Skip to main content

Questions tagged [spf]

Sender Policy Framework is a standard by which the owner of a domain uses a specially formed DNS record to advertise which hosts are authorized to send email for the domain.

Filter by
Sorted by
Tagged with
256 votes
3 answers
436k views

How to include multiple domains in an spf TXT Record

I am looking to setup a TXT spf record that has 2 included domains... individually: v=spf1 include:_spf.google.com ~all and v=spf1 include:otherdomain.com ~all What is the proper way of combining ...
tgriesser's user avatar
  • 2,952
111 votes
6 answers
67k views

Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?

This is a Canonical Question about Fighting Spam. Also related: How to stop people from using my domain to send spam? What are SPF records, and how do I configure them? There are so ...
Chris S's user avatar
  • 78.2k
91 votes
3 answers
112k views

Multiple TXT fields for same subdomain

I would like to understand if multiple TXT records for the same subdomain are ok or could lead to issues. In particular, we have the requirement for one SPF record and one Google Domain Verification ...
chrisvdb's user avatar
  • 1,329
83 votes
6 answers
119k views

Do SPF Records For Primary Domain apply to subdomains?

I have a quick question regarding SPF records: Do they need to be present for all subdomains? Lets say that I have a TXT record with SPF info for domain.com Let's also say that I have a seperate ...
Mike B's user avatar
  • 12.1k
63 votes
4 answers
178k views

How to specify multiple included domains in SPF record?

Our business email is hosted on Google apps. In addition, our web server may also send email. Currently our SPF record in DNS looks like this: domain.com. IN TXT "v=spf1 a include:_spf....
Aleks G's user avatar
  • 1,026
60 votes
2 answers
25k views

What are SPF records, and how do I configure them?

This is a canonical question about setting up SPF records. I have an office with many computers that share a single external ip (I'm unsure if the address is static or dynamic). Each computer ...
vulgarbulgar's user avatar
44 votes
7 answers
3k views

Is it becoming impossible to be a small mail provider?

I operate a small mail server for my private emails, some friends who have websites and two NGOs. In total my server sends between 60 and 400 messages a day. Now a lot of these emails are personal ...
Stefan Seidel's user avatar
40 votes
6 answers
6k views

Are SPF records legacy?

I am responsible for a domain which has an SPF record as recommended by various other services that send mail on this domain's behalf. When setting up Mailchimp, I was surprised to find no ...
RomanSt's user avatar
  • 1,217
38 votes
4 answers
29k views

Is using SOFTFAIL over FAIL in the SPF record considered best practice?

Or put another way, is using v=spf1 a mx ~all recommended over using v=spf1 a mx -all? The RFC does not appear to make any recommendations. My preference has always been to use FAIL, which causes ...
Michael Kropat's user avatar
35 votes
3 answers
39k views

Remove "via" from emails sent to Gmail from Amazon SES

When sending emails from Amazon SES, gmail shows "sent via amazonses.com". How do I remove this? According to Google, I'm a sender and I don't want my recipients to see the "via" link. What can I ...
csi's user avatar
  • 1,605
29 votes
2 answers
28k views

Is the 10-DNS-lookup limit in the SPF spec typically enforced?

My understanding is that the SPF spec specifies an email receiver shouldn't have to do more than 10 DNS lookups in order to gather all the allowed IPs for a sender. So if an SPF record has include:foo....
John Bachir's user avatar
  • 2,374
28 votes
4 answers
15k views

Best Practices for preventing you from looking like a spammer [duplicate]

I'd like to feel more confident setting up mail for my clients with regards to false positives. Here's what I know: SPF records are good, but not every spam filter service/software (SFSS) uses them. ...
gravyface's user avatar
  • 14k
26 votes
3 answers
20k views

SPF vs. DKIM - The exact use cases and differences

I'm sorry for the vague title. I don't fully understand why SPF and DKIM should be used together. First: SPF can pass where it should fail if the sender or DNS is "spoofed" and it can fail where it ...
deleted user 42's user avatar
26 votes
1 answer
38k views

Multiple SPF records for multiple domains

We have recently started using Office 365 for our email, which requires us to add a DNS TXT record with the value v=spf1 include:spf.protection.outlook.com -all. We already have an SPF record with the ...
Swisher Sweet's user avatar
25 votes
5 answers
8k views

Does DKIM alone not solve the spam issue? Why do I need SPF?

FINAL EDIT : I was completely wrong about DKIM it seems, the signing domain does not have to be the same as the sender domain, thus the whole premise for my question is flawed. A lot of thanks to Paul ...
cornergraf's user avatar
23 votes
3 answers
12k views

Is there a way to align SPF for Google Apps alias domain?

I use Google Apps for Work. Let's say I have: primarydomain.com And another alias domain: aliasdomain.com As long as I send emails from primary domain both SPF and DKIM result perfectly aligned. ...
Bubba Yakoza's user avatar
21 votes
3 answers
24k views

Will adding a second SPF record mess up my DNS?

