Email Security: How can I create SPF record on DNS server?
12/20/2019 1053 19129
Email Security: How to create SPF record on DNS server
To create an SPF record for a domain.
Login into your Admin Console that manages DNS for your domain.
Navigate to the configuration page where you can make changes to your DNS records.
Create a TXT record using some of the following mechanisms to define the trusted sources allowed to relay email for your domain. EXAMPLE: "v=spf1 ip4:192.168.6.112 /16 -all". "v=spf1 ip6:1080::8:800:200C:417A/96 -all". "v=spf1 a:example.com -all". "v=spf1 mx mx:example.domain.com -all". "v=spf1 ptr -all". "v=spf1 exists:example.com -all". "v=spf1 include:example.com -all"
all :This always goes at the end of the SPF record and specifies that the condition always matches .
ip4 :This specifies the condition to use IPV4 network range./32 is assumed if no prefix-length is given.
ip6 :This specifies that IPV6 network range is used. /128 is assumed if no prefix length is defined.
a :This specifies that all A records be tested and the condition matches if the client IP is found.
mx :This defines all A records of all MX records be tested in the order of priority. The condition passes if the client IP is found among them.
Ptr: Hostname is validated by PTR queries and the condition passes if at least one A record of a PTR hostname matches the original client IP.
Include :This specifies the defined domain be searched for a match. If the lookup does not result in a match or permerror, the query proceeds to the next condition.
EXAMPLE: v=spf1 mx:messages.sonicwall.com -all.
When creating an SPF record that uses the ~all instead of all, you are specifying a softfail whereas the all would result in a hard fail if the conditions of the SPF record are not matching.
"+" Pass The SPF record states that the host is permitted to send.
"-" Fail The SPF record states that the host is NOT permitted to send.
"~" SoftFail The SPF record states that the host is NOT permitted to send but is in transition.
"?" Neutral The SPF record states explicitly that no judgement is made on the validity of the host
NOTE: Save your settings. DNS records can take up to 48 hours to propagate.