Hulp nodig? Wij helpen graag

SPF records - What is it and how to use them?

You’ve probably come across the term SPF after doing some testing with your email address. But do you know what SPF means and why it’s a really important protocol?

In this article we’ll explain what a SPF-record does, how it’s built and how to use them.

Important: If your DNS runs via Neostrada a SPF record is already created for you by default, this is the TXT record in the DNS which starts with v=spf1 include:spf.totaalholding.nl.

 

Hoe do SPF-records work?

SPF stands for Sender Policy Framework. It’s a protocol to reduce the amounts of spam being sent on the web. With a SPF-record you determine which IPs/mail servers are allowed to send email with your domain as sender. The receiving mail server will then do a SPF check. It will check whether the IP that is mailing the mail server is included in the SPF-record of the domain of the sender email address. The result of this check will determine if the e-mail is delivered or is denied by the mailserver.

 

How is a SPF record built?

A SPF-record is a TXT-record, where you add v=spf1 to make it a SPF-record. The part v=spf1 is also essential for SPF, cause else SPF checks won’t see the record. There are also two parts that determine what a SPF-record needs to do:

  • Mechanisms

  • Qualifiers

We’ll cover both parts.

Mechanisms

In the mechanism part we tell the SPF-record which mail servers and IPs are to be trusted by mail servers. You have the following options available:

all

This goes for all mail servers in the SPF-record

a

When mail is sent from an IP that is set as A-record, the email will be allowed.

ip4

You can add an IPv4 IP, which will be allowed to send email ( ip4:185.56.145.141)

ip6

You can add an IPv6 IP, which will be allowed to send email ( ip6:2a02:40c0:1000:1000::1:16:1)

mx

When mail is sent by the mail server/IP that’s set up as MX record, the email will be allowed.

exists

When the domain points to an IP address, the email will be allowed.

include

You can include another DNS-record with this and those IPs will also be allowed to send email with (include:spf.totaalholding.nl)

Qualifiers

Qualifiers tell what happens with the mail that’s being sent. The following options are available:

  • + gives a PASS result. The email will always be sent.

  • ? gives a NEUTRAL result. The email will always be sent (no policy).

  • ~ gives a SOFTFAIL result. The email will always be sent but if the IP of the mailserver is not included in the SPF the email will be seen as spam.

  • – gives a HARDFAIL result. The e-mail will not be sent if the IP of the mailserver is not included in the SPF-record.

 

What do the SPF-records of Neostrada look like?

Every domain that had a hosting package gets a SPF-record automatically:

v=spf1 a mx include:spf.totaalholding.nl ip4:185.56.145.141 -all

The IP address in the SPF-record (ip4:185.56.145.141) is the only variable thing. This is always the IP of the server the hosting is on. The SPF also shows that all IPs in the A records and MX are allowed to send email. The other thing that you might have noticed is this part: spf.totaalholding.nl .

This is also a SPF-record (ours) that has al our IP ranges:

v=spf1 ip4:85.17.242.0/24 ip4:195.238.74.0/23 ip4:31.186.168.0/21 ip4:185.56.144.0/22 ip4:85.17.199.0/24 ip4:95.211.71.0/24 ip6:2a02:40c0:2000::/96 ip6:2a02:40c0:2000::1:0:0/96 ip6:2a02:40c0:2000::2:0:0/96 -all

By including this SPF-record everywhere, we can easily change something in the IP ranges without having to update everyone's SPF-records.

 

How can I edit SPF-records?

You can change the SPF-record the same way as with other DNS records. The only thing you have to pay attention to are the following:

  • Want to add an additional IP? Add it with ipv4: or ipv6:

  • Want to include the SPF-record of another company? Add it with include.

  • Always add content in the SPF-record AFTER the v=spf1 part and BEFORE the -all part.

 

Frequently Asked Questions

I’ve done a mail-tester and it says that the SPF-record is wrong. Can you guys fix it?

Yes we can! However we would request to first try it yourself. Most of the times it’s only an additional IP that needs to be added.

How do I add the SPF-record for Office 365?

If you want to add the record manually, just add this part to the SPF-record:

include:spf.protection.outlook.com


I use Office 365 for my email but when I send an email through my website, I get a message that the SPF has issues?

You probably don’t have our IPs in your SP-record then. Add the following part to make sure our mail servers are also allowed to mail:

include:spf.totaalholding.nl ip4:xxx.xxx.xxx.xxx


Can I use a SPF-record to prevent spam mails which have the same sender emailaddress as the receiver?

You can use a SPF-record to prevent spam mails which spoof the sender emailadresss to be the same as the reveiving mailbox. Please note that the default SPF-record uses the questionmark qualifier which gives a neutral result, therefore we recommend to use the minus sign instead. The resulting SPF-record will end like this:

-all


It seems I have two SPF-records. Which one do I delete?

It doesn’t really matter which one you delete. The point is that you have to make sure that the content from both records are combined in one record. Take the next example: 

domein.nl TXT v=spf1 include:spf.protection.outlook.com -all

domein.nl TXT v=spf1 a mx include:spf.totaalholding.nl ip4:185.56.145.141 -all

You combine these into the following record:

v=spf1 a mx include:spf.totaalholding.nl include:spf.protection.outlook.com ip4:185.56.145.141 -all

Just delete the other one :)

 

This knowledgebase article was last updated on: 2 May 2019

Heeft dit artikel je geholpen?

Status

Ga naar onze statuspagina voor een overzicht van recente storingen en onderhoud.

Openingstijden

Maandag — vrijdag 9:00 — 17:00