
How To Setup an SPF Record on your DNS Server


Dec 9, 2016

Ms-PL


This post shows you how to set up an SPF record on your DNS server.

An SPF (Sender Policy Framework) record is something that tells a recipient of email from your mail system that it legitimately came from your systems. This matters most in the context of email spam. Much e-mail software today routinely checks the SPF records of email it receives before deciding whether it is spam. An SPF record looks complicated to create on the face of it, but is really simple to do. I show you two methods to achieve this in this article.

What You Need

Before starting off, you should have the following information or set up ready:

  • Domain name – that you will be using to send your email from. If you do not have a domain name, visit any domain registrar of your choice and register a domain name. You may need to wait for up to 12 hours (based on the registrar) for your name to be usable. I would recommend http://godaddy.com — registration takes a few minutes and you can finish this entire walkthrough in a couple of hours. For the purpose of our walkthrough, we will use the fictitious domain name of “foo.bar” (where we are assuming “.bar” to be a TLD domain like “.com” or “.net” and so on).
  • DNS server – you will need access to create and edit records for the selected domain name. You can use the control panel provided by your domain registrar (if you used GoDaddy.com as suggested above, they have a very powerful control panel), or if you are running your own servers, then you can install a DNS server.

Note: If you are not running your own servers (and you don’t have a Virtual Private or Dedicated server), you may need to purchase a web hosting plan from a hosting provider (if your domain registrar provides hosting, that would be a recommended option) that supports an email plan.

Set Up Your DNS (Part 1)

We will revisit the DNS again below. But at the moment, select a good name for your email domain. Typically, people use “mail” or “email”. Don’t worry, once you follow through with this walkthrough and you decide you want to implement this for real, you can still change this name easily by retracing your steps from this point on, with the new name. So let’s say you have selected “mail” — this makes your full mail domain “mail.foo.bar”.

Edit the DNS record for your “foo.bar” domain and add a HOST (A) record for “mail”. I know you would typically not have a supply of IP addresses to assign. If you are using shared hosting, you can use the same IP address that is assigned to your “www” name. If you have another IP address you can use, use that instead.
For our example, we will use “192.168.1.1” as the IP address.

Create Your SPF Record Data

Like we said before, there are two ways to do this and I will show you both ways. Let’s first do it the hard (manual) way so that you understand the selections of the second (wizard) way better.

By Hand

An SPF record is nothing but a DNS “TXT” record with a specific set of values. Once you know what the values are, it is easy to recreate it by hand. Here is an example SPF record:

v=spf1 mx ptr ip4:192.168.1.1 ~all

Let’s decode this:

  • “v=spf1” indicates the SPF record version to be SPF 1
  • The next “mx” and “ptr” flags tell the SPF checker to use the value of the MX record and PTR record for the domain as validation methods
  • The fourth set “ip4:192.168.1.1” provides a specific IP address (an IPv4 one “192.168.1.1”) as a valid sender of email for this domain. If an email is received that cannot be verified using one of the previously specified mechanisms (mx, ptr, IP), then it should be rejected.
  • The final “~all” indicates that all subdomains and IP addresses that resolve to this domain are authorized senders of email for this domain.

Now let’s compose the same string for our domain. We have not set up an MX record, but we do have an “A” record for our email (the “mail.foo.bar”) and an IP address for it (192.168.1.1), so we use those instead. Also, we don’t want to authorize all domains and IPs. Yes, you guessed it, our SPF record will look like this:

v=spf1 ptr a:mail.foo.bar ip4:192.168.1.1

Using a Wizard

Microsoft provides an easy to use online wizard that can produce very complex SPF records. You can access this by going to https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/default.aspx.
P.S.: This wizard will allow you to create records for even non-existent domains (like foo.bar), so ensure you do not have typo issues while entering data.

  1. Enter your domain name (foo.bar) and click “Start”.
  2. The system will validate if you already have an SPF setup. Since you do not, it will tell you so. Click “Next” (this button will be on the far right hand side of your screen under the colored box area).
  3. Read what it says on the left side and right side carefully and make your selections. For our example, check ON only the “All PTR records resolve to outbound email servers”. For the final set of “Default” radio choices, select the second radio that reads “No; this domain sends mail only from the IP addresses identified above”. Click Next.
  4. You will get the text data for the SPF record. The wizard provides this:
    v=spf1 ptr ~all

    Note that this is actually functionally the same as what we composed by hand above. If you still want it to be exact, on the 3rd step, under the “Outbound Mail Server Addresses” check box, in the first textbox, enter “192.168.1.1”, and “mail.foo.bar” in the one under that. With these small changes, your SPF text will become:

    v=spf1 ptr ip4:192.168.1.1 a:mail.foo.bar ~all
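
The records from the “By Hand” and “Using a Wizard” sections, run through a small evaluator for the mechanisms they use (an added example, not code from the original article). It follows the RFC 7208 evaluation order: mechanisms are tested left to right, the first match decides the result, and a record with no “all” term ends in “neutral”. The DNS tables, the assumed PTR entry and the function names are constructed for the fictitious foo.bar zone.

```python
import ipaddress

# Constructed DNS data for the article's fictitious foo.bar zone (no real lookups).
A = {"mail.foo.bar": ["192.168.1.1"]}
MX = {"foo.bar": []}                      # the walkthrough sets up no MX record
PTR = {"192.168.1.1": ["mail.foo.bar"]}   # assumed reverse mapping
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def ptr_match(ip, domain):
    """ptr: a reverse name must sit under the domain and resolve forward to ip."""
    names = [n for n in PTR.get(ip, []) if ip in A.get(n, [])]
    return any(n == domain or n.endswith("." + domain) for n in names)

def check_host(record, ip, domain):
    """Evaluate the a, mx, ptr, ip4 and all mechanisms for one sender IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in A.get(target, [])
        elif mech == "mx":
            matched = any(ip in A.get(host, []) for host in MX.get(target, []))
        elif mech == "ptr":
            matched = ptr_match(ip, target)
        else:
            return "permerror"            # term outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]  # first matching mechanism decides
    return "neutral"                      # nothing matched and no "all" term

RECORDS = {  # the three full records shown in the article
    "example": "v=spf1 mx ptr ip4:192.168.1.1 ~all",
    "by_hand": "v=spf1 ptr a:mail.foo.bar ip4:192.168.1.1",
    "wizard": "v=spf1 ptr ip4:192.168.1.1 a:mail.foo.bar ~all",
}

if __name__ == "__main__":
    for name, rec in RECORDS.items():     # 203.0.113.9: constructed unlisted sender
        print(name, check_host(rec, "203.0.113.9", "foo.bar"))
```

For the unlisted sender, the two “~all” records return softfail and the record without “all” returns neutral. Neither result asks the receiver to reject the message; only a match on “-all” returns fail.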

Editing the DNS (Part 2)

Now, go back to your DNS records, create a new TXT record and paste the SPF text into the value. Save and reload your zone data or file (you may need to restart your DNS service with some DNS server software). That’s it.

Testing Your SPF Set Up

You can go back to the SPF setup wizard (the Microsoft one) and go through the first two steps again — enter your domain name but this time on the second page, it should tell you that you have a valid SPF record. The second test is to go to a site like DNS Stuff.com: http://www.dnsstuff.com/mstc and use their Mail Server Test Center. You should get a check / pass mark against the SPF test.