Questions tagged [spf]
Sender Policy Framework is a standard by which the owner of a domain uses a specially formed DNS record to advertise which hosts are authorized to send email for the domain.
898
questions
256
votes
3
answers
436k
views
How to include multiple domains in an spf TXT Record
I am looking to setup a TXT spf record that has 2 included domains... individually:
v=spf1 include:_spf.google.com ~all
and
v=spf1 include:otherdomain.com ~all
What is the proper way of combining ...
111
votes
6
answers
67k
views
Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?
This is a Canonical Question about Fighting Spam.
Also related:
How to stop people from using my domain to send spam?
What are SPF records, and how do I configure them?
There are so ...
91
votes
3
answers
112k
views
Multiple TXT fields for same subdomain
I would like to understand if multiple TXT records for the same subdomain are ok or could lead to issues. In particular, we have the requirement for one SPF record and one Google Domain Verification ...
83
votes
6
answers
119k
views
Do SPF Records For Primary Domain apply to subdomains?
I have a quick question regarding SPF records: Do they need to be present for all subdomains?
Lets say that I have a TXT record with SPF info for domain.com
Let's also say that I have a seperate ...
63
votes
4
answers
178k
views
How to specify multiple included domains in SPF record?
Our business email is hosted on Google apps. In addition, our web server may also send email. Currently our SPF record in DNS looks like this:
domain.com. IN TXT "v=spf1 a include:_spf....
60
votes
2
answers
25k
views
What are SPF records, and how do I configure them?
This is a canonical question about setting up SPF records.
I have an office with many computers that share a single external ip (I'm unsure if the address is static or dynamic). Each computer ...
44
votes
7
answers
3k
views
Is it becoming impossible to be a small mail provider?
I operate a small mail server for my private emails, some friends who have websites and two NGOs. In total my server sends between 60 and 400 messages a day. Now a lot of these emails are personal ...
40
votes
6
answers
6k
views
Are SPF records legacy?
I am responsible for a domain which has an SPF record as recommended by various other services that send mail on this domain's behalf.
When setting up Mailchimp, I was surprised to find no ...
38
votes
4
answers
29k
views
Is using SOFTFAIL over FAIL in the SPF record considered best practice?
Or put another way, is using v=spf1 a mx ~all recommended over using v=spf1 a mx -all? The RFC does not appear to make any recommendations. My preference has always been to use FAIL, which causes ...
35
votes
3
answers
39k
views
Remove "via" from emails sent to Gmail from Amazon SES
When sending emails from Amazon SES, gmail shows "sent via amazonses.com". How do I remove this?
According to Google,
I'm a sender and I don't want my recipients to see the "via" link. What can I ...
29
votes
2
answers
28k
views
Is the 10-DNS-lookup limit in the SPF spec typically enforced?
My understanding is that the SPF spec specifies an email receiver shouldn't have to do more than 10 DNS lookups in order to gather all the allowed IPs for a sender. So if an SPF record has include:foo....
28
votes
4
answers
15k
views
Best Practices for preventing you from looking like a spammer [duplicate]
I'd like to feel more confident setting up mail for my clients with regards to false positives. Here's what I know:
SPF records are good, but not every spam filter service/software (SFSS) uses them.
...
26
votes
3
answers
20k
views
SPF vs. DKIM - The exact use cases and differences
I'm sorry for the vague title. I don't fully understand why SPF and DKIM should be used together.
First: SPF can pass where it should fail if the sender or DNS is "spoofed" and it can fail where it ...
26
votes
1
answer
38k
views
Multiple SPF records for multiple domains
We have recently started using Office 365 for our email, which requires us to add a DNS TXT record with the value v=spf1 include:spf.protection.outlook.com -all. We already have an SPF record with the ...
25
votes
5
answers
8k
views
Does DKIM alone not solve the spam issue? Why do I need SPF?
FINAL EDIT : I was completely wrong about DKIM it seems, the signing domain does not have to be the same as the sender domain, thus the whole premise for my question is flawed. A lot of thanks to Paul ...
23
votes
3
answers
12k
views
Is there a way to align SPF for Google Apps alias domain?
I use Google Apps for Work. Let's say I have:
primarydomain.com
And another alias domain:
aliasdomain.com
As long as I send emails from primary domain both SPF and DKIM result perfectly aligned.
...
21
votes
3
answers
24k
views
Will adding a second SPF record mess up my DNS?
