Do I need SPF, and how do I set it up?

I've read that SPF is a way to ensure that spam sent in my name is evidently fake, and I'd like to use that. How do I set up SPF? Or is it already in effect? I have two domains hosted on Dreamhost.com, and I use Google Apps to read mail on both domains (separately).

I have used this tool to check if SPF is present for my domains. One domain has SPF, one doesn't.

But it gets more complicated than that:

A) The domain with SPF uses Dreamhost as MX. Mail accounts on this domain are set up to forward to specific Google Apps accounts.

  • Is my SPF ignored when sending mail from Google Apps?

B) The domain without SPF uses Google as MX. I want to add SPF to this domain.

  • Can I add SPF under this domain's DNS records, or should this be done at Google (outside my control)?

C) Further, the users are in several countries using several ISPs. Some don't use the Gmail web interface but rather a mail client (Thunderbird, Outlook). So it's really difficult to say which IP addresses are "ours". This goes for both domains.

  • What IP addresses can/should/must I (not?) specify in my SPF records?

Solution 1:

SPF doesn't care about clients, it is about the question "which server is allowed to send mails coming from my domain?"

Assuming you own the domain example.org:

  • A) It's not important where you send your mails from. It's important that your mailserver has SPF records that match your mailserver.
  • B) Google.
  • C) It's typical to trust the A and MX record resolving to that domain, so: v=spf1 a mx -all

Solution 2:

First, SPF is just a DNS record for your domain that specifies which servers can send e-mail for your domain. If a receiving e-mail server also supports SPF, it will check this record and follow the actions you set in your record.

The most common effect is that fewer people can send spam where the spam claims to be from you. Sometimes mail servers are configured so that they will not accept e-mail unless the sending domain has an SPF record, but this is rare.

In all cases the choice to use an SPF record lies ultimately in the receiving server.

If you use Google Apps to send e-mail you can create a SPF record for your domain like this:

TXT "v=spf1 include:_spf.google.com -all"

You have to contact whoever hosts the DNS for your domain and tell them you want to add that record. Many hosting providers have an easy-to-configure tool for setting this up; if not, call them; they'll know what you're talking about.

Solution 3:

To give Google permission to send email on your behalf, add the following to your SPF TXT record.

include:_spf.google.com

Also, with issue C, don't use the ISPs' SMTP servers. Set up each client to relay through Google's mail servers; the details on how to do that can be found here.
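
An added example, not part of any of the answers above: an offline lint for a domain's TXT records that flags the cases this thread turns on (no SPF record, a record that lacks `include:_spf.google.com`, and an `all` term weaker than `-all`). The function names and sample records are constructed, and the example assumes both domains send their mail through Google Apps.

```python
import re

# Terms that cost a DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(txt):
    """Return [(qualifier, name, value), ...] or None if txt is not SPF."""
    parts = txt.strip().strip('"').split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms = []
    for raw in parts[1:]:
        qual, body = (raw[0], raw[1:]) if raw[0] in QUALIFIERS else ("+", raw)
        m = re.match(r"([A-Za-z0-9]+)[:=/]?(.*)", body)
        if m:
            terms.append((qual, m.group(1).lower(), m.group(2)))
    return terms

def lint(txt_records, sender_include=None):
    """List problems in a domain's TXT records (hypothetical helper)."""
    spf = [t for t in map(parse_spf, txt_records) if t is not None]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple v=spf1 records (receivers return permerror)"]
    terms, findings = spf[0], []
    names = [name for _, name, _ in terms]
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        findings.append("more than 10 DNS-lookup terms")
    if "all" not in names and "redirect" not in names:
        findings.append("no 'all' term (unlisted senders evaluate to neutral)")
    for qual, name, _ in terms:
        if name == "all" and qual != "-":
            findings.append(f"'all' is {QUALIFIERS[qual]}, not fail (-all)")
    if sender_include and ("include", sender_include) not in [t[1:] for t in terms]:
        findings.append(f"missing include:{sender_include}")
    return findings

# Constructed TXT record sets mirroring the two domains in the question.
DOMAIN_A = ['"v=spf1 a mx -all"']                  # has SPF; assumed to send via Google
DOMAIN_B = ['"google-site-verification=EXAMPLE"']  # no SPF record at all
FIXED = ['"v=spf1 include:_spf.google.com -all"']

if __name__ == "__main__":
    for label, recs in [("A", DOMAIN_A), ("B", DOMAIN_B), ("fixed", FIXED)]:
        print(label, lint(recs, sender_include="_spf.google.com") or "ok")
```
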