Will adding a second SPF record mess up my DNS, or will it be like adding an extra nameserver? (i.e. it only helps, not hurts)
Abraham Vegh's user avatar
  • 1,045
19 votes
1 answer
29k views

Can SPF records contain domain name wildcards?

Part of my SPF record contains: include:google.com I'm still getting soft fail because the actual e-mail is delivered by the following Received: from mail-yx0-f172.google.com (mail-yx0-f172.google....
deltanovember's user avatar
19 votes
3 answers
21k views

SPF include vs redirect

What is the difference?
700 Software's user avatar
  • 2,283
19 votes
2 answers
30k views

Is it OK to have multiple TXT records for a single domain containing different SPF entries?

A remote recipient domain is rejecting mail on the grounds of SPF and I think it's because the sender has SPF configured incorrectly. When I run dig, I see: [fooadm@box ~]# dig @8.8.8.8 -t TXT ...
Mike B's user avatar
  • 12.1k
19 votes
2 answers
12k views

SPF Record with or without plus

Is there any difference between v=spf1 +a +mx -all and v=spf1 a mx -all I am unsure if they do the same thing or somthing different. Clarification would be great. Thank you
dgibbs's user avatar
  • 661
18 votes
3 answers
29k views

Do changes in SPF records take time to propagate?

I'm setting up SPF records for my domain, and am not getting the results that I expect. It's quite possible I'm making some sort of mistake, but first I'd like to ask: does it take time for the ...
Daniel Griscom's user avatar
18 votes
1 answer
9k views

How can I have an SPF record longer than 255 characters?

So, I have been under the impression that individual SPF entries had to fit in 255 chars, or use the include operator to link together multiple entries forming a chain. However, RFC 4408 3.1.3. ...
gnkdl_gansklgna's user avatar
17 votes
2 answers
3k views

DNS MX/SPF/DMARC records without actuall emails on domain

I created website for someone, but also someone (I guess some SEO guy) told this person that I made big mistake because there are missing DNS records on domain (mx, SPF, dmarc). Now I need to "...
norr's user avatar
  • 273
17 votes
2 answers
19k views

SPF fail vs. soft-fail pros and cons

Question What are the advantages and disadvantages of using Fail vs. a SoftFail in my SPF record? What I found on the topic Back in 2007, knowledgeable-seeming folks seem to have said SoftFail was ...
sondra.kinsey's user avatar
17 votes
3 answers
8k views

SPF/DKIM/DMARC for Gmail "Send mail as" via smtp.gmail.com on external domain

Since "Google Apps" / "Google Apps for business" / "G-Suite" / "Google Workspaces" free tier is being discontinued, I need a solution to migrate my ~30 extended ...
Ozzah's user avatar
  • 279
16 votes
4 answers
9k views

Workarounds for maximum DNS-Interactive terms limit exceeded in SPF record?

As a hosting provider, we send email on behalf of our clients, so we help them set up DKIM and SPF email records in their DNS to get email deliverability just right. We've been advising them to use ...
Jeff Atwood's user avatar
  • 13.2k
16 votes
1 answer
23k views

PermError SPF Permanent Error: Void lookup limit of 2 exceeded

I am trying to setup SPF on a server - mail works fine and validates according to mxtoolbox and other online checks but when I check it using http://www.kitterman.com/spf/validate.html I get an error: ...
bhttoan's user avatar
  • 650
15 votes
2 answers
19k views

What does dis=NONE mean in an email's Authentication-Results header?

The following is from an email I received recently: Authentication-Results: mx.google.com; spf=neutral; dkim=pass [email protected]; dmarc=pass (p=REJECT dis=NONE) header.from=...
Alex Henrie's user avatar
15 votes
3 answers
7k views

DMARC Alignment: Enforce messages pass BOTH SPF and DKIM

Is there a way to enforce DMARC to fail/reject mail that doesn't pass BOTH DKIM and SPF? We have been narrowing the number that are failing, but there are some domains in our aggregate (rua) report ...
Noah Hall-Potvin's user avatar
15 votes
1 answer
7k views

Change Envelope From to match From header in Postfix

I am using Postfix as a gateway for my domain and need it to change or rewrite the Envelope From address to match the From header. For example, the From: header is "[email protected]" and the Envelope ...
lid's user avatar
  • 285
14 votes
2 answers
57k views

What does this mean: v=spf1 include:_spf.google.com ~all?

In addition to my previous question, what does this DNS entry mean: v=spf1 include:_spf.google.com ~all ?
poseid's user avatar
  • 569
14 votes
1 answer
43k views

How to resolve problems with spf / softfail?

I'm having problems with Google rejecting mail because of SPF problems. I thought I had this fixed, but evidently not... The mail is being sent from a Drupal site running mimemail. A message that ...
Jim Miller's user avatar
14 votes
1 answer
14k views

What is the difference between -all and ~all in a DNS SPF record? [duplicate]

I've found that our current DNS SPF record uses the ~all keyword, but in most examples I've seen -all used. What's the difference between the two?
STW's user avatar
  • 1,049
13 votes
7 answers
20k views

Are SPF needed for domains that do not send mails and do not have MX record?

I have some domains registered that do not send mails. I have totally removed MX record for these domains on my DNS. Is it still useful to set an SPF record in order to avoid spammer to send mails ...
Marco Demaio's user avatar
13 votes
4 answers
11k views

set Google Apps SPF record in Amazon AWS Route 53

I'm using the new AWS GUI for Route 53 to setup my domain records. However, the AWS console won't accept the recommended Google Apps SPF record, v=spf1 include:_spf.google.com ~all (found here). It ...
user101289's user avatar
13 votes
3 answers
8k views

How to setup a SPF record to help fight SPAM

My little developer mind never really managed to understand how to do it, so maybe you can help me. I'm using Google Apps for Domains and MyDomain as DNS external service. Edit: Tough crowd, in ...
Eduardo Molteni's user avatar
13 votes
2 answers
2k views

How is this email subverting SPF checks?

I run a mail server which appears to correctly handle emails with SPF set - however I've started receiving fake emails purporting to be from a bank - with the From address set as the bank - but which ...
davidgo's user avatar
  • 6,322
13 votes
2 answers
16k views

How does DKIM work when sending emails from multiple sources/servers?

So if I'm understanding DKIM correctly, it basically is a public/private key type of service. However, how does this work if you send emails from multiple servers/sources? For instance, I have a ...
Marc NJ's user avatar
  • 141
12 votes
1 answer
7k views

Why don't my domain's messages to a google group get their headers rewritten so DMARC can pass?

Whenever my domain sends a message to a google group on another domain the DMARC alignment fails. This is true for all my approved senders, even using Gmail in my domain. It seems to be because the ...
lordbyron's user avatar
  • 371
12 votes
4 answers
8k views

Why is my opendmarc failing pretty much everything that comes through?

I have this domain for which I set up SPF, DKIM, and DMARC stuff. Let's pretend the domain is example.com which has the following entries in its DNS zone: example.com. 600 IN MX ...
Morpheu5's user avatar
  • 279
12 votes
2 answers
6k views

Office365 SPF record has too many lookups

For some utterly ridiculous administrative reasons we've got a split domain with one mailbox on Office365 which requires us to add include:outlook.com to our SPF record. The problem with this is that ...
Sammitch's user avatar
  • 2,161
11 votes
4 answers
21k views

SPF record -- why do we use `+a` alongside `+mx`?

Why do administrators mostly use +a alongside +mx in SPF records? This is the example: @ 10800 IN TXT "v=spf1 +a +mx -all" Isn't it enough to only use +mx parameter e.g.: @ ...
71GA's user avatar
  • 403
11 votes
3 answers
9k views

What's the proper format for an SPF record?

Querying my domain I get: The TXT records found for your domain are: v=spf1 ip4:50.22.72.198 a mx:wordswithfriends.net ~all So superficially it appears OK. However I also get the following message ...
deltanovember's user avatar
11 votes
4 answers
7k views

record DKIM on IONOS makes sense?

If I am sending mail through SMTP, I understand that it is IONOS who signs those emails, right? I would like to add the DKIM header to my emails. I know that it is necessary to publish a CNAME record ...
Diego's user avatar
  • 113
11 votes
2 answers
47k views

How do I prevent the SPF_HELO_NONE warning when sending from Postfix?

When using a tool like https://dkimvalidator.com/ to verify configuration of DKIM, SPF, DMARC, etc. for sending mail from a web server, I get a warning like this: 0.0 SPF_HELO_NONE SPF: HELO does not ...
Walf's user avatar
  • 438
11 votes
3 answers
5k views

Failed SPF for email imported to Gmail because of client IP instead of server's in message when sent through SMTP from one local box to another

We have a linux (Debian) VPS with domain (let's say example.com with MX mail.example.com) that has SPF set up. There is dovecot+exim running. There is also Direct Admin on top of that. When I send a ...
Zbyszek's user avatar
  • 175
11 votes
1 answer
36k views

SPF softfail domain does not designate IP as permitted sender

I use both mailgun and a namecheap mail server (where I also have my domain) and when I receive mails in my gmail account, mailgun is recognized as a permitted sender, but that's not the case of ...
muilpp's user avatar
  • 349
11 votes
2 answers
22k views

DMARC failed, but SPF pass

If i sent a mail from my website (on a private server) to [email protected], i have this report : <record> <row> <source_ip>x.x.x.x</source_ip> <count>1&...
griotteau's user avatar
  • 271
11 votes
4 answers
9k views

Gmail SPF fail based on client IP

Gmail is failing SPF check based on the client IP. These are the relevant headers: Received-SPF: fail (google.com: domain of [email protected] does not designate 164.77.240.58 as permitted sender) ...
Max Toro's user avatar
  • 211

1
2 3 4 5
18