Most domains send outbound mail through a relatively
small number of servers. Domains should describe that set
of servers in an SPF record in their DNS. Internet email
receivers can then reject forged messages which don't come
from an envelope sender domain's approved servers. This
wizard helps domain owners identify all the servers which
could be expected to send mail from their domain.
The SPF record:
v=spf1 a mx ip4:200.110.130.206 ?all
can be explained as:
v=spf1 | This identifies the TXT record as an SPF string.
a | holamundo.com.ar's IP address is 200.110.130.206 (server.holamundo.com.ar). That server is allowed to send mail from holamundo.com.ar.
mx | This wizard found 2 names for the MX servers for holamundo.com.ar: server and mail. (A single machine may go by more than one hostname. All of them are shown.) The servers behind those names are allowed to send mail from holamundo.com.ar.
ip4:200.110.130.206 | 200.110.130.206 is allowed to send mail from holamundo.com.ar.
?all | SPF queries that do not match any other mechanism will return "neutral". Messages that are not sent from an approved server should still be accepted as if the SPF record did not exist.
You need to transfer these records to your DNS server yourself. The
wizard cannot make any changes; it can only provide you with the
data that needs to be entered into your DNS server.
If you run BIND
Paste this into your zone file:
holamundo.com.ar. IN TXT "v=spf1 a mx ip4:200.110.130.206 ?all"
When a mail server sends a bounce message, it uses a null
MAIL FROM: <>, and a HELO address that's supposed to
be its own name. SPF will still operate, but in "degraded
mode" by using the HELO domain name instead. Because this
wizard can't tell which name your mail server uses in its
HELO command, it lists all possible names, so there may be
multiple lines shown below. If you know which hostname your
mail server uses in its HELO command, you should pick out
the appropriate entries and ignore the rest.
So the following records should also appear in DNS. You may or may not be in
charge of the DNS for these entries; if you are, add them.
mail.holamundo.com.ar. IN TXT "v=spf1 a -all"
server.holamundo.com.ar. IN TXT "v=spf1 a -all"
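The evaluation a receiver performs against these records, as an added example that is not part of the wizard's output: a small Python evaluator covering only the a, mx, ip4 and all mechanisms, run against a constructed DNS table. The address given for mail.holamundo.com.ar and the sender 192.0.2.10 are assumptions, and check_host and check_message are names chosen here.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. The TXT records are
# the ones shown above; the address of mail.holamundo.com.ar is an assumption.
ADDR = "200.110.130.206"
DNS = {
    "TXT": {"holamundo.com.ar": "v=spf1 a mx ip4:200.110.130.206 ?all",
            "mail.holamundo.com.ar": "v=spf1 a -all",
            "server.holamundo.com.ar": "v=spf1 a -all"},
    "A": {"holamundo.com.ar": [ADDR], "server.holamundo.com.ar": [ADDR],
          "mail.holamundo.com.ar": [ADDR]},
    "MX": {"holamundo.com.ar": ["server.holamundo.com.ar", "mail.holamundo.com.ar"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, dns=DNS):
    """Evaluate the a, mx, ip4 and all mechanisms of domain's SPF record for ip."""
    record = dns["TXT"].get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"                      # no SPF record published
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in dns["A"].get(arg or domain, [])
        elif mech == "mx":
            hosts = dns["MX"].get(arg or domain, [])
            matched = any(ip in dns["A"].get(h, []) for h in hosts)
        else:
            return "permerror"             # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]   # first matching mechanism decides
    return "neutral"                       # record had no "all" term

def check_message(ip, mail_from, helo):
    """Use the MAIL FROM domain, or the HELO name when MAIL FROM is null (<>)."""
    domain = mail_from.rsplit("@", 1)[-1] if mail_from else helo
    return check_host(ip, domain)

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for an unlisted sender.
    print(check_message("192.0.2.10", "user@holamundo.com.ar", "unused.example"))  # neutral
    print(check_message("192.0.2.10", "", "mail.holamundo.com.ar"))               # fail
```

The same unlisted address is "neutral" under the domain record's ?all but "fail" when a bounce is checked against the HELO record's -all.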
If you run tinydns (djbdns)
'holamundo.com.ar:v=spf1 a mx ip4\072200.110.130.206 ?all:3600
'mail.holamundo.com.ar:v=spf1 a -all:3600
'server.holamundo.com.ar:v=spf1 a -all:3600
If you run Windows DNS
Please see these instructions.
More options
If your site requires more complex configuration than
this, you should read more about
mechanisms. You should also review the tradeoffs
involved in choosing an "all" default: see page 15 of the white
paper.
You can test some pretend scenarios at one of the DNS tools. MTAs that reject mail
because SPF tests failed will link to the why page.