- Simple DNS Plus
- Knowledge Base
- Spam and Phishing
- KB article #18
Configuring SPF (Sender Policy Framework) records
Note about the DNS SPF-record type (numeric 99):
In 2006 a new DNS record type "SPF" (numeric ID 99) was introduced through RFC4408. This record type (and RFC) was made obsolete in 2014 through RFC7372.
Since the introduction of the SPF concept, it has always been valid and correct to publish SPF data using DNS TXT-records. Between 2006 and 2014 both record types (TXT / SPF) were valid and correct. However now only TXT-records should be used.
All e-mail servers that we know of support SPF through DNS TXT-records.
Therefore the DNS "SPF" record type (99) was removed from Simple DNS Plus in v. 5.3.
SPF is a spam and phishing scam fighting method which uses DNS TXT-records to define which hosts are permitted to send e-mails for a domain. For details on SPF, please see http://www.openspf.org/
This works by defining an SPF-record (a DNS TXT-record) for the e-mail domain name specifying which hosts (e-mail servers) are permitted to send e-mail from the domain name.
Other e-mail servers can lookup this record when receiving an e-mail from this domain name to verify that sending e-mail server is connecting from a permitted IP address.
Simple DNS Plus can automatically synthesize SPF-records for all domain names hosted on your server which do not already have SPF-records.
In the main window click the "Options" button:
In the Options dialog, select "Automatic SPF" in the left list.
The option "Synthesize missing SPF records" allows you to specify SPF data for all local domain names which do not have SPF-records.
You can get the exact SPF-record data string to enter by using the setup wizard at http://www.openspf.org/
You can also setup SPF-records for individual domain names.
SPF-records for individual domain names will always override the Automatic SPF records options.
For example to create an SPF-record specifying that only those e-mail servers handling inbound e-mail for "example.com" (as specified in MX-records) are allowed to send e-mails from "...@example.com" (fits most setups), you would follow these steps:
First click the "Records" button in the main window:
Then in the DNS Records window, right-click on the zone in the left list, and select "New TXT-record (Text Strings)" from the pop-up menu:
Enter the SPF text string (without surrounding quotes), and click the "OK" button:
Again, you can get the exact text string to enter by using the setup wizard at http://www.OpenSPF.org
NOTE: The abbreviation "SPF" used to stand for "Sender Permitted From" but was later changed to mean "Sender Policy Framework".
NOTE: Microsoft uses the name "Sender ID" about SPF - this is exactly the same thing.
The name confusion is the result of a "merge" between Microsoft's "Caller-ID" and SPF in May 2004 - where essentially only SPF survived.
Important note about SPF and the HELO/EHLO host name
In addition to checking the domain name part of the sender's e-mail address, some e-mail servers also perform SPF checks on the SMTP session HELO/EHLO greeting host name.
Therefore always make sure that your e-mail server is configured to use a correct host name (like "mail.example.com") in the HELO/EHLO greeting, and that an A- and/or AAAA-record exists for this host name in DNS.
When using "Automatic SPF", make sure that the automatic SPF-record data is also valid for the HELO/EHLO host name, or define a specific SPF-record for the HELO/EHLO name in the zone where this belongs (this will override the automatic SPF record).
Note that the default automatic SPF record data "v=spf1 mx -all" will fail such a test if no MX-record exists for your HELO/EHLO name.
For example, if your domain name is "example.com" and your mail server is named "mail.example.com" (and uses this in HELO/EHLO greetings), you would probably only have an MX-record for "example.com" - not for "mail.example.com", and therefore "v=spf1 mx -all" fails to validate "mail.example.com".
Instead you could use "v=spf1 ip4:22.214.171.124 -all" (where 126.96.36.199 is the IP address of your mail server), which would work for both types of tests.
Be the first to comment on this page: