Skip to content

SPF Record in DNS

  • DNS

Almost all free mail providers like Gmail and Yahoo Mail will filter out spam or spoofed emails by validating the source (SMTP server), if your mail server have not been validated, the delivered mails may be blocked or directly go to receivers' Trash folder. Let's see an example of original message from a doubtful source:

...
Received-SPF: none (google.com: [email protected] does not designate permitted sender hosts) client-ip=10.23.58.124;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: [email protected] does not designate permitted sender hosts) [email protected]
...

Sender Policy Framework (SPF)

The root cause could be the missing SPF setting in DNS records. If you are a domain administrator, you can add a TXT record containing SPF string to your authoritative name servers.

example.com. IN TXT "v=spf1 ip4:10.23.58.124 a -all"

Don't forget to enclose SPF string by double quotes. Now, you have to wait for the record broadcast over the internet.

In SPF string, you can list all the IP addresses that shall be permitted to send mail from this domain to the internet. By this formal and official way, you announced the listed IP addresses can be trusted by the mail providers.

Now, we have a picture of the scheme:

  1. The free mail provider received the message which has the key information including the sender domain and sender IP address.
  2. The free mail provider verified the source by looking up the TXT/SPF record of the sender domain on name servers.
  3. If the sender IP address is listed in the SPF string, then the source is trustable.
  4. Otherwise, the source remains doubtful. The free mail provider might block the message or dump it into Trash folder.

Let's see the record from any clients by nslookup:

C:\Users\ed>nslookup -type=txt example.com
Server:  dns.hinet.net
Address:  168.95.1.1

Non-authoritative answer:
example.com      text =

        "v=spf1 ip4:10.23.58.124 a -all"

Now, your SPF will be pass and trusted. Let's see the test result:

...
Received-SPF: pass (google.com: domain of [email protected] designates 10.23.58.124 as permitted sender) client-ip=10.23.58.124;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates 10.23.58.124 as permitted sender) [email protected]
...

Maybe you have noticed that I rewrote the sender address into [email protected] instead of [email protected]. For more details, please refer my post: How to Rewrite Return-Path and Sender Address in Postfix.

Leave a Reply

Your email address will not be published. Required fields are marked *