Set up SPF
SPF (Sender Policy Framework) restricts which mail servers are authorized to send email using your domain name in the envelope-from address. This framework (RFC 7208) is designed to detect and block email spoofing by giving receiving mail exchangers a way to verify that incoming mail from a domain comes from an IP address authorized by that domain's administrators.
The list of authorized sending hosts and IP addresses for a domain is published in the DNS records in the form of an SPF record (a specially formatted TEXT record).
Forwarding email can sometimes break SPF. In this case, we recommend implementing an SRS (Sender Rewriting Scheme) component on the sending server - http://www.open-spf.org/srs/.
Set up SPF for SpamExperts Hosted Cloud Users
Existing SPF record
If you have an existing SPF record, ensure the following is added between v=spf1 and -all:
include:spf.antispamcloud.com
New SPF record
If you do not have an SPF record, or you are only using SpamExperts to send outbound messages, you need to create a TXT record (DNS record type 16) with the following data:
v=spf1 include:spf.antispamcloud.com -all
The SPF record must contain each of these sections:
v=spf1 - this is the version of the SPF record
include:spf.antispamcloud.com - this allows use of the SpamExperts server SPF record
-all - this means to exclude everything else (cause a hard fail)
Example including your own IP address and domain:
v=spf1 ip4:1.2.3.4/32 include:spf.antispamcloud.com A:yourdomain.invalid -all
Replace the ip4 entry of 1.2.3.4/32 with your mail server IPv4 address and yourdomain.invalid with your domain.
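One way to apply and check the steps above, as an added example that is not SpamExperts code: add_include and check_record are hypothetical helper names, and the sample record is constructed. It goes slightly beyond the page by also flagging an include placed after the all mechanism, which RFC 7208 says is never evaluated.

```python
REQUIRED = "include:spf.antispamcloud.com"  # value taken from the page


def _is_all(term: str) -> bool:
    """True for the 'all' mechanism with any qualifier (+all, -all, ~all, ?all)."""
    return term.lower().lstrip("+-~?") == "all"


def add_include(record: str, include: str = REQUIRED) -> str:
    """Insert `include` just before the 'all' mechanism of an existing record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    if include in (t.lower() for t in terms):
        return " ".join(terms)  # already present, nothing to add
    # Position of 'all'; if the record has none, append at the end.
    pos = next((i for i, t in enumerate(terms) if _is_all(t)), len(terms))
    return " ".join(terms[:pos] + [include] + terms[pos:])


def check_record(record: str, include: str = REQUIRED) -> list:
    """Return the problems found against the sections the page requires."""
    terms = [t.lower() for t in record.split()]
    problems = []
    if not terms or terms[0] != "v=spf1":
        problems.append("record does not start with v=spf1")
    all_pos = next((i for i, t in enumerate(terms) if _is_all(t)), None)
    if include not in terms:
        problems.append("missing " + include)
    elif all_pos is not None and terms.index(include) > all_pos:
        problems.append(include + " comes after 'all' and is never evaluated")
    if all_pos is None:
        problems.append("no 'all' mechanism")
    elif terms[all_pos] != "-all":
        problems.append("ends in " + terms[all_pos] + " instead of -all (no hard fail)")
    return problems


if __name__ == "__main__":
    # Constructed sample: an existing record that ends in a soft fail.
    merged = add_include("v=spf1 ip4:1.2.3.4/32 a:yourdomain.invalid ~all")
    print(merged)
    print(check_record(merged))
```

An empty list from check_record means the record contains all three sections in a usable order.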
Once the SPF record has been written, publish the TXT record to the authoritative DNS server for your domain. Instructions on how this can be done differ between domain providers. For assistance, please contact your domain provider.
Depending on your current SPF record's Time to Live (TTL), this may take up to 24 hours or more to propagate.
If you have multiple sending addresses, the following external links may be used for additional formatting and guidance:
- Open SPF - http://www.open-spf.org/
- SPF wizard - https://www.spfwizard.net/
If you are using other sources for outgoing filtering, you need to make sure you modify the SPF record appropriately. The above is only suitable if all outgoing filtering is handled by SpamExperts.
Regional specific SPF records
These regional specific records are only to be used if you need to reduce the scope of allowed IPs to a smaller geographic region.
We do not recommend using these regional records unless absolutely necessary.
If using regional SPF records, you must only add the region that was selected when adding the domain. Please contact our support team by raising a support ticket through N-AbleMe to change the region of your domain if required.
- EU-only: spf-eu.antispamcloud.com
- US-only: spf-us.antispamcloud.com
- UK-only: spf-uk.antispamcloud.com
- AU-only: spf-au.antispamcloud.com
- CA-only: spf-ca.antispamcloud.com
- ZA-only: spf-za.antispamcloud.com
Set up SPF for SpamExperts Local Cloud Users
SPF record Values
A TXT record should be created, listing all of the public IP addresses used for SMTP submission traffic. For example, if your cluster only sends outbound traffic using IP 1.2.3.4/32, a record such as this could be used:
spf.yourdomain.invalid = v=spf1 ip4:1.2.3.4/32 -all
Customers can then use the SPF record:
v=spf1 include:spf.yourdomain.invalid -all
We recommend you create a DNS hostname similar to the one configured during Outbound Relay Setup. For SPF, however, we recommend adding all cluster IPs configured to send SMTP traffic to the hostname as multiple A records, so that if IPs are changed or rotated, no changes need to be made to senders' SPF records.
Do not use your servers' native hostnames for SPF records. Create a new sub-domain record for SPF usage.
spf.yourdomain.invalid > A > Primary sending IP of 1st server
spf.yourdomain.invalid > A > Secondary sending IP of 1st server (if configured)
spf.yourdomain.invalid > A > Primary sending IP of 2nd server
spf.yourdomain.invalid > A > Secondary sending IP of 2nd server (if configured)
If your sending domains already use SPF, then you need to add a:spf.yourdomain.invalid to their existing TXT record. If they do not have an SPF record, and you wish to configure this (and restrict all email to the SpamExperts server), then you can create something like this:
v=spf1 a:spf.hostname.invalid -all
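How a receiving server evaluates the two record styles above, as an added example (not SpamExperts code): a simplified version of the RFC 7208 check run over constructed zone data. customer.invalid, client.invalid and the 192.0.2.x / 198.51.100.x addresses are made-up placeholders, and only the ip4, a, include and all mechanisms are handled.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data. spf.yourdomain.invalid is the page's placeholder;
# the two sender domains and the A record addresses are made up here.
TXT = {
    "customer.invalid": "v=spf1 a:spf.yourdomain.invalid -all",
    "client.invalid": "v=spf1 include:spf.yourdomain.invalid -all",
    "spf.yourdomain.invalid": "v=spf1 ip4:1.2.3.4/32 -all",
}
A = {"spf.yourdomain.invalid": ["192.0.2.10", "192.0.2.11", "198.51.100.20"]}


def check_host(ip, domain, txt=TXT, a=A, lookups=None):
    """Simplified RFC 7208 check_host(): ip4, a, include and all only."""
    lookups = [0] if lookups is None else lookups
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return RESULT[qualifier]
        if name in ("a", "include"):
            lookups[0] += 1  # each of these terms costs a DNS query
            if lookups[0] > 10:  # RFC 7208 limit on DNS-querying terms
                return "permerror"
        target = arg or domain
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(addr == ipaddress.ip_address(x) for x in a.get(target, []))
        elif name == "include":
            matched = check_host(ip, target, txt, a, lookups) == "pass"
        else:
            matched = False  # mechanisms and modifiers outside this sketch
        if matched:
            return RESULT[qualifier]
    return "neutral"


# Rotating in a new cluster IP only changes the A records of the SPF hostname.
ROTATED = {"spf.yourdomain.invalid": A["spf.yourdomain.invalid"] + ["198.51.100.21"]}
if __name__ == "__main__":
    print(check_host("198.51.100.21", "customer.invalid", a=ROTATED))
```

With the a: form, the sender's record is matched against the A records of the SPF hostname, so the rotated address passes without any edit to customer.invalid; with the include: form, the match comes from the TXT record published at that hostname.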
Branded SPF record
If you want to use your own domain in your clients' SPF records, use the "include" option:
- Create a subdomain for the domain you wish to add to your clients' SPF: spf.yourdomain.invalid
- Create a TXT record (DNS record type 16) for spf.yourdomain.invalid with the following details:
v=spf1 include:spf.antispamcloud.com -all
- Add the following TXT record to your clients' domain DNS:
v=spf1 include:spf.yourdomain.invalid -all