2.24.5.1. SPF setting

We also recommend configuring DKIM.

Important points:

  • If our server is specified in the domain's MX records, the +mx key must not be used in the SPF record, as this will lead to problems with mail delivery. To send mail correctly from our servers, it is enough to specify include:_spf.ukraine.com.ua.
  • A domain must have only one SPF record. If you need to take into account several mail services at once, they need to be combined into one SPF record.
  • You cannot specify a large number of domains in SPF records, since the maximum allowable number of DNS queries is 14, above which mail will be rejected by mail servers.

SPF (Sender Policy Framework) is an extension of SMTP, the protocol for sending email. With SPF, you can check whether the sender's domain has been forged.

SPF allows a domain owner to specify in the TXT record corresponding to a domain name a list of servers authorized to send e-mail with return addresses in that domain. Mail Transfer Agents that receive mail messages can query SPF information with a simple DNS query, thus verifying the sender's server.

Without an SPF record, many mail services may send all mail from the domain's mailboxes to spam, regardless of its content.

If the domain's mailboxes are hosted on our hosting and the domain is served by our NS, then to set up SPF, set our MX record. The required SPF record will also be added automatically in the domain settings.

Attention!

An SPF record is added automatically only once, when the domain is pointed to our NS. If the record does not exist, add it manually.

What our SPF record looks like in domain settings:

If the domain's mailboxes are hosted on our hosting but the domain is served by another provider's NS, add the following TXT record in the control panel of that NS provider:

v=spf1 include:_spf.ukraine.com.ua ~all

An SPF record consists of a number of keys that are combined to form the required rules. After a key, put a colon (:) and then the desired host.

Frequently used and important keys:

  • v=spf1 — SPF version.
  • Parameters that determine the behavior for the specified keys:
    • + — accept the message (Pass). Used by default if no other parameter is given.
    • - — reject (Fail). The message will not be accepted.
    • ~ — "soft" rejection (SoftFail). The message will be accepted but marked as spam.
    • ? — neutral treatment of the sender.
  • Keys for defining nodes:
    • mx — includes all server addresses specified in the MX records of the domain. Attention! Do not use this key if the domain uses our MX, as those servers are not involved in sending mail and specifying this key may lead to errors.
    • ip4 — specifies a particular IP address.
    • ptr — checks the PTR record for the presence of the specified domain.
    • exists — checks that the domain resolves. Keep in mind that this check also gives a positive answer if the domain resolves to addresses of the form 127.0.0.1 etc., which makes its use rather questionable.
    • a — applies the rule to a specific domain by comparing the sender's IP address with the IP address specified in the domain's A records. Attention! Do not use this key if the site is hosted on our hosting, as this may lead to errors.
    • include — use of allowed nodes specified in SPF records of another domain.
    • redirect — indicates that the SPF policy used for this domain is specified in another domain. Somewhat analogous to include, but ignoring the records of the current domain.
    • all — all addresses not specified in the record.

The rule for sending letters from our hosting most often looks like this:

v=spf1 include:_spf.ukraine.com.ua ~all

This rule specifies that messages sent from the hosts listed in the _spf.ukraine.com.ua record are allowed and will be delivered, while those sent from other servers will be delivered but marked as spam.

To specify multiple servers, just list them. Examples:

  • Mail is sent from our mail service and from your own server mail.example.com:
    v=spf1 include:_spf.ukraine.com.ua a:mail.example.com ~all

    In this case, messages sent from our hosting servers, as well as from the server whose IP address is specified in the A record of the mail.example.com domain, will be delivered successfully.

  • Mail is sent from our mail service and from Google:
    v=spf1 include:_spf.ukraine.com.ua include:_spf.google.com ~all
  • Sending must be allowed from one domain but denied from another:
    v=spf1 +a:mail.example.com -a:mail.example.org ~all

    In this case, sending from the servers pointed to by the A record of the mail.example.org domain will be denied and messages will be rejected.

You can use online SPF generators to avoid manually compiling the entry.

The presence and correctness of the finished record can be checked using online SPF verification tools.
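A local check for the rules listed under "Important points", as an added example that is not part of the original documentation: it flags a domain with more than one SPF record, flags the mx key, and merges several records into one. The function names, the uses_provider_mx parameter and the sample TXT records are assumptions constructed for illustration.

```python
import re

PROVIDER_INCLUDE = "include:_spf.ukraine.com.ua"  # value taken from the page

def is_spf(txt):
    return txt.lower().split()[:1] == ["v=spf1"]

def terms(record):
    """Yield (qualifier, key, term without qualifier) for each term after v=spf1."""
    for raw in record.split()[1:]:
        qualifier = raw[0] if raw[0] in "+-~?" else "+"  # "+" is the default
        body = raw.lstrip("+-~?")
        yield qualifier, re.split(r"[:=/]", body, maxsplit=1)[0].lower(), body

def audit(txt_records, uses_provider_mx=True):
    """Check a domain's TXT records against the important points on this page."""
    spf = [r for r in txt_records if is_spf(r)]
    if len(spf) != 1:
        return ["no SPF record" if not spf else "more than one SPF record"]
    parsed = list(terms(spf[0]))
    findings = []
    if uses_provider_mx and "mx" in [key for _, key, _ in parsed]:
        findings.append("mx key used with provider MX")
    if PROVIDER_INCLUDE not in [body.lower() for _, _, body in parsed]:
        findings.append("provider include missing")
    return findings

def merge(records, final="~all"):
    """Combine several SPF records into one: no duplicates, a single all term."""
    merged = []
    for record in records:
        for qualifier, key, body in terms(record):
            term = body if qualifier == "+" else qualifier + body
            if key != "all" and term not in merged:
                merged.append(term)
    return " ".join(["v=spf1", *merged, final])

# Constructed sample: TXT records of a hypothetical domain using two mail services
SAMPLE_TXT = ["v=spf1 include:_spf.ukraine.com.ua ~all",
              "v=spf1 mx include:_spf.google.com ~all",
              "google-site-verification=constructed-value"]

if __name__ == "__main__":
    fixed = merge(filter(is_spf, SAMPLE_TXT))
    print(audit(SAMPLE_TXT), fixed, audit([fixed]), sep="\n")
```

Merging alone does not remove the mx key, so the merged record is audited again and the key is removed by hand before publishing.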
