Set up SPF

SPF (Sender Policy Framework) is used to restrict which mail servers are authorized to send email as an envelope from address for your domain name. This framework (RFC 7208) is designed to detect and block email spoofing by providing a mechanism to allow receiving mail exchangers to verify that incoming mail from a domain comes from an IP Address authorized by that domain's administrators.

The list of authorized sending hosts and IP addresses for a domain is published in the DNS records in the form of an SPF record (a specially formatted TEXT record).

Forwarding emails can sometimes break the SPF. In this case we recommend implementing an SRS component on the sending server (Sender Rewriting Scheme - http://www.open-spf.org/srs/).

Set up SPF for Spam Experts Local Cloud Users

SPF record Values

A TXT record should be created, listing all of the public IP addresses used for SMTP submission traffic. i.e if your cluster only sends outbound traffic using IP 1.2.3.4/32, a record such as this could be used:

spf.yourdomain.invalid = v=spf1 ip4:1.2.3.4/32 -all

Customers can then use the SPF record:

v=spf1 include:spf.yourdomain.invalid -all

We recommend you create a similar DNS hostname as is configured during Outbound Relay Setup, however for SPF we recommend to add all cluster IP's configured to send SMTP traffic to the hostname, as multiple A records so that if IPs are changed/rotated, no changes are needed to be made to senders SPF records.

Do not use your servers native hostnames for SPF records. Create a new sub-domain record for SPF usage.

spf.yourdomain.invalid > A > Primary sending IP of 1st server
spf.yourdomain.invalid > A > Secondary sending IP of 1st server (if configured)
spf.yourdomain.invalid > A > Primary sending IP of 2nd server
spf.yourdomain.invalid > A > Secondary sending IP of 2nd server (if configured)

If your sending domains already use SPF, then you simply need to add a:spf.yourdomain.invalid to their existing TXT record. If they do not have a SPF record, and you wish to configure this, (and restrict all email to the Spam Experts server), then you can create something like this: v=spf1 a:spf.hostname.invalid-all

Branded SPF record

If you want to use your own domain in your clients' SPF records, use the "include" option:

  1. Create a subdomain for the domain you wish to add to your clients SPF spf.yourdomain.invalid (spf.yourdomain.invalid)
  2. Create a TXT record (DNS record type 16) for spf.yourdomain.invalid (spf.yourdomain.invalid) with the following details:
  3. Add the following TXT record to your clients' domain DNS:

    v=spf1 include:spf.yourdomain.invalid -all