When working with SPF records to prevent spoofing, most customers use the default records created via cPanel. You may, however, want to create a custom SPF record for your domain. These can be set through the Web Host Manager (WHM) on your VPS or Dedicated server account. If you are on a shared account, you can either customize existing or create new SPF records using the Advanced DNS Zone editor. No matter how you decide to create it, you will need to understand the various settings to create a proper record. This article goes over the settings that can be in an SPF record so you can create one to fit your needs.

When creating a custom SPF record you want to be sure that you allow all the servers you need to send email and properly deal with any 'falsely sending' servers. This is done by using settings known as 'mechanisms'. Each mechanism uses a prefix in order to tell the receiving server how to deal with any sending server that qualifies for that mechanism.

Qualifiers

There are four qualifiers that can be used to determine how a mechanism handles an email. These qualifiers precede a mechanism and declare how any server that matches them is dealt with.

+ Pass: Allowed
- Fail: Rejection
~ SoftFail: Allowed, but marked
? Neutral: Allowed

For example, a record that has '+a' will allow all IP addresses that match the a mechanism to pass through, while '-a' will fail all IP addresses that match the mechanism. As you can see, three out of the four will still allow an email through so it is important to use the right qualifier in front of your chosen mechanisms. What are the mechanisms? We are glad you asked! They are described below.

Mechanisms

There are several mechanisms you may want to include in your SPF record. Only include the mechanisms that are necessary and end the SPF record with the 'all' mechanism as it will catch all other servers that do not fall into the others.

The 'a' Mechanism

Syntax
a
a:<domain>
a/<prefix-length>
a:<domain>/<prefix-length>

This mechanism allows all IP addresses associated with the domain's A records to send email. The IP must be an exact match unless a range is used.

Examples:
"v=spf1 a -all"
The current-domain is used. All IPs under the A records match.

"v=spf1 a:example.com -all"
This is equivalent to the above example if the current-domain is example.com.

"v=spf1 a:mail.example.com -all"
Useful if the domain has chosen to list all the outbound mailers in a special A record
under the name mail.example.com.

The 'all' Mechanism

Syntax
all

The 'all' mechanism is the catch-all setting that should be placed at the end of the SPF record. All servers will match this setting.

Examples:
"v=spf1 mx -all"
Allows a domain's MX records to send mail for the domain. All others will fail.

"v=spf1 -all"
This is used for domains that send no mail whatsoever.

"v=spf1 +all"
Allows all domains to pass. NOT RECOMMENDED!

The 'exists' Mechanism

Syntax
exists:<domain>

This mechanism performs an A record lookup for the named domain. If the domain resolves to any A record, the mechanism matches.

Examples:
"v=spf1 exists:example.com -all"
If example.com resolves this mechanism will pass. It will fail if the domain does not
resolve.

The 'include' Mechanism

Syntax
include:<domain>

Domains listed in this mechanism will be searched for a match. If the lookup provides neither a match nor an error, it will continue to evaluate the next directive.

Examples:
"v=spf1 include:example.com include:example2.com -all"
A records from either example.com or example2.com will match. Care must be used when
adding additional domains. If they have no SPF records themselves, this opens you up to
passing spoofed emails from those insecure domains.

The 'ip4' Mechanism

Syntax
ip4:<ip4-address>
ip4:<ip4-network-address>/<prefix-length>

Any IP address listed for this mechanism will match. You can use individual IPs or IP ranges as well.

Examples:
"v=spf1 ip4:123.123.123.123 -all"
Only IP address 123.123.123.123 will match.

"v=spf1 ip4:123.123.0.1/16 -all"
Allow any IP address between 123.123.0.1 and 123.123.255.255.

The 'ip6' Mechanism

Syntax
ip6:<ip6-address>
ip6:<ip6-network-address>/<prefix-length>

Just like the ip4 mechanism, any IP listed in this mechanism will match. It can also use either individual IPs or ranges.

Examples:
"v=spf1 ip6:1080::8:800:68.0.3.1/96 -all"
Allow any IPv6 address between 1080::8:800:0000:0000 and 1080::8:800:FFFF:FFFF.

The 'mx' Mechanism

Syntax
mx
mx/<prefix-length>
mx:<domain>
mx:<domain>/<prefix-length>

A lookup for all IPs used in the MX record settings is performed. If it matches any of the IPs in the MX record list, it will pass.

Examples:
"v=spf1 mx -all"
Allows all IP addresses for the MX records with the domain.

"v=spf1 mx mx:example2.com -all"
In this example a domain sends mail through its own MX servers plus other servers
for a second domain.

The 'ptr' Mechanism

Syntax
ptr
ptr:<domain>

The hostnames of the client IP are checked with PTR lookups. If at least one of those hostnames resolves back to the original client IP, it will pass.

Examples:
"v=spf1 ptr -all"
A domain that controls all its servers allows them all to send mail.
One example may be hotmail.com.

"v=spf1 ptr:example2.com -all"
Any server whose hostname ends in example2.com will pass.

Putting it all together

After evaluating the different mechanisms to decide what you need for your SPF record, you are ready to create it. Be sure to make it as small as possible. It is not necessary to have more mechanisms involved than you need.

The SPF syntax must begin with the SPF version. The currently most accepted and secure version is version 1. Begin your record syntax with the code below.

"v=spf1"

Next you will add any of the mechanisms you decide apply to your particular situation. Including +a, +mx, and +ip4:###.###.###.### will be sufficient for most setups. This is particularly true for those that use their hosting server to send email, as is our default here at Inmotion. Add them after the version. Keep in mind the record is evaluated left to right, so place the higher priority ones on the left.

"v=spf1 +a +mx +ip4:123.123.123.123"

Lastly, it is HIGHLY recommended to end the record with an 'all' mechanism. This handles any servers that have not yet passed any of the previous mechanisms in the list. To help prevent spoofing, it is also recommended to use the '-' qualifier to cause any check against this mechanism to be rejected with a hard fail.

"v=spf1 +a +mx +ip4:123.123.123.123 -all"
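As an added example (not part of the original article and not InMotion's own tooling), the Python below evaluates a record the way the qualifier and mechanism sections describe: it walks the terms left to right, stops at the first mechanism the sending IP matches, and returns that mechanism's qualifier, so you can see why only a trailing '-all' turns an unlisted sender into a hard fail. It goes slightly beyond the text by handling the include mechanism recursively; the DNS data for example.com, mail.example.com and example2.com is a constructed in-memory stand-in, and exists and ptr are not modelled.

```python
import ipaddress

# Constructed stand-in for DNS (hypothetical data, not live lookups): each name
# maps to the A addresses, MX hosts and SPF TXT record this example assumes.
DNS = {
    "example.com": {"A": ["203.0.113.10"], "MX": ["mail.example.com"],
                    "TXT": "v=spf1 a mx ip4:198.51.100.0/24 -all"},
    "mail.example.com": {"A": ["203.0.113.20"]},
    "example2.com": {"TXT": "v=spf1 ip4:192.0.2.0/24 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _rr(name, rrtype):
    return DNS.get(name, {}).get(rrtype, [])

def _hosts_match(ip, hosts, prefix):
    """True if ip lies within any A address of hosts, widened to /prefix if given."""
    for host in hosts:
        for addr in _rr(host, "A"):
            net = ipaddress.ip_network(f"{addr}/{prefix}" if prefix else addr, strict=False)
            if ip in net:
                return True
    return False

def evaluate_spf(record, client_ip, domain):
    """Return the result of the first mechanism the client IP matches, scanning left to right."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"                              # missing or wrong version tag
    for term in terms[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"   # qualifier defaults to '+'
        mech, _, prefix = term.lstrip("+-~?").partition("/")
        name, _, arg = mech.lower().partition(":")
        if name == "all":
            matched = True                              # catch-all: always matches
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(f"{arg}/{prefix}" if prefix else arg, strict=False)
        elif name == "a":
            matched = _hosts_match(ip, [arg or domain], prefix)
        elif name == "mx":
            matched = _hosts_match(ip, _rr(arg or domain, "MX"), prefix)
        elif name == "include":
            # include matches only when the other domain's own record returns 'pass'
            matched = evaluate_spf(_rr(arg, "TXT") or "", client_ip, arg) == "pass"
        else:
            return "permerror"                          # exists/ptr not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"
```

A record with no 'all' at the end returns neutral for unlisted senders, which most receivers treat like a pass; that is the gap the final '-all' closes.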

Once you have your syntax prepared, you can enter it in your DNS entries either with your WHM or the Advanced DNS Zone editor.
