SPF records
SPF (Sender Policy Framework) records are DNS records that help validate email senders. They are supposed to cut down spam by identifying spoofed From and Reply-To headers. With SPF, when you receive a mail from someone@example.com, you can check whether the sender's mail server is allowed to send mail for the example.com domain or not. This SPF check is completely optional on the receiving mail server. Some large mail providers (Gmail) have implemented SPF and will (sometimes) reject the message when SPF is not configured for the domain. For example, Google can reject mail with the reply:
Recipient address rejected: Spf check: fail
I run my own mail server on a VPS and got hit with this problem. Adding an SPF record is not hard. The hard part is figuring out the right configuration. The syntax is described here. I have chosen the following configuration:
v=spf1 a -all
This means:
a - everything in A or AAAA records (these are IP addresses) can send mail.
-all - everything else can't send mail.
I have added it as a TXT record because my zone provider (Linode) does not support adding SPF records directly. Using a TXT record works. You can check out my record on infdot.com by using the dig utility (Linux and OS X):
$ dig infdot.com txt
; <<>> DiG 9.9.3-P2 <<>> infdot.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22621
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;infdot.com. IN TXT
;; ANSWER SECTION:
infdot.com. 21596 IN TXT "v=spf1 a -all"
;; Query time: 53 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Feb 28 10:02:49 EET 2014
;; MSG SIZE rcvd: 65
This configuration works for me because all my outgoing mail comes from a single machine. This configuration will NOT work for mail redirection (unless the actual sending machine is listed in the A records). It also does NOT work when you send mail from your personal machine using a desktop mail client like Thunderbird or KMail (same condition). For redirecting and desktop clients you need SRS (Sender Rewriting Scheme) support on your mail server.
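To make the mechanism/qualifier logic concrete, here is a small SPF evaluator added as an example (not code from this post or any SPF library). It generalises beyond the record above to the a, mx, ip4, ip6 and all mechanisms with the +, -, ~ and ? qualifiers; DNS is replaced by a constructed in-memory table (FAKE_DNS, hypothetical addresses) so it runs offline, and include, redirect and CIDR suffixes on a/mx are left out.

```python
import ipaddress

# Constructed offline DNS view for this example: name -> A/AAAA addresses and
# name -> MX hostnames. A real implementation would query DNS instead.
FAKE_DNS = {
    "A": {"infdot.com": ["203.0.113.10"], "mail.infdot.com": ["203.0.113.20"]},
    "MX": {"infdot.com": ["mail.infdot.com"]},
}

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rrtype, name):
    """Return the records of the given type for name from the constructed table."""
    return FAKE_DNS.get(rrtype, {}).get(name.lower(), [])


def ip_matches(ip, network):
    """True if the sender IP lies inside network (a host address or CIDR block).
    Comparing an IPv4 address against an IPv6 network simply yields False."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_spf(record, sender_ip, domain):
    """Evaluate an SPF record for sender_ip sending on behalf of domain.
    Mechanisms are tested left to right; the first match decides the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF policy
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_matches(sender_ip, arg)
        elif mech == "a":  # any A/AAAA address of the domain (or of arg)
            matched = any(ip_matches(sender_ip, a) for a in lookup("A", arg or domain))
        elif mech == "mx":  # any address of any MX host of the domain
            hosts = lookup("MX", arg or domain)
            matched = any(ip_matches(sender_ip, a) for h in hosts for a in lookup("A", h))
        else:
            return "permerror"  # mechanism or modifier this toy does not implement
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term: default result
```

With the record from this post, mail from the host's A address passes and mail from any other address fails; a record without a trailing all term yields neutral, which is why -all matters.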
You can test your mail server/provider by sending a mail to spf-test@openspf.net (described here). Currently it seems to be down.