Note: Please get on the mailing list to stay abreast of updates.
Pick a default.
SPF domains have to publish at least two directives: a version identifier and a default mechanism.
mydomain.com. TXT "v=spf1 -all"
This is the simplest possible SPF record: it means your domain mydomain.com never sends mail.
It makes sense to do this when a domain is only used for web services and doesn't do email.
But most domains will want to designate permitted hosts using one or more mechanisms.
If your MX servers send mail, designate them.
mydomain.com. TXT "v=spf1 mx -all"
Let's pretend mydomain.com has two MX servers, mx01 and mx02. They would both be allowed to send mail from mydomain.com.
If other machines in the domain also send mail, designate them.
mydomain.com. TXT "v=spf1 mx ptr -all"
This designates all the hosts whose PTR hostname matches mydomain.com.
If any other machines not in the domain also send mail from that domain, designate them.
mydomain.com. TXT "v=spf1 a:mydomain.com mx ptr -all"
mydomain.com's IP addresses don't show up in its list of MX servers.
So we add an "a" mechanism to the directive set to match them.
mydomain.com. TXT "v=spf1 a mx ptr -all"
This is shorthand for the same thing.
Each of your mail servers should have an SPF record also.
When your mail servers create a bounce message, they will send it using a blank envelope sender: <>. When an SPF MTA sees a blank envelope sender, it will perform the lookup using the HELO domain name instead. These records take care of that scenario.
amx.mailix.net. TXT "v=spf1 a -all"
mx.mailix.net. TXT "v=spf1 a -all"
Consider creating an SPF record for every other machine in your domain.
Spammers can forge hostnames as well as domain names: to SMTP there is no difference between the two. If they start forging the hostnames of web servers, unix servers, even workstations, you'll want to create SPF records for those machines also.
Notes
If you send mail through another organization's servers, you should use an Include directive to point to their servers. If they do not have SPF records, maybe they don't know about SPF. Tell them about it!
(optional) use Include records to share these hosts
If other domains use exactly the same set of hosts, you can set up redirects for them. "Redirect" aliases point to other domains which themselves publish SPF records. This aliasing mechanism makes it possible to easily consolidate multiple domains that share the same set of designated hosts.
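The records above can be checked without a live DNS by running a small evaluator against a constructed zone. This is an added example, not code from the original page: it implements the a, mx, ptr, include, all and redirect= terms used in this tutorial and the blank-sender HELO fallback, over an in-memory DNS table whose hostnames (mx01, mx02, ws1, otherdomain.com) and IP addresses are assumptions.

```python
# Constructed DNS data for the page's example domain (not real records; names/IPs assumed).
DNS = {
    ("mydomain.com", "TXT"): ["v=spf1 a mx ptr -all"],
    ("mydomain.com", "A"): ["192.0.2.10"],
    ("mydomain.com", "MX"): ["mx01.mydomain.com", "mx02.mydomain.com"],
    ("mx01.mydomain.com", "A"): ["192.0.2.1"],
    ("mx02.mydomain.com", "A"): ["192.0.2.2"],
    ("mx01.mydomain.com", "TXT"): ["v=spf1 a -all"],   # per-server record used on HELO
    ("ws1.mydomain.com", "A"): ["198.51.100.7"],
    ("198.51.100.7", "PTR"): ["ws1.mydomain.com"],     # reverse lookup for "ptr"
    ("otherdomain.com", "TXT"): ["v=spf1 redirect=mydomain.com"],
}
def lookup(name, rtype):
    return DNS.get((name, rtype), [])
def spf_terms(domain):
    """Terms of the domain's v=spf1 TXT record, or None if it publishes none."""
    recs = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    return recs[0].split()[1:] if recs else None

def check_host(ip, domain, depth=0):
    """Simplified SPF check_host(): a, mx, ptr, include, all and redirect= only."""
    terms = spf_terms(domain)
    if terms is None or depth > 10:   # no record, or a redirect/include loop
        return "none"
    redirect = next((t[9:] for t in terms if t.startswith("redirect=")), None)
    for term in terms:
        if "=" in term:               # modifiers (redirect=, exp=) are not mechanisms
            continue
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = mech.partition(":")
        target = arg or domain        # bare "a"/"mx"/"ptr" refer to the domain being checked
        if name == "a":
            hit = ip in lookup(target, "A")
        elif name == "mx":
            hit = any(ip in lookup(mx, "A") for mx in lookup(target, "MX"))
        elif name == "ptr":           # PTR name must be in the domain and resolve back to ip
            hit = any((h == target or h.endswith("." + target)) and ip in lookup(h, "A")
                      for h in lookup(ip, "PTR"))
        elif name == "include":
            hit = check_host(ip, target, depth + 1) == "pass"
        else:
            hit = name == "all"       # unknown mechanisms never match
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return check_host(ip, redirect, depth + 1) if redirect else "neutral"

def check_mail(ip, mail_from, helo):
    """Blank envelope sender (<>) falls back to the HELO name, as the page describes."""
    sender = mail_from.strip("<>")
    return check_host(ip, sender.rsplit("@", 1)[-1] if sender else helo)
```

Swapping a real resolver into lookup() turns this into a quick way to test a zone before publishing it; note that the real algorithm also caps DNS-querying terms at ten and handles CIDR suffixes and macros, which this version omits.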
That's it. You're done.
Note: The above examples are good for a simple case, but do read the Mechanisms page or the SPF draft RFC to see how to configure complex cases. You can have multiple includes for a given domain.
Once you've set up records, try them out.