Tiny SPF logo, depicts checking of envelope from
The SPF Setup Wizard
FAQDownloadsSitemapContact Us
How it WorksNews What it Does ServicesForums
bar with right arrows

Most domains send outbound mail through a relatively small number of servers. Domains should describe that set of servers in an SPF record in their DNS. Internet email receivers can then reject forged messages which don't come from an envelope sender domain's approved servers. This wizard helps domain owners identify all the servers which could be expected to send mail from their domain.

Let's set up SPF records for
petrolprices.com's IP address is 87.124.84.111.
Does that server send mail from petrolprices.com? 		[a]
yes no
This wizard found 14 names for the MX servers for petrolprices.com: gy-in-f27.1e100.net, aspmx5.googlemail.com, alt1.aspmx.l.google.com, bw-in-f27.1e100.net, gx-in-f27.1e100.net, qy-in-f27.1e100.net, aspmx2.googlemail.com, iw-in-f27.1e100.net, aspmx.l.google.com, pv-in-f27.1e100.net, aspmx3.googlemail.com, aspmx4.googlemail.com, ww-in-f27.1e100.net, and alt2.aspmx.l.google.com. (A single machine may go by more than one hostname. All of them are shown.)
MX servers receive mail for petrolprices.com.
Do they also send mail from petrolprices.com? 		[mx]
yes no
Do you want to just approve any host
whose name ends in petrolprices.com? (Expensive, unreliable and not recommended) 		[ptr]
yes no

Do any other servers send mail from petrolprices.com?

You can describe them by giving "arguments" to the a:, mx:, ip4:, and ptr: mechanisms. mx: takes domain names and approves all the MX servers of these domains. To keep the wizard short we left out ptr:, but it works analogously.

 [a:]
[mx:]

IP networks can be entered using CIDR notation, eg. 192.0.2.0/24 		[ip4:]
Could mail from petrolprices.com originate through
servers belonging to some other domain?
If you send mail through your ISP's servers, and the ISP has published an SPF record, name the ISP here. 		[include:]
Do the above lines describe all the hosts
that send mail from petrolprices.com? 		[~all]
yes no
petrolprices.com. IN TXT

The SPF record:

v=spf1 ip4:87.124.0.0/15 include:aspmx.googlemail.com a:mail.notify-customer.com -all

can be explained as:

[v=spf1] v=spf1This identifies the TXT record as an SPF string.
[ip4:] ip4:87.124.0.0/15 Every host in the range 87.124.0.0-87.125.255.255 is allowed to send mail from petrolprices.com.
[include:] include:aspmx.googlemail.com Any server allowed to send mail from aspmx.googlemail.com is also allowed to send mail from petrolprices.com.
[a:] a:mail.notify-customer.com mail.notify-customer.com is also allowed to send mail from petrolprices.com.
[all] -all No other servers are allowed to send mail from petrolprices.com.
This is a good default for sites particularly concerned about forgery.

You need to transfer these records to your DNS server by yourself. No changes can be made by the wizard, it can only provide you with the data that needs to be entered into your DNS server.

If you run BIND

Paste this into your zone file: 
petrolprices.com. IN TXT "v=spf1 ip4:87.124.0.0/15 include:aspmx.googlemail.com a:mail.notify-customer.com -all"

If you run tinydns (djbdns)

'petrolprices.com:v=spf1 ip4\07287.124.0.0/15 include\072aspmx.googlemail.com a\072mail.notify-customer.com -all:3600

If you run Windows DNS

Please see these instructions.

More options

If your site requires more complex configuration than this, you should read more about mechanisms. You should also review the tradeoffs involved in choosing an "all" default: see page 15 of the white paper.

You can test some pretend scenarios at one of the DNS tools. MTAs that reject mail because SPF tests failed will link to the why page.
horizontal line
Home Services Media Contributors Sitemap Contact Us
Copyright © 2004-2006, licensed under the GFDL.