Set up SPF

SPF (Sender Policy Framework) is used to restrict which mail servers are authorized to send email as an envelope from address for your domain name. This framework (RFC 7208) is designed to detect and block email spoofing by providing a mechanism to allow receiving mail exchangers to verify that incoming mail from a domain comes from an IP Address authorized by that domain's administrators.

The list of authorized sending hosts and IP addresses for a domain is published in the DNS records in the form of an SPF record (a specially formatted TEXT record).

Forwarding emails can sometimes break the SPF. In this case we recommend implementing an SRS component on the sending server (Sender Rewriting Scheme - http://www.open-spf.org/srs/).

Set up SPF for a Mail Assure Domain

Existing SPF record

If you have an existing SPF record, ensure the following is added between v=spf1 and -all:

include:spf.mtaroutes.com

New SPF record

If you do not have an SPF record, or you are only using Mail Assure to send outbound messages, you need to create a TXT record (DNS record type 16) with the following data:

v=spf1 include:spf.mtaroutes.com -all

The SPF record must contain each of these sections:

  • v=spf1 - this is the version of the SPF record
  • include:spf.mtaroutes.com - this allows use of the Mail Assure server SPF record
  • -all - this means to exclude everything else (cause a hard fail)

Example including your own IP address and domain:

v=spf1 ip4:1.2.3.4/32 include:spf.mtaroutes.com A:yourdomain.invalid -all

Replace the ip4 entry of 1.2.3.4/32 with your mail server IPv4 address and yourdomain.invalid with your domain.

Once the SPF record has been written, publish the SPF record (TXT record) to the authoritative DNS server for your domain. Instructions on how this can be done will differ from each domain provider. For assistance, please contact your domain provider.

Depending on your current SPF records Time to Live (TTL), this may take up to 24 hours or more to propagate.

If you have multiple sending addresses, the following external links may be used for additional formatting and guidance:

If you are using other sources for outgoing filtering, you need to make sure you modify the SPF record appropriately. The above is only suitable if all outgoing filtering is handled by Mail Assure.

Regional specific SPF records

These regional specific records are only to be used if you require a reduction to the scope of allowed IPs to a smaller geographic region.

We do not recommend using these regional records unless absolutely necessary.

If using regional SPF records, you must only add the region that was selected when adding the domain. Please contact our support team by raising a support ticket through N-AbleMe to change the region of your domain if required.

  • EU-only: spf-eu.mtaroutes.com
  • US-only: spf-us.mtaroutes.com
  • UK-only: spf-uk.mtaroutes.com
  • AU-only: spf-au.mtaroutes.com
  • CA-only: spf-ca.mtaroutes.com
  • ZA-only: spf-za.mtaroutes.com

Branded SPF record

If you want to use your own domain in your clients' SPF records, use the "include" option:

  1. Create a subdomain for the domain you wish to add to your clients SPF spf.yourdomain.invalid (spf.yourdomain.invalid)
  2. Create a TXT record (DNS record type 16) for spf.yourdomain.invalid (spf.yourdomain.invalid) with the following details:

    v=spf1 include:spf.mtaroutes.com -all

  3. Add the following TXT record to your clients' domain DNS:

    v=spf1 include:spf.yourdomain.invalid -all