Server Fault Stack Exchange
Server Fault Stack Exchange

Questions tagged [spf]

Sender Policy Framework is a standard by which the owner of a domain uses a specially formed DNS record to advertise which hosts are authorized to send email for the domain.

Sender Policy Framework (SPF) is a technique to prevent e-mail sender address forgery. With SPF system administrators add information about allowed senders for particular domain in a DNS server's TXT and/or SPF record.

Please have a look at the canonical question What are SPF records and how do I configure them.

869 questions
11
votes
1 answer

What takes precedence: an SPF record with "-all" in the primary TXT record, or one in the "include" section?

Suppose I have a domain (company.com) with an SPF that looks like this: v=spf1 ip4:70.70.70.70 include:host.marketing.com -all and "host.marketing.com" looks like this v=spf1 ip4:8.8.8.8 ~all What takes precedence for company.com, the "~" or the…
makerofthings7
  • 8,911
  • 34
  • 121
  • 197
11
votes
3 answers

What's the proper format for an SPF record?

Querying my domain I get: The TXT records found for your domain are: v=spf1 ip4:50.22.72.198 a mx:wordswithfriends.net ~all So superficially it appears OK. However I also get the following message SPF records should also be published in DNS as…
deltanovember
  • 531
  • 2
  • 7
  • 13
11
votes
4 answers

SPF record -- why do we use `+a` alongside `+mx`?

Why do administrators mostly use +a alongside +mx in SPF records? This is the example: @ 10800 IN TXT "v=spf1 +a +mx -all" Isn't it enough to only use +mx parameter e.g.: @ 10800 IN TXT "v=spf1 +mx -all" I thought…
71GA
  • 363
  • 1
  • 3
  • 10
11
votes
3 answers

record DKIM on IONOS makes sense?

If I am sending mail through SMTP, I understand that it is IONOS who signs those emails, right? I would like to add the DKIM header to my emails. I know that it is necessary to publish a CNAME record with the public key but if I don't use a…
Diego
  • 113
  • 1
  • 4
10
votes
1 answer

How to include multiple spf domains with different mechanisms in a single spf TXT Record

EDIT : How to Mix the different mechanisms (a , mx , ip4 , ptr and include) to create single SPF file from 4 I know that 2 simple SPF records like v=spf1 include:_spf.google.com ~all v=spf1 include:otherdomain.com ~all can be merged to one…
Oxi
  • 219
  • 1
  • 2
  • 7
10
votes
4 answers

SPF + DKIM + DMARC with Gmail account and external mail server

I,m using gmail with own domain (Google Apps) for my project. Now I want to add external mail server for sending notifications for users. Gmail doesn't give private keys for DKIM and if keys will be generated on external mail server, in case strict…
cptBuggy
  • 101
  • 1
  • 1
  • 4
10
votes
4 answers

Gmail SPF fail based on client IP

Gmail is failing SPF check based on the client IP. These are the relevant headers: Received-SPF: fail (google.com: domain of johndoe@example.com does not designate 164.77.240.58 as permitted sender) client-ip=164.77.240.58; Received: from johndoe…
Max Toro
  • 201
  • 2
  • 5
10
votes
2 answers

Why is email being delivered normally despite an SPF "hardfail"?

I'm trying to figure out why forged email is being delivered to major email providers (gmail.com, outlook.com) even though email is marked with an SPF hardfail. The email is also delivered to Microsoft Exchange, which is throwing a PermError for…
Rook
  • 2,655
  • 6
  • 27
  • 35
10
votes
3 answers

Why is my email failing Gmail's DKIM test?

I have a message that was rejected by Gmail, I don't know why. It passes SPF. We aren't using DKIM. Do I need to set up DKIM? I am in control of "example.com". Our mail server is "server.example.com" (hosted at bluehost) Our SPF record is v=spf1 +a…
nielsbot
  • 223
  • 1
  • 3
  • 9
10
votes
5 answers

How do I configure SPF for multiple domains on a server? (also allowing gmail as a sender)

SPF (Sender Policy Framework) seems like a good way to combat spammers/spoofing. However, despite reading the explanations several times, I'm not quite understanding how to configure it correctly. Let's say I have my server at a.x.com which hosts…
Peter Boughton
  • 594
  • 2
  • 7
  • 19
10
votes
2 answers

SPF hardfail and DKIM failure when recipient has e-mail forwarding

I configured hardfail SPF for my domain and DKIM message signing on my SMTP server. Since this is the only SMTP server that should be used for outgoing mail from my domain, I didn't foresee any complications. However, consider the following…
Belmin Fernandez
  • 10,799
  • 27
  • 84
  • 148
10
votes
2 answers

How do I prevent the SPF_HELO_NONE warning when sending from Postfix?

When using a tool like https://dkimvalidator.com/ to verify configuration of DKIM, SPF, DMARC, etc. for sending mail from a web server, I get a warning like this: 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record It seems like a bad…
Walf
  • 401
  • 1
  • 6
  • 17
10
votes
2 answers

How does DKIM work when sending emails from multiple sources/servers?

So if I'm understanding DKIM correctly, it basically is a public/private key type of service. However, how does this work if you send emails from multiple servers/sources? For instance, I have a split domain where I send some emails (under the…
Marc NJ
  • 111
  • 1
  • 4
9
votes
2 answers

Should I put Scope:Link or scope:Global IPv6 address in DNS AAAA record?

I have a mail server for which I need to create the AAAA DNS record and update the SPF record to include its IPv6 address. An ifconfig command shows a Scope:Link IPv6 address and a Scope:Global IPv6 address. Which one should I put in the AAAA and…
chmike
  • 429
  • 2
  • 5
  • 18
9
votes
3 answers

Does "~all" in the middle of an SPF record signal the end of the record when it is parsed?

Our company's SPF record format is as follows: "v=spf1 include:_spf.google.com ~all a mx ip4:X.X.0.0/23 include:spf.example.com ?all" So we have an "~all" in the middle of our SPF record. On the openspf.com website, they say this regarding the "all"…
whelanska
  • 93
  • 3
1 2 3
57 58