
Knowledge Base

Email Security: How to create SPF record on DNS server

Description

Email Security: How to create SPF record on DNS server

Resolution

Question:

How do I create SPF records on a DNS server?


Procedure:

To create an SPF record for a domain:

Log in to the admin console that manages DNS for your domain.

Navigate to the configuration page where you can make changes to your DNS records.

Create a TXT record using some of the following mechanisms to define the trusted sources allowed to relay email for your domain:

Examples:

"v=spf1 ip4:192.168.6.112/16 -all"
"v=spf1 ip6:1080::8:800:200C:417A/96 -all"
"v=spf1 a:example.com -all"
"v=spf1 mx mx:example.domain.com -all"
"v=spf1 ptr -all"
"v=spf1 exists:example.com -all"
"v=spf1 include:example.com -all"

Mechanisms:

all: Always goes at the end of the SPF record and specifies that the condition always matches.
ip4: Specifies an IPv4 network range to match. /32 is assumed if no prefix length is given.
ip6: Specifies an IPv6 network range to match. /128 is assumed if no prefix length is given.
a: Specifies that all A records are tested; the condition matches if the client IP is found among them.
mx: Specifies that all A records of all MX records are tested in order of priority. The condition passes if the client IP is found among them.
ptr: The hostname is validated by PTR queries, and the condition passes if at least one A record of a PTR hostname matches the original client IP.
include: Specifies that the defined domain is searched for a match. If the lookup does not result in a match or permerror, the query proceeds to the next condition.

Example: v=spf1 mx:messages.sonicwall.com -all

An SPF record that ends in ~all instead of -all specifies a softfail, whereas -all results in a hard fail when the conditions of the SPF record do not match. The qualifiers are:

"+" (Pass): The SPF record states that the host is permitted to send.
"-" (Fail): The SPF record states that the host is NOT permitted to send.
"~" (SoftFail): The SPF record states that the host is NOT permitted to send but is in transition.
"?" (Neutral): The SPF record states explicitly that no judgement is made on the validity of the host.

Save your settings. Please note that DNS records can take up to 48 hours to propagate.

For further reference, see: http://www.openspf.org/SPF_Record_Syntax
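
Before saving a record, it helps to check it against the mechanisms and qualifiers listed above. The following is an added example, not part of the original article or any vendor tool: a small Python linter that splits a TXT value into terms, applies the /32 and /128 defaults, and flags a stray space before a prefix length, a bare or "+" all, and terms placed after all. The function name lint_spf and the sample records are constructed for illustration; modifiers (name=value) are skipped because the article does not cover them.

```python
import ipaddress
import re

# Qualifier and mechanism names as listed in the article above.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "ptr", "exists", "include"}

def lint_spf(record):
    """Return (terms, problems) for one SPF TXT value."""
    tokens = record.strip().strip('"').split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return [], ["record does not start with v=spf1"]
    terms, problems = [], []
    for tok in tokens[1:]:
        if "=" in tok:
            continue  # modifiers (name=value) are not covered by the article
        has_qual = tok[0] in QUALIFIERS
        qual = tok[0] if has_qual else "+"  # "+" is implied when omitted
        body = tok[1:] if has_qual else tok
        name = re.match(r"[A-Za-z0-9]*", body).group().lower()
        value = body[len(name):].removeprefix(":")
        if name not in MECHANISMS:
            # Receivers treat a term like this as a syntax error (permerror).
            problems.append(f"unrecognised term {tok!r}: stray whitespace?")
            continue
        if name in ("ip4", "ip6"):
            try:
                # A missing prefix length becomes /32 (ip4) or /128 (ip6).
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):
                    raise ValueError("address family mismatch")
                value = str(net)
            except ValueError:
                problems.append(f"bad network in {tok!r}")
                continue
        terms.append((QUALIFIERS[qual], name, value))
    names = [n for _, n, _ in terms]
    if "all" in names and names[-1] != "all":
        problems.append("terms after 'all' are never evaluated")
    if ("Pass", "all", "") in terms:
        problems.append("'+all' authorises every host on the Internet")
    return terms, problems

if __name__ == "__main__":
    # Constructed sample values; the first has a space before the prefix.
    for rec in ('"v=spf1 ip4:192.168.6.112 /16 -all"',
                '"v=spf1 ip4:192.168.6.112/16 -all"',
                '"v=spf1 mx all"'):
        print(rec, *lint_spf(rec), sep="\n  ")
```

In the first sample the detached "/16" is reported as an unrecognised term and the ip4 term is read as a single host (/32), which is why the prefix length must be written directly after the address.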