SPF Records FAQ

The purpose of this post is to list some common questions we get asked about SPF and to help answer them before a call or email to support is made. While there are hundreds of scenarios, this post should cover the most common. This FAQ cannot cover all situations and will not substitute for research on the part of the end user. All links that were used for information will be included at the bottom.

1. What is SPF and what does it stand for?
SPF stands for Sender Policy Framework. It combats spoofing of the return-path (envelope sender) address and makes forged (spoofed) emails easier to spot.

2. Why do we need to implement it?
As I am sure most of you are aware, we keep getting servers listed as spam servers because people either A) do not use SMTP Auth (no longer a problem), B) forward mail from their Newtek hosted accounts to ISP accounts, e.g. AOL, and then mark those messages as spam at AOL, or C) have their mail spoofed by a virus or by spammers. SPF completes our spam package, which consists of SMTP Authentication, SPF verification and spam filtering. It also helps us work with blacklists and major ISPs when we do get listed, because we can show them we are doing everything short of not allowing mail to be sent from our networks.

3. I am using the default settings, do I need to add an SPF record?
You do not need to do anything. When we implement SPF, we will add the default record for you.

4. I have extra domains, do I need to implement SPF on them? Even if they do not send mail?
SPF needs to be implemented on every domain that uses DNS at Newtek, even if it does not send mail.

5. How will SPF be implemented?
We have written an automated tool that changes the DNS records for all domains using Newtek DNS servers. The script checks whether you have an MX record and then whether you already have an SPF record. If you do not have an SPF record, it creates one for you based on whether you have an MX record or not.

6. What is the Default SPF record and what will it allow me to send mail from?
We have two default SPF strings, one for domains that send mail and one for domains that send no mail at all.
The default SPF string for domains that have and use mail looks like so:

v=spf1 a mx/24 ip4:{0} ?all - replace {0} with the IP address of your web server.

This allows you to send mail from any listed "A" host record, from your MX record and any server in the same class C IP range (this should only be used if you control the whole class C range, as Newtek does), and from your web server. Mail sent from any server not covered will be treated as a soft failure and marked in such a way as to make it known that it did not come from your listed servers.

The default "no mail" SPF string looks like so:

v=spf1 -all

This signifies that your domain does not send any mail at all and that any mail received should be treated as invalid.

7. I use my own mail servers for my domains, what should my record be?
Our default record will allow you to send mail from your mail server as long as it is listed as an MX record and/or an "A" record. However, we suggest changing the default string from:

v=spf1 a mx/24 ip4:{0} ?all - replace {0} with the IP address of your web server.

to:

v=spf1 a mx ip4:{0} ?all - replace {0} with the IP address of your web server.

This locks the SPF record down to only the hosts listed in your "A" and MX records. It will not allow any other server in your MX record's class C IP range to send mail on your behalf.
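To see how the two strings in questions 6 and 7 differ in practice, here is a small SPF evaluator. It is an added illustration for this FAQ, not Newtek's own SPF tool. It resolves the a, mx, mx/24, ip4 and all mechanisms against a constructed in-memory zone for the hypothetical domain example.com (web server 203.0.113.10 standing in for {0}, MX host mail.example.com at 198.51.100.25), and maps the ?all qualifier to the "neutral" result described in question 10. A real checker would query DNS instead of the embedded zone.

```python
"""Minimal SPF evaluator for the record shapes used in this FAQ.

Added example, not Newtek's tool. DNS is replaced by a constructed
in-memory zone so the script runs offline; a real checker would use a
resolver. Mechanisms handled: a, mx (with optional /cidr), ip4 (with
optional /cidr) and all, with the qualifiers + - ~ ?.
"""
import ipaddress

# Constructed zone for the hypothetical domain example.com.
ZONE = {
    "example.com": {
        "A": ["203.0.113.10"],          # web server: the {0} in the FAQ strings
        "MX": ["mail.example.com"],     # hostname the MX record points at
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
}

# Result returned when a mechanism carrying this qualifier matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get(name.lower(), {}).get(rtype, [])


def in_net(ip, addr, prefix):
    """True if ip falls inside addr/prefix (prefix 32 means the single host)."""
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return ipaddress.ip_address(ip) in net


def parse_term(term):
    """Split one SPF term into (qualifier, mechanism, value, prefix length)."""
    qual = "+"                      # no explicit qualifier means '+'
    if term[0] in QUALIFIERS:
        qual, term = term[0], term[1:]
    mech, _, value = term.partition(":")
    prefix = 32
    if "/" in mech:                 # e.g. mx/24
        mech, cidr = mech.split("/", 1)
        prefix = int(cidr)
    elif "/" in value:              # e.g. ip4:203.0.113.0/24
        value, cidr = value.rsplit("/", 1)
        prefix = int(cidr)
    return qual, mech.lower(), value, prefix


def check_spf(record, sender_ip, domain):
    """Evaluate record for mail from sender_ip claiming to be from domain."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qual, mech, value, prefix = parse_term(term)
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = in_net(sender_ip, value, prefix)
        elif mech == "a":
            host = value or domain
            matched = any(in_net(sender_ip, a, prefix) for a in lookup(host, "A"))
        elif mech == "mx":
            host = value or domain
            matched = any(in_net(sender_ip, a, prefix)
                          for mx in lookup(host, "MX")
                          for a in lookup(mx, "A"))
        else:
            return "permerror"      # include, exists, ptr etc. are not modelled
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                # nothing matched and no 'all' term present


DEFAULT_RECORD = "v=spf1 a mx/24 ip4:203.0.113.10 ?all"   # question 6, {0} filled in
TIGHT_RECORD = "v=spf1 a mx ip4:203.0.113.10 ?all"        # question 7
NO_MAIL_RECORD = "v=spf1 -all"                            # question 6, no-mail domains

if __name__ == "__main__":
    for ip in ("198.51.100.25", "198.51.100.77", "203.0.113.10", "192.0.2.5"):
        print(ip, "default:", check_spf(DEFAULT_RECORD, ip, "example.com"),
              "tightened:", check_spf(TIGHT_RECORD, ip, "example.com"))
    print("no-mail domain:", check_spf(NO_MAIL_RECORD, "203.0.113.10", "example.com"))
```

Run it and a sender at 198.51.100.77, a neighbour of the MX host in the same /24, passes under the default record but only gets "neutral" under the tightened one; that is exactly the gap that dropping the /24 from the mx mechanism closes. Under the no-mail record every sender gets "fail".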

8. I use my ISP's mail servers to send mail from home or when traveling, what should my record be?
Many ISPs are starting to block port 25 and force you to send mail through their SMTP servers. You can get around this by using our alternate SMTP port, 8889, with the default SPF record, or you can use the following string:

v=spf1 a mx/24 ip4:{0} ip4:{1} ?all - replace {0} with the IP address of your web server and replace {1} with the IP address of your ISP's mail server.

You can get the IP address of the ISP's mail server by pinging it at a command prompt in Windows. If you do not know how to ping or cannot get the IP address, contact your ISP and they will provide it for you.

9. I send mail from my ISP's mail server, should I use INCLUDE to add the ISP's servers?
We do not recommend using the INCLUDE mechanism. It fetches the SPF record of the domain specified and includes it in your SPF record. If the listed domain does not have an SPF record, the check will produce a "FAIL" result for that part of the SPF. It is much safer to use the suggestion in question 8.

10. What ALL implementations do you allow?
The ALL mechanism accepts four qualifiers (switches): +, ?, ~ and -. The + qualifier means all mail passes without the SPF record being checked. The ? qualifier means that if the check passes it is treated as a normal SPF pass, but if it fails no action is taken at all. The ~ qualifier means soft failure and should result in the message being treated as spam. The - qualifier means hard failure: do not let the message go forward.

The + qualifier is not allowed on our network as it does not help combat the spam problem. If you attempt a custom SPF string that uses it, your custom SPF string will produce an error.
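As an added example (not Newtek's validation script), the following lint function checks a custom SPF string against the rules stated in questions 9 and 10 before it is submitted: the string must begin with v=spf1, "+all" is rejected, include: is flagged, an ip4: argument must be a valid IPv4 address or network, and terms placed after all are reported because they are never evaluated. It also enforces the SPF specification's limit of ten DNS-querying terms (a, mx, ptr, exists, include and redirect=), which the FAQ does not mention but which turns a record into a permanent error when exceeded.

```python
"""Lint a custom SPF string against the rules this FAQ sets out.

Added example, not Newtek's validation script. Returns the list of
problems found; an empty list means the string would be accepted.
"""
import ipaddress

KNOWN_MECHS = {"all", "ip4", "ip6", "a", "mx", "ptr", "exists", "include"}
DNS_MECHS = {"a", "mx", "ptr", "exists", "include"}   # each costs a DNS lookup
QUALIFIERS = "+-~?"
LOOKUP_LIMIT = 10   # SPF specification: more than 10 lookups is a permanent error


def lint_spf(record):
    """Return the problems found in record; [] means it passes every rule."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with v=spf1"]
    dns_lookups = 0
    saw_all = False
    for term in terms[1:]:
        if saw_all:
            problems.append(f"'{term}' comes after 'all' and will never be evaluated")
            continue
        qual, body = "+", term
        if body and body[0] in QUALIFIERS:
            qual, body = body[0], body[1:]
        if not body:
            problems.append(f"'{term}' has no mechanism")
            continue
        if "=" in body:                       # modifier such as redirect= or exp=
            if body.split("=", 1)[0].lower() == "redirect":
                dns_lookups += 1
            continue
        mech, _, arg = body.partition(":")
        mech = mech.split("/", 1)[0].lower()  # strip a /cidr suffix like mx/24
        if mech not in KNOWN_MECHS:
            problems.append(f"unknown mechanism '{mech}' in '{term}'")
            continue
        if mech in DNS_MECHS:
            dns_lookups += 1
        if mech == "all":
            saw_all = True
            if qual == "+":                   # question 10: +all is refused
                problems.append("'+all' passes every sender and is not accepted on this network")
        elif mech == "include":               # question 9: include is discouraged
            problems.append(f"'{term}' depends on the other domain's SPF record; "
                            "list the server with ip4: instead (question 8)")
        elif mech == "ip4":                   # question 8: the address must parse
            try:
                if ipaddress.ip_network(arg, strict=False).version != 4:
                    raise ValueError
            except ValueError:
                problems.append(f"'{term}' is not a valid IPv4 address or network")
    if dns_lookups > LOOKUP_LIMIT:
        problems.append(f"{dns_lookups} DNS-querying terms exceeds the limit of {LOOKUP_LIMIT}")
    return problems


if __name__ == "__main__":
    for s in ("v=spf1 a mx ip4:203.0.113.10 ?all",
              "v=spf1 a mx +all",
              "v=spf1 include:isp.example ~all",
              "v=spf1 -all a"):
        print(s, "->", lint_spf(s) or "OK")
```

The two default strings from question 6 and the tightened string from question 7 all come back clean; a string ending in +all, one that uses include:, or one with terms trailing after -all each produces a message naming the offending term, which is more useful to the person editing the record than a bare "error".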

Links to SPF Information
http://spf.pobox.com/
http://www.msexchange.org/tutorials/Sender-Policy-Framework.html
http://emailuniverse.com/ezine-tips/?Sender-Policy-Framework-(SPF)---Explained&id=1202&cat=resources
http://www.openspf.org/SPF_Record_Syntax

Links to SPF Wizards
http://www.spfwizard.net/
http://www.emailquestions.com/spf-wizard/
http://www.mailradar.com/spf/
http://spfwizard.com/

Links to SPF Testers
http://spf.pobox.com/why.html - Good but does not let you test an SPF string

http://www.dnsstuff.com/tools
http://mxtoolbox.com/spf.aspx
