPF records for the servers you use. For example:

v=spf1 include:spf.mail01.mtsvc.net include:adelphia.net -all

The above would work if your domain name is gs-example.com and you also send mail through adelphia.net's mail servers.


Before including your ISP in this manner, you must make sure that the domain you provide also has an SPF record set up. You can check this at http://dnsstuff.com/, http://www.kitterman.com/spf/validate.html or other third-party services by doing a DNS lookup for the domain's TXT record. If you are using Google Apps for your domain, please see the following guide: http://www.google.com/support/a/bin/answer.py?answer=178723

Instructions

  1. Log into your Account Center.
  2. Select your domain name from the Domains drop-down or click "Show All" for a complete list, if your domain does not appear.

  3. Click the Edit DNS Zone File option under the DNS & Zone Files menu.

  4. Click + Add Row to create a new record. Set the type to TXT and enter your SPF record in the right column.

    v=spf1 include:spf.mail01.mtsvc.net -all

    For the record below, be sure to replace xxx.xxx.xxx.xxx with your server's IP address.

    v=spf1 a mx ip4:xxx.xxx.xxx.xxx -all
  5. Click Save to commit the changes.

You can also use this SPF wizard: http://spfwizard.com/.
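A record can also be checked offline before it is saved to the zone file. The Python below is an added example, not Media Temple code: the function name lint_spf is made up for illustration, and the checks follow the SPF syntax in RFC 4408, including its limit of 10 DNS-lookup terms per check.

```python
import ipaddress
import re

# Terms that trigger a DNS lookup; RFC 4408 section 10.1 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}
TERM_RE = re.compile(r"([a-z][a-z0-9]*)(?:[:=/](.*))?$", re.I)


def lint_spf(record):
    """Return a list of problems in an SPF TXT value; an empty list means clean."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups, all_seen, has_default = [], 0, False, False
    for term in terms[1:]:
        # A missing qualifier means "+" (pass).
        qual, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        m = TERM_RE.match(body)
        name = m.group(1).lower() if m else ""
        if name not in KNOWN_TERMS:
            problems.append(f"unrecognised term: {term}")
            continue
        arg = m.group(2) or ""
        if all_seen:
            problems.append(f"{term} comes after 'all' and is never evaluated")
        lookups += name in LOOKUP_TERMS
        if name in {"include", "exists", "redirect"} and not arg:
            problems.append(f"{term} needs a domain name")
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
                if net.version != int(name[2]):
                    problems.append(f"{term} holds an IPv{net.version} address")
            except ValueError:
                problems.append(f"{term} is not a valid address (placeholder left in?)")
        if name == "all":
            all_seen = True
            if qual == "+":
                problems.append("+all authorises every sender")
        has_default |= name in ("all", "redirect")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if not has_default:
        problems.append("no 'all' or 'redirect': unmatched senders get 'neutral'")
    return problems


if __name__ == "__main__":
    print(lint_spf("v=spf1 a mx ip4:xxx.xxx.xxx.xxx -all"))
```

The check is purely syntactic; it does not confirm that an included domain actually publishes an SPF record, which still needs the TXT lookup described in the note above.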

Stop receiving spoofed emails and bouncebacks

Spamming with a fake reply-to address (yours) is called "spoofing." Since the email appears to be coming from your server, complaints and bouncebacks from the spam will often be redirected to your server, rather than the actual spammer. You may also receive some of the original spam - spam that appears to be coming from you!

Adding an SPF record to your zone file is the best way to stop spammers from using this technique with your domain. An SPF record will eliminate a high proportion of the bouncebacks you've been getting, because other mail providers will reject the email immediately without sending a bounceback to the (spoofed) reply-to address. While the SPF record is not 100% effective, because not all mail providers check for it, you should notice a drastic decrease in the number of bouncebacks you receive.

If you are also receiving the original spoofed emails (that look like spam coming from yourself) you can add the spammer to your block list. You will need to look at the header from one of the spam emails. Look for the very last line that starts with Received. You want to check for the IP address or domain that the message is coming from, not to or received by. Add this IP or domain to your block list in your spam filter.

If you look at your header and find out that the spam actually is coming from your own server, you should proceed to our Security Resources article, as this may indicate a compromise.
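The header check described above can be scripted. The Python below is an added example, not Media Temple code: the sample message is constructed with documentation addresses, the function names origin_of and classify are made up for illustration, and the parsing assumes the common "from name (rdns [ip]) by ..." layout of a Received line, which varies between mail servers.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers (documentation addresses, not from a real message).
SAMPLE = """\
Received: from mx.gs-example.com (mx.gs-example.com [192.0.2.25])
\tby mail.gs-example.com with ESMTP id A1; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.net (unknown [198.51.100.77])
\tby mx.gs-example.com with SMTP id B2; Mon, 1 Jan 2024 10:00:01 +0000
From: you@gs-example.com
Subject: constructed sample

body
"""

FROM_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def origin_of(raw_message):
    """Return (claimed_name, ip) from the 'from' clause of the last Received header."""
    hops = message_from_string(raw_message).get_all("Received") or []
    if not hops:
        return None
    last = " ".join(hops[-1].split())  # unfold continuation lines
    m = FROM_RE.match(last.split(" by ", 1)[0])  # "from", not "by"
    if not m:
        return None
    # The name after "from" is what the sender claimed; the bracketed IP was
    # recorded by the receiving server, so prefer the IP for a block list.
    ip = IP_RE.search(m.group(2) or "")
    return m.group(1), ip.group(1) if ip else None


def classify(raw_message, own_networks):
    """'own-server' means the mail left your own host: check for a compromise."""
    origin = origin_of(raw_message)
    if not origin or not origin[1]:
        return "unknown"
    try:
        addr = ipaddress.ip_address(origin[1])
    except ValueError:
        return "unknown"
    if any(addr in ipaddress.ip_network(net) for net in own_networks):
        return "own-server"
    return "external"
```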

Activate incoming mail SPF filtration on DV

Enable incoming SPF Filtration

Your DV can be set up to accept messages only from senders that can pass varying degrees of SPF verification. This is useful for avoiding large amounts of unsolicited error messages, spam from forged email addresses, and other auto-reply clutter.

  1. Navigate to the Server Management - Tools & Settings area of Plesk.
  2. Access your Mail Server Settings from the Mail menu.
  3. Enable the option ‘Switch on SPF spam protection’.
  4. From this point, you can choose between a few different types of SPF checking modes.
    Here is a bit more info on the different SPF filtration options:
    • The Only create Received-SPF headers, never block option will accept all incoming messages regardless of SPF check results.
    • The Use temporary error notices when you have DNS lookup problems option will accept all incoming messages, regardless of SPF check results. It will send an error notice if an SPF check failed due to DNS lookup problems.
    • The option Reject mail when SPF resolves to “fail” (deny) will reject messages from senders who are not authorized to use the domain in question. This would be a good option to use if you are noticing large amounts of spoofing spam.
    • The option Reject mail when SPF resolves to “softfail” will reject the messages that are most likely from senders who are not authorized to use the domain in question. This is a bit more strict, and may not be necessary to activate. We recommend allowing some time with a less strict setting to see if that resolves the issue first.
    • To reject the messages from senders who cannot be identified by the SPF system as authorized or not authorized because the domain has no SPF records published, choose the option Reject mail when SPF resolves to “neutral”. This setting is not usually recommended, as not all domains have SPF records, and you may miss traffic from legitimate sources.
    • To reject the messages that do not pass SPF check for any reason (for example, when sender's domain does not implement SPF and SPF checking returns the "unknown" status), select the option Reject mail when SPF does not resolve to “pass”. This strictness level is not usually recommended.
  5. If you need to specify additional rules that are applied by the spam filter before the SPF check is actually done by the mail server, type the rules you need in the SPF local rules box. While configuration on this level is outside of what (mt) Media Temple supports, for more information on SPF rules visit: http://tools.ietf.org/html/rfc4408.
  6. To specify the rules that are applied to domains that do not publish SPF records, type the rules into the SPF guess rules box.
  7. If you’d like to specify a notice that is returned to the sender when a message is rejected for failing SPF, type it into the SPF explanation text box. If nothing is specified, the default bounceback error text will be used for notification.
  8. To save your changes, click OK at the bottom of the menu.

Alternate/Additional Domains

If you'd like to set up SPF records for an Alternate Domain, please make sure that you are adding the TXT record to the proper zone. The SPF record for my-example-domain-2.com does not belong in example.com's DNS zone listing, but rather in the DNS zone of that same domain. This must be done for each domain you'd like to use SPF on as well. Simply setting it up for just the primary domain of your server will not have any impact on the SPF status of your other domain names on that same server.

 