Will adding a second SPF record mess up my DNS, or will it be like adding an extra nameserver?
(i.e. it only helps, not hurts)
19
votes
1
answer
29k
views
Can SPF records contain domain name wildcards?
Part of my SPF record contains:
include:google.com
I'm still getting soft fail because the actual e-mail is delivered by the following
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google....
19
votes
3
answers
21k
views
SPF include vs redirect
What is the difference?
19
votes
2
answers
30k
views
Is it OK to have multiple TXT records for a single domain containing different SPF entries?
A remote recipient domain is rejecting mail on the grounds of SPF and I think it's because the sender has SPF configured incorrectly.
When I run dig, I see:
[fooadm@box ~]# dig @8.8.8.8 -t TXT ...
19
votes
2
answers
12k
views
SPF Record with or without plus
Is there any difference between
v=spf1 +a +mx -all
and
v=spf1 a mx -all
I am unsure if they do the same thing or somthing different. Clarification would be great. Thank you
18
votes
3
answers
29k
views
Do changes in SPF records take time to propagate?
I'm setting up SPF records for my domain, and am not getting the results that I expect. It's quite possible I'm making some sort of mistake, but first I'd like to ask: does it take time for the ...
18
votes
1
answer
9k
views
How can I have an SPF record longer than 255 characters?
So, I have been under the impression that individual SPF entries had to fit in 255 chars, or use the include operator to link together multiple entries forming a chain. However, RFC 4408 3.1.3. ...
17
votes
2
answers
3k
views
DNS MX/SPF/DMARC records without actuall emails on domain
I created website for someone, but also someone (I guess some SEO guy) told this person that I made big mistake because there are missing DNS records on domain (mx, SPF, dmarc). Now I need to "...
17
votes
2
answers
19k
views
SPF fail vs. soft-fail pros and cons
Question
What are the advantages and disadvantages of using Fail vs. a SoftFail in my SPF record?
What I found on the topic
Back in 2007, knowledgeable-seeming folks seem to have said SoftFail was ...
17
votes
3
answers
8k
views
SPF/DKIM/DMARC for Gmail "Send mail as" via smtp.gmail.com on external domain
Since "Google Apps" / "Google Apps for business" / "G-Suite" / "Google Workspaces" free tier is being discontinued, I need a solution to migrate my ~30 extended ...
16
votes
4
answers
9k
views
Workarounds for maximum DNS-Interactive terms limit exceeded in SPF record?
As a hosting provider, we send email on behalf of our clients, so we help them set up DKIM and SPF email records in their DNS to get email deliverability just right. We've been advising them to use ...
16
votes
1
answer
23k
views
PermError SPF Permanent Error: Void lookup limit of 2 exceeded
I am trying to setup SPF on a server - mail works fine and validates according to mxtoolbox and other online checks but when I check it using http://www.kitterman.com/spf/validate.html I get an error:
...
15
votes
2
answers
19k
views
What does dis=NONE mean in an email's Authentication-Results header?
The following is from an email I received recently:
Authentication-Results: mx.google.com;
spf=neutral;
dkim=pass [email protected];
dmarc=pass (p=REJECT dis=NONE) header.from=...
15
votes
3
answers
7k
views
DMARC Alignment: Enforce messages pass BOTH SPF and DKIM
Is there a way to enforce DMARC to fail/reject mail that doesn't pass BOTH DKIM and SPF?
We have been narrowing the number that are failing, but there are some domains in our aggregate (rua) report ...
15
votes
1
answer
7k
views
Change Envelope From to match From header in Postfix
I am using Postfix as a gateway for my domain and need it to change or rewrite the Envelope From address to match the From header. For example, the From: header is "[email protected]" and the Envelope ...
14
votes
2
answers
57k
views
What does this mean: v=spf1 include:_spf.google.com ~all?
In addition to my previous question, what does this DNS entry mean:
v=spf1 include:_spf.google.com ~all ?
14
votes
1
answer
43k
views
How to resolve problems with spf / softfail?
I'm having problems with Google rejecting mail because of SPF problems. I thought I had this fixed, but evidently not...
The mail is being sent from a Drupal site running mimemail. A message that ...
14
votes
1
answer
14k
views
What is the difference between -all and ~all in a DNS SPF record? [duplicate]
I've found that our current DNS SPF record uses the ~all keyword, but in most examples I've seen -all used.
