SPF setting
- A domain must have only one SPF record. If you need to take into account several mail services at once, they need to be combined into one SPF record.
- You cannot specify a large number of domains in an SPF record: the maximum number of DNS requests for domains is 14, and above that limit mail will be rejected by mail servers.
SPF (Sender Policy Framework) is an extension to SMTP, the protocol for sending email. With SPF, a receiving server can check whether the sender's domain has been forged.
SPF allows the domain owner to specify, in a TXT record for the domain name, a list of servers that are allowed to send email with return addresses in that domain. Mail transfer agents receiving messages can request the SPF information with a simple DNS request and so verify the sender's server.
Without an SPF record, many mail services may file all mail sent from the domain's mailboxes as spam, regardless of its content.
Domain on our NS
If the domain mailboxes are hosted on our hosting and the domain is served on our NS, then to set up SPF, set our MX record... In addition, the required SPF record will be added to the domain settings automatically.
Warning! An SPF record is added automatically only once, when the domain is directed to our NS. If the record does not exist, you should add it manually.
What our SPF record looks like in domain settings:
Domain on third-party NS
If the domain mailboxes are hosted on our hosting, but the domain is served on the NS of another provider, add the following TXT record in the control panel of that NS provider:
v=spf1 include:_spf.ukraine.com.ua ~all
An SPF record consists of a number of keys that are combined to form the required rules. After a key, put a colon (:) and specify the desired node.
Frequently used and important keys:
- v=spf1 — SPF version.
- Parameters that determine the behavior for the specified keys:
  - "+" — accept the message (Pass). Used by default if no other parameter is given.
  - "-" — reject (Fail). The message will not be accepted.
  - "~" — "soft" rejection (SoftFail). The message will be accepted but marked as spam.
  - "?" — neutral attitude toward the sender.
- Keys for defining nodes:
  - mx — includes all server addresses specified in the MX records of the domain. Warning! Do not use this key if the domain uses our MX, as they are not involved in sending mail and specifying such a key may lead to errors.
  - ip4 — specifies a particular IP address.
  - ptr — checks the PTR record for the presence of the specified domain.
  - exists — checks whether the domain is working. Keep in mind that this check also gives a positive answer when addresses of the form 127.0.0.1, etc. are present, which makes its use rather questionable.
  - a — applies the rule to a specific domain by comparing the sender's IP address with the IP address specified in the domain's A records.
  - include — uses the allowed nodes specified in the SPF record of another domain.
  - redirect — indicates that the SPF policy used for this domain is specified in another domain. Somewhat analogous to include, but ignoring the records of the current domain.
  - all — all addresses not specified in the record.
The rule for sending mail from our hosting most often looks like this:
v=spf1 include:_spf.ukraine.com.ua ~all
This rule specifies that messages sent from the hosts listed in the _spf.ukraine.com.ua record are allowed and will be delivered, while those sent from other servers will be delivered but marked as spam.
To specify multiple servers, just list them. Examples:
- Mail is sent from our mail service and from your own server mail.example.com:
v=spf1 include:_spf.ukraine.com.ua a:mail.example.com ~all
In this case, messages sent from our hosting servers, as well as from the server whose IP address is specified in the A record of the mail.example.com domain, will be delivered successfully.
- Mail is sent from our mail service and from Google:
v=spf1 include:_spf.ukraine.com.ua include:_spf.google.com ~all
- Sending must be allowed from one domain but denied from another:
v=spf1 +a:mail.example.com -a:mail.example.org ~all
In this case, sending from the servers pointed to by the A record of the mail.example.org domain will be denied and messages will be rejected.
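
The left-to-right evaluation behind the records above, as an added example that is not the hosting provider's code: the first key that matches the sending IP decides the result, and a key written without a parameter counts as "+". The DNS tables, including the contents given for _spf.ukraine.com.ua, are constructed for illustration, and only the all, ip4, a and include keys are handled.

```python
import ipaddress

# Constructed stand-ins for DNS answers (documentation address ranges).
# The contents of _spf.ukraine.com.ua are invented for this example.
A_RECORDS = {"mail.example.com": ["192.0.2.10"],
             "mail.example.org": ["198.51.100.20"]}
TXT_RECORDS = {"_spf.ukraine.com.ua": "v=spf1 ip4:203.0.113.0/24 -all"}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a record into (qualifier, key, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # default when no qualifier is written
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        key, _, value = term.partition(":")
        parsed.append((qualifier, key.lower(), value))
    return parsed


def check(record, sender_ip, domain):
    """Return the result of the first term that matches sender_ip."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, key, value in parse_spf(record):
        if key == "all":
            matched = True
        elif key == "ip4":
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif key == "a":
            matched = sender_ip in A_RECORDS.get(value or domain, [])
        elif key == "include":
            # include matches only if the included record yields "pass"
            matched = check(TXT_RECORDS[value], sender_ip, value) == "pass"
        else:
            raise ValueError(f"key not handled in this example: {key}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched


EXAMPLE_A = "v=spf1 include:_spf.ukraine.com.ua a:mail.example.com ~all"
EXAMPLE_B = "v=spf1 +a:mail.example.com -a:mail.example.org ~all"
```

With these tables, check(EXAMPLE_B, "198.51.100.20", "example.com") stops at the -a:mail.example.org term and never reaches ~all, which is why that sender is rejected rather than marked as spam.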