Sender Policy Framework / SPF: Difference between revisions
Latest revision as of 09:26, 20 March 2019
Sender Policy Framework (SPF) is a way to authenticate the sending domain of mail, a bit like DKIM / ADSP. DNS records are added to the domain's zone file in order to achieve this.
See the [http://www.openspf.org/SPF_Record_Syntax OpenSPF record syntax]; [https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability DigitalOcean has some examples].
An easy way to implement this is to add the following to your DNS zone:
<pre>
TXT "v=spf1 a mx -all"
</pre>
Best practice is to also publish it in this form in DNS:
<pre>
SPF "v=spf1 a mx -all"
</pre>
In order to publish to Google Groups, your domain needs something like:
<pre>
SPF "v=spf1 include:_spf.google.com a mx -all"
</pre>
(They then have to be identical.) Not being able to publish the SPF record is not a problem.
You always put the -all at the end of the record, as that is where the check stops processing: it tells the checker that no further conditions can match. You can replace -all with ~all, which tells the receiving system it is a soft fail, i.e. other IPs are possible but suspicious.
In this case you do have to make sure that the domain has a valid MX record and that the hostname named in the MX also has a valid A record :)
If you are sending mail from another provider (e.g. integrated with Google Apps) then you can include that like so:
<pre>
TXT "v=spf1 mx include:_spf.google.com include:other.provider.ext -all"
</pre>
To check your setup for Google, look [https://support.google.com/a/answer/33786 here] and use the [https://toolbox.googleapps.com/apps/checkmx/ MX check tool].
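The points above (processing stops at the first matching mechanism, which is why -all goes last; ~all yields a soft fail; an mx mechanism whose MX host has no A record can never match; an include only counts when the included record itself passes) can be seen by walking a record the way a receiving mail server does. The following is an added example written for this page, not code from the page's author or from any SPF library. It implements a small check_host() in the style of RFC 7208 over a constructed in-memory zone: the domains (example.test, _spf.provider.test, softfail.test, broken-mx.test) and addresses are made up, no real DNS is queried, and only the all, a, mx, ip4 and include mechanisms are handled. It consults TXT records only, because the dedicated SPF record type (99) was deprecated by RFC 7208.

```python
"""Minimal SPF (RFC 7208) check_host() over a constructed in-memory DNS zone.

Added example: all names, addresses and records below are made up (reserved
RFC 5737 ranges and .test names) and nothing here touches real DNS.  Supported
mechanisms: all, a, mx, ip4, include.  ptr, exists, ip6 and the redirect=/exp=
modifiers are not implemented.
"""
import ipaddress

# Constructed zone data keyed by (owner name, record type).  Only TXT records
# are consulted for SPF: the SPF RR type (99) was deprecated by RFC 7208.
MOCK_DNS = {
    ("example.test", "TXT"): ["v=spf1 a mx include:_spf.provider.test -all"],
    ("example.test", "A"): ["192.0.2.1"],
    ("example.test", "MX"): ["mail.example.test"],
    ("mail.example.test", "A"): ["192.0.2.10"],
    ("_spf.provider.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("softfail.test", "TXT"): ["v=spf1 a ~all"],
    ("softfail.test", "A"): ["192.0.2.50"],
    # The MX points at a host with no A record, so "mx" can never match.
    ("broken-mx.test", "TXT"): ["v=spf1 mx -all"],
    ("broken-mx.test", "MX"): ["mail.broken-mx.test"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # stands in for RFC 7208's limit of 10 DNS-querying terms


def lookup(name, rtype):
    """Return the constructed records for name/rtype (empty list if none)."""
    return MOCK_DNS.get((name.lower(), rtype), [])


def get_spf_record(domain):
    """Exactly one v=spf1 TXT record is valid; none -> 'none', several -> 'permerror'."""
    spf = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return None, "none"
    if len(spf) > 1:
        return None, "permerror"
    return spf[0], None


def parse_term(term):
    """Split '-ip4:198.51.100.0/24' into ('-', 'ip4', '198.51.100.0', '24')."""
    qualifier = "+"                      # no qualifier means "+" (pass)
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    name, _, cidr = term.partition("/")
    mech, _, arg = name.partition(":")
    return qualifier, mech.lower(), arg, cidr or "32"


def host_matches(ip, name, cidr):
    """True if any A record of name covers ip (within the optional /cidr)."""
    return any(ip in ipaddress.ip_network(f"{addr}/{cidr}", strict=False)
               for addr in lookup(name, "A"))


def check_host(ip, domain, _depth=0):
    """Evaluate domain's SPF record for the connecting ip.

    Returns (result, term): result is none/pass/fail/softfail/neutral/permerror
    and term is the mechanism that decided it (None if no record or no match).
    """
    ip = ipaddress.ip_address(ip)
    record, err = get_spf_record(domain)
    if record is None:
        return err, None
    for term in record.split()[1:]:
        if "=" in term:                  # modifier (redirect=, exp=): not handled here
            continue
        qualifier, mech, arg, cidr = parse_term(term)
        target = arg or domain           # "a" and "mx" default to the current domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(f"{arg}/{cidr}", strict=False)
        elif mech == "a":
            matched = host_matches(ip, target, cidr)
        elif mech == "mx":
            matched = any(host_matches(ip, mx, cidr) for mx in lookup(target, "MX"))
        elif mech == "include":
            if _depth >= MAX_INCLUDE_DEPTH:
                return "permerror", term
            inner, _ = check_host(str(ip), arg, _depth + 1)
            if inner in ("none", "permerror"):
                return "permerror", term  # RFC 7208 s5.2: included record must exist
            matched = inner == "pass"    # fail/softfail/neutral inside include: no match
        else:
            return "permerror", term     # unknown mechanism
        if matched:
            # Processing stops at the first match, which is why "-all" goes last.
            return QUALIFIER_RESULT[qualifier], term
    return "neutral", None               # record ran out without "all" (RFC 7208 s4.7)


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "example.test"), ("198.51.100.7", "example.test"),
                       ("203.0.113.5", "example.test"), ("203.0.113.5", "softfail.test"),
                       ("192.0.2.10", "broken-mx.test"), ("192.0.2.1", "nospf.test")]:
        print(ip, domain, "->", check_host(ip, domain))
```

Running it shows 192.0.2.10 passing example.test via mx, 198.51.100.7 passing via the include, 203.0.113.5 failing at -all on example.test but only soft-failing on softfail.test, and broken-mx.test rejecting even its own mail host because the MX name has no A record, which is the situation the "valid MX and A record" note above warns about.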