Set up SPF

SPF (Sender Policy Framework) is used to restrict which mail servers are authorized to send email as an envelope from address for your domain name. This framework (RFC 7208) is designed to detect and block email spoofing by providing a mechanism to allow receiving mail exchangers to verify that incoming mail from a domain comes from an IP Address authorized by that domain's administrators.

The list of authorized sending hosts and IP addresses for a domain is published in the DNS records in the form of an SPF record (a specially formatted TEXT record).

Forwarding emails can sometimes break the SPF. In this case we recommend implementing an SRS component on the sending server (Sender Rewriting Scheme - http://www.open-spf.org/srs/).

Set up SPF for SpamExperts Hosted Cloud Users

Existing SPF record

If you have an existing SPF record, ensure the following is added between v=spf1 and -all:

include:spf.antispamcloud.com

New SPF record

If you do not have an SPF record, or you are only using SpamExperts to send outbound messages, you need to create a TXT record (DNS record type 16) with the following data:

v=spf1 include:spf.antispamcloud.com -all

The SPF record must contain each of these sections:

  • v=spf1 - this is the version of the SPF record
  • include:spf.antismapcloud.com - this allows use of the SpamExperts server SPF record
  • -all - this means to exclude everything else (cause a hard fail)

Example including your own IP address and domain:

v=spf1 ip4:1.2.3.4/32 include:spf.antispamcloud.com A:yourdomain.invalid -all

Replace the ip4 entry of 1.2.3.4/32 with your mail server IPv4 address and yourdomain.invalid with your domain.

Once the SPF record has been written, publish the TXT record to the authoritative DNS server for your domain. Instructions on how this can be done will differ from each domain provider. For assistance, please contact your domain provider.

Depending on your current SPF records Time to Live (TTL), this may take up to 24 hours or more to propagate.

If you have multiple sending addresses, the following external links may be used for additional formatting and guidance:

If you are using other sources for outgoing filtering, you need to make sure you modify the SPF record appropriately. The above is only suitable if all outgoing filtering is handled by SpamExperts.

Regional specific SPF records

These regional specific records are only to be used if you require a reduction to the scope of allowed IPs to a smaller geographic region.

We do not recommend using these regional records unless absolutely necessary.

If using regional SPF records, you must only add the region that was selected when adding the domain. Please contact support to change the region of your domain if required.

  • EU-only: spf-eu.antispamcloud.com
  • US-only: spf-us.antispamcloud.com
  • UK-only: spf-uk.antispamcloud.com
  • AU-only: spf-au.antispamcloud.com
  • CA-only: spf-ca.antispamcloud.com
  • ZA-only: spf-za.antispamcloud.com

Set up SPF for SpamExperts Local Cloud Users

SPF record Values

A TXT record should be created, listing all of the public IP addresses used for SMTP submission traffic. i.e if your cluster only sends outbound traffic using IP 1.2.3.4/32, a record such as this could be used:

spf.yourdomain.invalid = v=spf1 ip4:1.2.3.4/32 -all

Customers can then use the SPF record:

v=spf1 include:spf.yourdomain.invalid -all

We recommend you create a similar DNS hostname as is configured during Outbound Relay Setup, however for SPF we recommend to add all cluster IP's configured to send SMTP traffic to the hostname, as multiple A records so that if IPs are changed/rotated, no changes are needed to be made to senders SPF records.

Do not use your servers native hostnames for SPF records. Create a new sub-domain record for SPF usage.

spf.yourdomain.invalid > A > Primary sending IP of 1st server
spf.yourdomain.invalid > A > Secondary sending IP of 1st server (if configured)
spf.yourdomain.invalid > A > Primary sending IP of 2nd server
spf.yourdomain.invalid > A > Secondary sending IP of 2nd server (if configured)

If your sending domains already use SPF, then you need to add a:spf.yourdomain.invalid to their existing TXT record. If they do not have a SPF record, and you wish to configure this, (and restrict all email to the SpamExperts server), then you can create something like this: v=spf1 a:spf.hostname.invalid-all

Branded SPF record

If you want to use your own domain in your clients' SPF records, use the "include" option:

  1. Create a subdomain for the domain you wish to add to your clients SPF spf.yourdomain.invalid (spf.yourdomain.invalid)
  2. Create a TXT record (DNS record type 16) for spf.yourdomain.invalid (spf.yourdomain.invalid) with the following details:

    v=spf1 include:spf.antispamcloud.com -all

  3. Add the following TXT record to your clients' domain DNS:

    v=spf1 include:spf.yourdomain.invalid -all