What's the difference between the two?
13
votes
7
answers
20k
views
Are SPF needed for domains that do not send mails and do not have MX record?
I have some domains registered that do not send mails.
I have totally removed MX record for these domains on my DNS.
Is it still useful to set an SPF record in order to avoid spammer to send mails ...
13
votes
4
answers
11k
views
set Google Apps SPF record in Amazon AWS Route 53
I'm using the new AWS GUI for Route 53 to setup my domain records. However, the AWS console won't accept the recommended Google Apps SPF record, v=spf1 include:_spf.google.com ~all (found here).
It ...
13
votes
3
answers
8k
views
How to setup a SPF record to help fight SPAM
My little developer mind never really managed to understand how to do it, so maybe you can help me.
I'm using Google Apps for Domains and MyDomain as DNS external service.
Edit: Tough crowd, in ...
13
votes
2
answers
2k
views
How is this email subverting SPF checks?
I run a mail server which appears to correctly handle emails with SPF set - however I've started receiving fake emails purporting to be from a bank - with the From address set as the bank - but which ...
13
votes
2
answers
16k
views
How does DKIM work when sending emails from multiple sources/servers?
So if I'm understanding DKIM correctly, it basically is a public/private key type of service. However, how does this work if you send emails from multiple servers/sources? For instance, I have a ...
12
votes
1
answer
7k
views
Why don't my domain's messages to a google group get their headers rewritten so DMARC can pass?
Whenever my domain sends a message to a google group on another domain the DMARC alignment fails. This is true for all my approved senders, even using Gmail in my domain. It seems to be because the ...
12
votes
4
answers
8k
views
Why is my opendmarc failing pretty much everything that comes through?
I have this domain for which I set up SPF, DKIM, and DMARC stuff. Let's pretend the domain is example.com which has the following entries in its DNS zone:
example.com. 600 IN MX ...
12
votes
2
answers
6k
views
Office365 SPF record has too many lookups
For some utterly ridiculous administrative reasons we've got a split domain with one mailbox on Office365 which requires us to add include:outlook.com to our SPF record. The problem with this is that ...
11
votes
4
answers
21k
views
SPF record -- why do we use `+a` alongside `+mx`?
Why do administrators mostly use +a alongside +mx in SPF records?
This is the example:
@ 10800 IN TXT "v=spf1 +a +mx -all"
Isn't it enough to only use +mx parameter e.g.:
@ ...
11
votes
3
answers
9k
views
What's the proper format for an SPF record?
Querying my domain I get:
The TXT records found for your domain are:
v=spf1 ip4:50.22.72.198 a mx:wordswithfriends.net ~all
So superficially it appears OK. However I also get the following message
...
11
votes
4
answers
7k
views
record DKIM on IONOS makes sense?
If I am sending mail through SMTP, I understand that it is IONOS who signs those emails, right?
I would like to add the DKIM header to my emails. I know that it is necessary to publish a CNAME record ...
11
votes
2
answers
47k
views
How do I prevent the SPF_HELO_NONE warning when sending from Postfix?
When using a tool like https://dkimvalidator.com/ to verify configuration of DKIM, SPF, DMARC, etc. for sending mail from a web server, I get a warning like this:
0.0 SPF_HELO_NONE SPF: HELO does not ...
11
votes
3
answers
5k
views
Failed SPF for email imported to Gmail because of client IP instead of server's in message when sent through SMTP from one local box to another
We have a linux (Debian) VPS with domain (let's say example.com with MX mail.example.com) that has SPF set up. There is dovecot+exim running. There is also Direct Admin on top of that.
When I send a ...
11
votes
1
answer
36k
views
SPF softfail domain does not designate IP as permitted sender
I use both mailgun and a namecheap mail server (where I also have my domain) and when I receive mails in my gmail account, mailgun is recognized as a permitted sender, but that's not the case of ...
11
votes
2
answers
22k
views
DMARC failed, but SPF pass
If i sent a mail from my website (on a private server) to [email protected], i have this report :
<record>
<row>
<source_ip>x.x.x.x</source_ip>
<count>1&...
11
votes
4
answers
9k
views
Gmail SPF fail based on client IP
Gmail is failing SPF check based on the client IP. These are the relevant headers:
Received-SPF: fail (google.com: domain of [email protected] does not designate 164.77.240.58 as permitted sender) ...