Let’s set up an SPF record. We already discussed what an SPF record is, and we now have our list of mail servers (at least most of them).
Let’s go through some examples. Here is my SPF record:
v=spf1 include:spf.protection.outlook.com -all
Simple enough right? Well, let’s break this down:
v=spf1 – This says “the version of SPF is spf1.” It has to be at the start of your SPF record; it tells everyone that this particular TXT record is an SPF record.
include: – Pulls in another domain’s SPF record, so anything that record would pass, yours passes too. You put domains in here (typically the record your mail provider tells you to include), not IP addresses.
There are other “mechanisms” you can use as well: ip4, ip6, a, mx, ptr, exists, include and all (written in lower case in the actual record; “IPV4” will not work).
They are mostly self explanatory, but a couple of them are commonly misread. a by itself means “the A (or AAAA) record of the domain being checked”, i.e. the address your bare domain resolves to (often your web server), not every A record in your zone; a:hostname.com checks a different host. mx means “the hosts named in my MX records”, i.e. whatever receives mail for you can also send. include we already discussed. ip4: and ip6: let you specify a single address or a CIDR block (ip4:220.127.116.11 or ip4:203.0.113.0/24). ptr is deprecated in RFC 7208 and slow for receivers to evaluate, so leave it out. One limit to keep in mind: a, mx, include, ptr and exists each cost a DNS lookup, and a record that needs more than 10 of them (counting the lookups inside every include) is a permanent error, which most receivers treat as if you had no SPF at all.
all – This one is, well, everything. You want it at the end, because a receiver walks your SPF record from left to right and stops at the first mechanism that matches. So if nothing on the left matched, all catches everything else.
Last thing to note: you see in my example it says -all (minus all). The minus tells the receiver what to do with a match (the RFC calls these qualifiers, but that’s complicated). Minus means FAIL (aka hard fail). So if the sender didn’t match anything on the left, fail it. Basically I’m saying “if you don’t see mail from anything on the left, I want you to reject the email, get rid of it, it’s worthless.” Strictly speaking SPF only produces the verdict; whether the receiver actually rejects, quarantines or just scores the message is up to the receiver (and, later, your DMARC policy).
There are 3 other qualifiers: + (pass, which is the default when you write no qualifier at all), ~ (softfail) and ? (neutral).
Pass is, well, pass. You can put a qualifier on any mechanism (so I could write -a to fail anything coming from my A record, but that would be kind of dumb; easier to just list what you want to send mail from on the left, then fail everything else).
Softfail is “this doesn’t match, but please just put it in a spam/quarantine folder. I’m a little unsure of myself and don’t want things to break, so don’t totally get rid of the email just in case.”
Neutral is “I have no opinion”; most receivers treat it about the same as having no SPF record at all.
Putting it all together now:
I generate a nice long one (this is not a real one I’m using, just an example):
eli5it.com. IN TXT "v=spf1 mx a ip4:220.127.116.11 include:spf.mandrillapp.com include:spf.protection.outlook.com -all"
So again, let’s break this down:
v=spf1 – I’m an SPF record, version 1.
mx – the hosts in my MX records are OK to send.
a – the address my domain’s own A record points at is OK to send.
ip4:220.127.116.11 – this address is good to send for me too (a single address; use something like ip4:203.0.113.0/24 for a whole block).
include:spf.mandrillapp.com – Mailchimp (Mandrill) is good to send.
include:spf.protection.outlook.com – Microsoft 365 is good to send.
-all – reject everything else.
That record spends four DNS lookups of its own (mx, a and the two includes), plus whatever the two included records need internally; the total has to stay at or under 10.
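To make the left-to-right, first-match-wins rule concrete, here is a small SPF evaluator. It is an added example for this article, not code from the page or from any SPF library. It walks a record the way a receiver does: each mechanism is tried in order, the first one that matches decides the result via its qualifier, an include only counts as a match when the included record returns pass, a domain with zero or several v=spf1 records is a permanent error, and every a/mx/include costs one of the 10 allowed DNS lookups. The DNS table at the top is constructed for the example (the contents shown for spf.mandrillapp.com and spf.protection.outlook.com are assumed placeholders, not their real records), so everything runs offline; it goes beyond the article’s single record by also showing a softfail-stage domain, a domain that published two records by mistake, and a record that includes itself until the lookup limit bites. The ptr and exists mechanisms and the redirect= modifier are not implemented.

```python
"""Toy SPF (RFC 7208) evaluator that walks a record left to right.

All DNS data below is constructed for this example; nothing is looked up on
the network. Addresses come from the RFC 5737 documentation ranges plus the
one address used in the article's sample record.
"""
import ipaddress

# Constructed DNS table: (name, record type) -> list of values. Not real data.
DNS = {
    ("eli5it.com", "TXT"): [
        "v=spf1 mx a ip4:220.127.116.11 include:spf.mandrillapp.com "
        "include:spf.protection.outlook.com -all"
    ],
    ("eli5it.com", "A"): ["203.0.113.10"],          # the web server
    ("eli5it.com", "MX"): ["mail.eli5it.com"],
    ("mail.eli5it.com", "A"): ["203.0.113.25"],     # the inbound mail host
    # Assumed contents for the two included records (not their real values).
    ("spf.mandrillapp.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ?all"],
    ("spf.protection.outlook.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    # A domain that published two SPF records by mistake.
    ("broken.example", "TXT"): ["v=spf1 -all", "v=spf1 ~all"],
    # A domain still in the cautious softfail stage.
    ("soft.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    # A record that includes itself, to show the 10-lookup limit biting.
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"a", "mx", "include", "ptr", "exists"}


def lookup(name, rrtype):
    return DNS.get((name.lower(), rrtype), [])


def get_spf_record(domain):
    """Return the single v=spf1 TXT record, or None if there are zero or several."""
    records = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return records[0] if len(records) == 1 else None


def ip_in_any(ip, targets):
    """True if ip falls inside any target; a bare address counts as a /32 or /128."""
    return any(ip in ipaddress.ip_network(t, strict=False) for t in targets)


def host_addresses(name):
    return lookup(name, "A") + lookup(name, "AAAA")


def check_host(ip, domain, state=None):
    """Evaluate sender ip against domain's SPF record and return the SPF result string."""
    ip = ipaddress.ip_address(ip)
    state = state if state is not None else {"lookups": 0}
    record = get_spf_record(domain)
    if record is None:
        return "permerror"  # no record, or more than one: both count as broken
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are not handled by this toy
        qualifier = "+"  # no qualifier written means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in LOOKUP_MECHANISMS:
            state["lookups"] += 1  # shared across includes, so nested lookups count too
            if state["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":  # bare "a" is the domain being checked, not every A record you own
            matched = ip_in_any(ip, host_addresses(arg or domain))
        elif mech == "mx":
            addrs = [a for host in lookup(arg or domain, "MX") for a in host_addresses(host)]
            matched = ip_in_any(ip, addrs)
        elif mech == "include":
            sub = check_host(ip, arg, state)
            if sub == "permerror":
                return sub
            matched = sub == "pass"  # only a "pass" from the included record matches
        else:
            return "permerror"  # ptr, exists or an unknown mechanism: not implemented here
        if matched:
            return QUALIFIERS[qualifier]  # first match wins; nothing to the right is looked at
    return "neutral"  # record ran out without an "all" term


if __name__ == "__main__":
    for sender, dom in [("203.0.113.25", "eli5it.com"), ("192.0.2.9", "eli5it.com"),
                        ("198.18.0.1", "eli5it.com"), ("198.18.0.1", "soft.example"),
                        ("198.18.0.1", "broken.example"), ("198.18.0.1", "loop.example")]:
        print(f"{sender:>14} as {dom:<16} -> {check_host(sender, dom)}")
```

Two things worth noticing when you run it: a sender inside the assumed Mandrill range passes even though the Mandrill record ends in ?all, because the include matched on its ip4 term before ever reaching that all; and the loop.example record never matches anything, it simply burns through the lookup budget and comes back as permerror, which is exactly what a too-long chain of real includes does to you.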
Now again, this is all laid out in the RFC (RFC 7208), so if I made any sort of mistake here, feel free to point that out, but as always I am not responsible for how you configure your mail system. Always use an SPF syntax checker to validate your record, preferably one that also counts DNS lookups, and it won’t hurt to use something like the MXToolbox SPF check after implementing it to confirm it’s good to go.
Now all that is left is to add it to your DNS server. This will vary by DNS provider, but basically you add a TXT record on the domain name itself (the apex, usually shown as @ or left blank in the provider’s UI) whose value STARTS with v=spf1. Only publish one: a domain with two TXT records that start with v=spf1 fails SPF with a permanent error, so if one already exists, merge your mechanisms into it rather than adding a second.
As mentioned in the previous article, it’s probably best to lower your TTL on your DNS record to the lowest possible in case you screw something up, that way you can fix it quick 🙂
You probably will want to start with neutral (?all), or at least softfail (~all), before going right to hard fail (-all). That way you won’t lose mail if you forget one of your servers.
Lastly, setting up DMARC reporting can greatly help with getting a picture of everything that is sending as your domain, so it might be worthwhile getting that set up as well (we’ll do another article on this sometime).
Until next time.