Sender Policy Framework / SPF: Difference between revisions
Line 9: | Line 9: | ||
An easy way to implement this is to add the following to your DNS record: | An easy way to implement this is to add the following to your DNS record: | ||
<pre> | <pre> | ||
TXT "v=spf1 mx -all" | TXT "v=spf1 mx a:edgarbv.com -all" | ||
</pre> | </pre> | ||
Best practice is to also publish it in this form in DNS | Best practice is to also publish it in this form in DNS | ||
<pre> | <pre> | ||
SPF "v=spf1 mx -all" | SPF "v=spf1 mx a:edgarbv.com -all" | ||
</pre> | </pre> | ||
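Review bot: The new a:edgarbv.com term, added to both the TXT and the SPF line, hard-codes one site's domain into what the sentence above it introduces as an easy record to add to "your DNS record". A reader who copies it authorises whatever hosts edgarbv.com's A record points at to send mail for their own domain. Suggest using a placeholder domain here, or adding a sentence that says what the a: mechanism authorises beyond mx and that the domain must be replaced.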
Revision as of 09:19, 20 March 2019
Sender Policy Framework (SPF) is a way to authenticate the sender domain of mail, a bit like DKIM / ADSP. DNS records are added to the zone file in order to achieve this.
An easy way to implement this is to add the following to your DNS record:
<pre>
TXT "v=spf1 mx a:edgarbv.com -all"
</pre>
Best practice is to also publish it in this form in DNS
<pre>
SPF "v=spf1 mx a:edgarbv.com -all"
</pre>
(they then have to be identical), but not being able to publish the SPF record is not a problem.
You always put the -all at the end of the record, as that's where the check stops processing and it tells the checker no more conditions will be met. You can replace the -all with ~all, which tells the system it's a soft fail, i.e. other IPs are possible, but suspicious.
You do have to make sure that the DNS zone has a valid MX record and that the hostname in the MX also has a valid A record in this case :)
If you are sending mail from another provider (e.g. integrated with Google Apps) then you can include that as such:
<pre>
TXT "v=spf1 mx include:_spf.google.com include:other.provider.ext -all"
</pre>
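To check a record before publishing it, the following offline linter (an added example, not part of the original wiki page) parses an SPF string, reports whether the closing all term is a hard fail, and flags terms placed after it. The function names and the two records marked as constructed are assumptions made for this example; it does no DNS lookups.

```python
import re

# Qualifier prefix -> result when the mechanism matches; a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query
TERM = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)([:/].*)?$")

def parse_spf(record):
    """Return [(result, mechanism, argument)] for an SPF TXT value, left to right."""
    tokens = record.strip().strip('"').split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        if re.match(r"^[A-Za-z][\w.-]*=", tok):  # modifier such as redirect=
            continue
        m = TERM.match(tok)
        if not m or m.group(2).lower() not in MECHANISMS:
            raise ValueError(f"unknown mechanism: {tok}")
        arg = m.group(3) or ""
        terms.append((QUALIFIERS[m.group(1) or "+"], m.group(2).lower(),
                      arg[1:] if arg.startswith(":") else arg))
    return terms

def lint_spf(record):
    """Return warnings about how the record ends and how many DNS queries it needs."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    warnings = []
    if "all" not in names:
        if "redirect=" not in record.lower():
            warnings.append("no 'all' term: unmatched senders get a neutral result")
    else:
        pos = names.index("all")
        if pos != len(names) - 1:
            warnings.append("terms after 'all' are never evaluated: "
                            + " ".join(names[pos + 1:]))
        if terms[pos][0] != "fail":
            warnings.append(f"'all' yields {terms[pos][0]}, not a hard fail")
    lookups = sum(name in DNS_MECHANISMS for name in names)
    if lookups > 10:  # RFC 7208 caps DNS-querying terms at 10 per evaluation
        warnings.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    return warnings

# The two records from this page, plus two constructed variants for comparison.
PAGE_RECORD = "v=spf1 mx a:edgarbv.com -all"
INCLUDE_RECORD = "v=spf1 mx include:_spf.google.com include:other.provider.ext -all"
SOFT_RECORD = "v=spf1 mx ~all"               # constructed
MISORDERED = "v=spf1 -all mx a:edgarbv.com"  # constructed
```

An empty list from `lint_spf` means the record ends in a hard-fail all term with nothing after it; whether the MX and A records it refers to actually resolve still has to be checked against DNS.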