Overview
Sender Policy Framework (SPF) is a method of fighting sender forgery and, by extension, spam. An SPF record is a TXT record in a domain's DNS zone that lists the host names and IP addresses authorized to send mail using that domain as the envelope sender (the MAIL FROM / Return-Path address). A receiving server that checks SPF looks up the TXT record for the sender's domain and compares the IP address that connected to it against that list. Once the record is published in DNS, no further configuration is necessary on your side for servers that incorporate SPF checking into their anti-spam systems to act on it. The SPF record is added the same way as a regular A, MX, or CNAME record.
The authoritative source for this information can be found here: http://www.openspf.net/SPF_Record_Syntax.
Requirements
Your domain must be using (mt) nameservers:
- NS1.MEDIATEMPLE.NET
- NS2.MEDIATEMPLE.NET
For information on how to confirm this for your domain, see this article: Performing a WHOIS search.
READ ME FIRST
This article is provided as a courtesy. Installing, configuring, and troubleshooting custom DNS settings is not supported by (mt) Media Temple. Please take a moment to review our Statement of Support.
Example record
As a courtesy, we've come up with a few generic SPF records that should work quite effectively for you. Pick the one that matches where your mail actually originates: a record that omits a legitimate sending host will cause that host's mail to fail SPF at providers that check it.
If mail is sent from your server's own IP address, from the hosts in your domain's A and MX records, and through secureserver.net:
v=spf1 a mx ip4:xxx.xxx.xxx.xxx include:secureserver.net -all
Replace xxx.xxx.xxx.xxx with your server's IP address. An IP address belongs in an ip4: mechanism; include: takes a domain name, whose own SPF record is then evaluated, and an include: of an IP address is a syntax error that makes the whole check fail with a permanent error.
If you do not need to list a specific IP address:
v=spf1 a mx ptr include:secureserver.net -all
(The ptr mechanism is slow and deprecated by the current SPF specification, RFC 7208; it can usually be left out.)
If all of your mail goes out through the Media Temple mail service:
v=spf1 include:spf.mail01.mtsvc.net -all
If mail is sent only from the hosts in your A and MX records plus one fixed IP address (again, be sure to replace xxx.xxx.xxx.xxx with your server's IP address):
v=spf1 a mx ip4:xxx.xxx.xxx.xxx -all
NOTE:
If you send email through your mail servers at Media Temple and also through another mail server (such as your ISP's mail server in the case of restricted port 25 access), you can add an "include:" mechanism in your SPF record to include the SPF records for the servers you use. For example:
v=spf1 include:spf.mail01.mtsvc.net include:adelphia.net -all
The above would work if your domain name is gs-example.com and you also send mail through adelphia.net's mail servers.
Before including your ISP in this manner, you must make sure that the domain you provide also has an SPF record published: an include: of a domain that has no SPF record makes the whole check return a permanent error (PermError) rather than a pass or fail. You can check this at http://dnsstuff.com/, http://www.kitterman.com/spf/validate.html or other third-party services by doing a DNS lookup for TXT records on that domain. If you are using Google Apps for your domain, please see the following guide at http://www.google.com/support/a/bin/answer.py?answer=178723
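To make the example records and the include: note above concrete, here is a small SPF evaluator written for this article (it is an added example, not code from Media Temple or from any (mt) product). It follows the RFC 7208 evaluation rules for the mechanisms used in the records above (a, mx, ip4, include, all) and runs against a constructed in-memory zone, so it needs no network. It shows why include: must name a domain that publishes its own SPF record, why the common mistake of writing include: with an IP address ends in a permanent error, and how -all, ~all and ?all differ. All domains and addresses are documentation values; spf.mail01.mtsvc.net is named in the article, but the record given for it here is made up for the example.

```python
"""Added example (not from the Media Temple article): a minimal SPF
evaluator in the spirit of RFC 7208, run against a constructed zone.
Only the subset needed to illustrate the article is implemented;
redirect=/exp= modifiers and the ptr mechanism are not evaluated."""
import ipaddress

# Constructed zone: domain -> record type -> values (RFC 2606 / RFC 5737 values).
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 a mx ip4:203.0.113.10 include:spf.mail01.mtsvc.net -all"],
        "A": ["198.51.100.5"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "spf.mail01.mtsvc.net": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},  # made up for the example
    "softfail.example": {"TXT": ["v=spf1 ip4:203.0.113.10 ~all"]},
    "nospf.example": {"TXT": ["not an spf record"]},
    "bad-include.example": {"TXT": ["v=spf1 include:nospf.example -all"]},
    # The mistake discussed in the article: include: given an IP address.
    "ip-include.example": {"TXT": ["v=spf1 include:203.0.113.10 -all"]},
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per check
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query, answered from the constructed zone."""
    return ZONE.get(name.lower(), {}).get(rtype, [])


def get_spf(domain):
    """Return the domain's single v=spf1 record, or None if it has none
    (or more than one, which RFC 7208 section 3.2 treats as an error)."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def ip_in(ip, target):
    """True if `ip` lies inside `target`, given as an address or CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(target, strict=False)


def check_host(ip, domain, _budget=None):
    """Evaluate SPF for sending IP `ip` and envelope-sender domain `domain`.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    record = get_spf(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        if "=" in term:                      # modifiers are out of scope here
            continue
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIER_RESULT else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        result = QUALIFIER_RESULT[qualifier]
        if name == "all":
            return result
        if name in ("a", "mx", "include", "ptr", "exists"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"           # too many lookups: the whole check errors
        if name == "ip4":
            if ip_in(ip, arg):
                return result
        elif name == "a":
            if any(ip_in(ip, a) for a in lookup(arg or domain, "A")):
                return result
        elif name == "mx":
            if any(ip_in(ip, a) for h in lookup(arg or domain, "MX") for a in lookup(h, "A")):
                return result
        elif name == "include":
            # Recurse into the other domain's policy. A pass there matches this term;
            # a missing record or an error there turns the whole check into a
            # permerror, which is why the included domain must publish SPF itself.
            inner = check_host(ip, arg, budget)
            if inner == "pass":
                return result
            if inner in ("none", "permerror"):
                return "permerror"
        elif name == "ptr":
            continue                         # deprecated (RFC 7208 section 5.5); ignored here
        else:
            return "permerror"               # unknown mechanism
    return "neutral"                         # nothing matched and no "all" term (section 4.7)


if __name__ == "__main__":
    for sender, dom in [("203.0.113.10", "example.com"), ("192.0.2.77", "example.com"),
                        ("10.0.0.1", "example.com"), ("10.0.0.1", "ip-include.example")]:
        print(f"{sender:>14} as {dom:<20} -> {check_host(sender, dom)}")
```

The constructed example.com record is the corrected form of the article's first record, so the run shows the server IP passing via ip4:, a host inside the included provider's range passing via include:, an unrelated address failing on -all, and the include:IP mistake producing permerror rather than the rejection you intended.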
Instructions
- Log into your Account Center.
- Navigate to the Edit DNS Zone Page for your desired domain.
- Select the + Add Row button to create a new record. Set the type to TXT and enter your SPF record in the right column, for example one of:
v=spf1 a mx ip4:xxx.xxx.xxx.xxx include:secureserver.net -all
v=spf1 include:spf.mail01.mtsvc.net -all
v=spf1 a mx ip4:xxx.xxx.xxx.xxx -all
Be sure to replace xxx.xxx.xxx.xxx with your server's IP address. Publish only one SPF TXT record per domain; servers that find two treat the check as a permanent error.
- Click Save to commit the changes.
You can also use this SPF wizard: http://spfwizard.com/.
Stop receiving spoofed emails and bouncebacks
Sending spam with a forged sender address (yours) is called "spoofing." The forged address is usually the envelope sender (the Return-Path), which is where bounces are delivered, so complaints and bouncebacks from the spam run land on your server rather than with the actual spammer. You may also receive some of the original spam, mail that appears to be coming from you!
Adding an SPF record to your zone file is the best way to stop spammers from using your domain in this way. With a record ending in -all, other mail providers that check SPF reject the forged message during the SMTP session, without sending a bounceback to the (spoofed) sender address, so a high proportion of the bouncebacks you've been getting stop. SPF is not 100% effective, because not all mail providers check it and because it covers only the envelope sender and not the From: address shown to the reader, but you should notice a drastic decrease in the amount of bouncebacks you receive.
If you are also receiving the original spoofed emails (that look like spam coming from yourself), you can add the spammer to your block list. You will need to look at the headers of one of the spam emails. Each server that handles a message adds its own Received line at the top of the headers, so the topmost Received line is the one written by your own mail server and is the one you can trust; Received lines further down arrived inside the message and may have been forged by the spammer. In that topmost line, take the IP address or domain the message was received from (the "from" part, not the "by" or "for" part) and add it to the block list in your spam filter.
- How do I set up spam filtering for my server?
- Block email from a specific domain or TLD
If the headers show that the spam actually is coming from your own server (the topmost Received line shows a connection from your own server's IP address), you should proceed to our Security Resources article, as this may indicate a compromise.
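The header check described above, as an added example written for this article (it is not Media Temple's code): it unfolds the headers of a message, takes the connecting IP from the topmost Received line (the one your own server wrote), and decides whether that IP goes on the block list or whether the mail is coming from your own server and a compromise should be suspected. The two messages, the host names and the addresses are constructed for the example, and the set of "your own" server IPs is an assumption you would replace with your real ones.

```python
"""Added example (not from the Media Temple article): read the trusted
Received line of a spoofed message and classify its origin."""
import re

# Assumption for the example: the IP addresses of your own mail server.
MY_SERVER_IPS = {"198.51.100.5", "127.0.0.1"}

# Constructed message: the spammer connected from 203.0.113.99 and also
# smuggled in a fake Received line (the lower one) naming our own server.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@example.com>
Received: from mx.spammer.example (unknown [203.0.113.99])
\tby mail.example.com (Postfix) with ESMTP id 4F0C2A1
\tfor <you@example.com>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from mail.example.com (mail.example.com [198.51.100.5])
\tby mail.example.com with ESMTP; Mon, 01 Jan 2024 09:59:00 +0000
From: you@example.com
To: you@example.com
Subject: Spoofed message

body
"""

# Constructed message injected by a script running on the server itself
# (for example a compromised web application): the topmost hop is our own IP.
COMPROMISED_MESSAGE = """\
Received: from example.com (example.com [198.51.100.5])
\tby mail.example.com (Postfix) with ESMTP id 9B11C0D; Mon, 01 Jan 2024 11:00:00 +0000
From: you@example.com
Subject: Cheap meds

body
"""

# "Received: from <claimed host> ... [<connecting IPv4>]"
RECEIVED_FROM = re.compile(r"^Received:\s+from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Return the header block as logical lines, joining RFC 5322 folded
    continuation lines (those that start with a space or tab)."""
    block = raw.split("\n\n", 1)[0]
    lines = []
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """(claimed host name, connecting IP) for each Received header, topmost first."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_FROM.match(line)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def classify_origin(raw, my_ips=MY_SERVER_IPS):
    """Decide what to do about the message based on the trusted (topmost) hop only."""
    hops = received_hops(raw)
    if not hops:
        return {"ip": None, "action": "no usable Received header"}
    host, ip = hops[0]
    if ip in my_ips:
        return {"ip": ip, "action": "sent from your own server: check for compromise"}
    return {"ip": ip, "claimed_host": host, "action": "add to spam filter block list"}


if __name__ == "__main__":
    print(classify_origin(SPOOFED_MESSAGE))
    print(classify_origin(COMPROMISED_MESSAGE))
```

If your mail passes through a relay or filtering gateway you control before reaching the server, the trusted hop is the first Received line written by your outermost relay rather than hops[0]; the lines below that boundary are still untrusted.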
Activate incoming mail SPF filtration on DV
Plesk
Enable incoming SPF Filtration
Your DV can be set up to accept messages only from senders that can pass varying degrees of SPF verification. This is useful for avoiding large amounts of unsolicited error messages, spam from forged email addresses, and other auto-reply clutter.
- Navigate to the Server Management - Tools & Settings area of Plesk
- Access your Mail Server Settings from the Mail menu.
- Enable the option Switch on SPF spam protection.
- From this point, you can choose between a few different SPF checking modes.
- The Only create Received-SPF headers, never block option accepts all incoming messages regardless of the SPF check result and only records the result in a Received-SPF header. This is a good starting point for seeing what the check would do before rejecting anything.
- The Use temporary error notices when you have DNS lookup problems option also accepts all messages regardless of the SPF result, but when the check cannot complete because of a DNS lookup problem it returns a temporary error to the sending server so that the message is retried later instead of being accepted or rejected on incomplete information.
- Here is a bit more info on the stricter SPF filtration options:
- The option Reject mail when SPF resolves to "fail" (deny) rejects messages from senders that the domain's SPF record explicitly does not authorize (typically a record ending in -all). This is the setting to use if you are noticing large amounts of spoofing spam, but it is a bit more strict and may not be necessary to activate; we recommend allowing some time with a less strict setting to see if that resolves the issue first.
- To reject messages from senders that cannot be classified as authorized or unauthorized, either because the domain has no SPF record published or because its record explicitly returns neutral (for example, ?all), choose the option Reject mail when SPF resolves to "neutral". This setting is not usually recommended, as not all domains have SPF records, and you may lose traffic from legitimate sources.
- To reject every message that does not pass the SPF check, for whatever reason (for example, when the sender's domain does not implement SPF and the check returns an "unknown" status), select the option Reject mail when SPF does not resolve to "pass". This strictness level is not usually recommended.
- If you need to specify additional rules that are applied by the spam filter before the SPF check is actually done by the mail server, type the rules you need in the SPF local rules box. While configuration on this level is outside of what (mt) Media Temple supports, for more information on SPF rules visit: http://tools.ietf.org/html/rfc4408 (RFC 4408 has since been revised as RFC 7208, which uses the same record syntax).
- To specify the rules that are applied to domains that do not publish SPF records, type the rules into the SPF guess rules box.
- If you'd like to specify a notice that is returned to the sender when a message is rejected for failing SPF, type it into the SPF explanation text box. If nothing is specified, the default bounceback error text will be used for notification.
- To save your changes, click OK at the bottom of the menu.
cPanel
cPanel provides a simple interface for generating an SPF record for your outgoing mail. These steps must be completed for each domain that you would like to protect.
For SPF records
1. Log into cPanel and select Authentication from the email menu.
2. Scroll down to the SPF section and click Enable.
3. Scroll to the bottom and apply your new settings by clicking Update.
To enable DKIM signing of your outgoing mail as well, repeat these steps but select DKIM.
Alternate/Additional Domains
If you'd like to set up SPF records for an Alternate Domain, please make sure that you are adding the TXT record to the proper zone. Receiving servers look up the SPF record for the domain in the envelope sender address, so the SPF record for my-example-domain-2.com does not belong in example.com's DNS zone, but in the DNS zone of my-example-domain-2.com itself. This must be done for each domain you'd like to use SPF on. Simply setting it up for the primary domain of your server will have no impact on the SPF status of your other domain names on that same server.