Tiny SPF logo, depicts checking of envelope from
The SPF Setup Wizard
FAQDownloadsSitemapContact Us
How it WorksNews What it Does ServicesForums
bar with right arrows

Most domains send outbound mail through a relatively small number of servers. Domains should describe that set of servers in an SPF record in their DNS. Internet email receivers can then reject forged messages which don't come from an envelope sender domain's approved servers. This wizard helps domain owners identify all the servers which could be expected to send mail from their domain.

Let's set up SPF records for
askapache.com's IP address is 208.86.158.195 (www.askapache.com).
Does that server send mail from askapache.com? 		[a]
yes no
This wizard found 14 names for the MX servers for askapache.com: gy-in-f27.1e100.net, aspmx5.googlemail.com, alt1.aspmx.l.google.com, bw-in-f27.1e100.net, gx-in-f27.1e100.net, aspmx2.googlemail.com, iw-in-f27.1e100.net, aspmx.l.google.com, pv-in-f27.1e100.net, aspmx3.googlemail.com, aspmx4.googlemail.com, ww-in-f27.1e100.net, alt2.aspmx.l.google.com, and qw-in-f27.1e100.net. (A single machine may go by more than one hostname. All of them are shown.)
MX servers receive mail for askapache.com.
Do they also send mail from askapache.com? 		[mx]
yes no
Do you want to just approve any host
whose name ends in askapache.com? (Expensive, unreliable and not recommended) 		[ptr]
yes no

Do any other servers send mail from askapache.com?

You can describe them by giving "arguments" to the a:, mx:, ip4:, and ptr: mechanisms. mx: takes domain names and approves all the MX servers of these domains. To keep the wizard short we left out ptr:, but it works analogously.

 [a:]
[mx:]

IP networks can be entered using CIDR notation, eg. 192.0.2.0/24 		[ip4:]
Could mail from askapache.com originate through
servers belonging to some other domain?
If you send mail through your ISP's servers, and the ISP has published an SPF record, name the ISP here. 		[include:]
Do the above lines describe all the hosts
that send mail from askapache.com? 		[~all]
yes no
askapache.com. IN TXT

The SPF record:

v=spf1 redirect=spf.sqpt.net

can be explained as:

[v=spf1] v=spf1This identifies the TXT record as an SPF string.
[redirect=] redirect=spf.sqpt.net Load the SPF record for spf.sqpt.net and execute it instead.

You need to transfer these records to your DNS server by yourself. No changes can be made by the wizard, it can only provide you with the data that needs to be entered into your DNS server.

If you run BIND

Paste this into your zone file: 
askapache.com. IN TXT "v=spf1 redirect=spf.sqpt.net"

If you run tinydns (djbdns)

'askapache.com:v=spf1 redirect=spf.sqpt.net:3600

If you run Windows DNS

Please see these instructions.

More options

If your site requires more complex configuration than this, you should read more about mechanisms. You should also review the tradeoffs involved in choosing an "all" default: see page 15 of the white paper.

You can test some pretend scenarios at one of the DNS tools. MTAs that reject mail because SPF tests failed will link to the why page.
horizontal line
Home Services Media Contributors Sitemap Contact Us
Copyright © 2004-2006, licensed under the GFDL.