Email SPF examples
You can set up an SPF record to prevent spammers from using your domain to send unauthorized emails, also called spoofing. Some mail recipients require SPF. If you don’t add an SPF record for your domain, your messages can be marked as spam or even bounce back.
$ dig txt goyun.info +short
"v=spf1 a mx ip4:8.8.8.8 ip4:8.8.8.88 -all"
The "a" and "mx" mechanisms specify the systems permitted to send messages for the given domain.
To add the IP address of goyun.info to the SPF record, so that goyun.info can send email for goyun.info, first look up the address:
$ dig goyun.info
This returns the IP address of goyun.info:
9.9.9.9
Then change the SPF record to:
"v=spf1 a mx ip4:8.8.8.8 ip4:8.8.8.88 ip4:9.9.9.9 -all"
Components | Description |
---|---|
v=spf1 | SPF version 1 |
mx | the incoming mail servers (MXes) of the domain are authorized to also send mail for goyun.info |
-all | all other machines are not authorized |

The "ip4" mechanism
ip4:<ip4-address>
ip4:<ip4-network>/<prefix-length>
The argument to the "ip4:" mechanism is an IPv4 network range. If no prefix-length is given, /32 is assumed (singling out an individual host address).
Examples:
"v=spf1 ip4:192.168.0.1/16 -all"
Allow any IP address between 192.168.0.1 and 192.168.255.255.
You can use dig -x ip_address to do a reverse lookup of an IP address.
SPF testing tools
http://spf.myisp.ch/
http://www.kitterman.com/spf/validate.html
www.openspf.org/Tools
http://tools.bevhost.com/spf/
If you are using Amazon Simple Email Service:
If you are already publishing SPF or Sender ID records to your Domain Name Service (DNS), recipients might not receive your email. To ensure delivery, add the following to any such records:
include:amazonses.com include:sendgrid.net include:spf.goyun.info
If you use the Gmail API to send your email, add:
include:_spf.google.com ~all
Publishing an SPF record that uses -all instead of ~all may result in delivery problems.
Sender ID Introduction and Resources
You can add an spf2.0 record at the same time; it doesn't hurt:
"spf2.0/pra ip4:88.88.88.88 -all"
"v=spf1 mx include:goyun.info -all"
Test emails sent to the Port25 email verifier
Port25 offers a really nifty public service -- you can send email to check-auth@verifier.port25.com and it will reply to the from: address with an extensive diagnostic. Here's an example summary result from a test email:
SPF check: pass
DomainKeys check: fail
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
Multiple SPF records are not recommended and will cause authorization problems.
If you have both an SPF-type record and a TXT-type record, most email servers will only pick up the TXT record.
Gmail checks SPF on the message "From" while Port25 checks on the envelope "From", so you might get different results from them. You could add SPF to both the message "From" domain and the envelope "From" domain.
Components | Description |
---|---|
TXT | The DNS zone record type; SPF records are written as TXT records |
@ | In a DNS file, the "@" symbol is a placeholder used to represent "the current domain" |
v=spf1 | Identifies the TXT record as an SPF record, utilizing SPF Version 1 |
a | Authorizes the host(s) identified in the domain's A record(s) to send e-mail |
include: | Authorizes mail to be sent on behalf of the domain from google.com |
~all | Denotes that this list is all inclusive, and no other servers are allowed to send e-mail |
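
An added example, not from the original post: a small Python checker for the points above (a missing prefix length means /32, terms are matched left to right, "-all" versus "~all", and more than one v=spf1 record is an error). The function names and the host_ips stand-in for DNS are assumptions of this example; "include:" and other terms that need further DNS lookups are outside its scope.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def select_spf(txt_records):
    """Return (status, record) for a domain's TXT strings."""
    spf = [t for t in txt_records if t.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "none", None
    if len(spf) > 1:  # RFC 7208: more than one v=spf1 record is a permerror
        return "permerror", None
    return "ok", spf[0]

def evaluate(record, sender_ip, host_ips):
    """Check sender_ip against ip4, a, mx and all terms, left to right.

    host_ips stands in for DNS (assumption of this example): it maps "a" and
    "mx" to the addresses those lookups would return for the domain.
    """
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT[qualifier]
        if name == "ip4":
            # No prefix length means /32. strict=False accepts host bits in
            # the network argument, as in the page's ip4:192.168.0.1/16.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx") and not arg:
            matched = any(ip == ipaddress.ip_address(h) for h in host_ips.get(name, []))
        else:
            raise NotImplementedError(f"needs a DNS lookup: {term}")
        if matched:
            return RESULT[qualifier]  # first matching term decides
    return "neutral"  # nothing matched and the record has no "all"

if __name__ == "__main__":
    # Records from the page; the addresses in dns are constructed sample data.
    txt = ["spf2.0/pra ip4:88.88.88.88 -all",
           "v=spf1 a mx ip4:8.8.8.8 ip4:8.8.8.88 ip4:9.9.9.9 -all"]
    dns = {"a": ["9.9.9.9"], "mx": ["192.0.2.25"]}
    status, record = select_spf(txt)
    for sender in ("9.9.9.9", "192.0.2.25", "203.0.113.5"):
        print(sender, status, evaluate(record, sender, dns))
```
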