When working with SPF records to prevent spoofing, most customers use the default records created via cPanel. You may, however, want to create a custom SPF record for your domain. These can be set through the WebHost Manager (WHM) on your VPS or Dedicated server account. If you are on a shared account, you can either customize existing SPF records or create new ones using the Advanced DNS Zone editor. No matter how you decide to create it, you will need to understand the various settings to create a proper record. This article goes over the settings that can be in an SPF record so you can create one to fit your needs.
When creating a custom SPF record you want to be sure that you allow all the servers you need to send email and properly deal with any ‘falsely sending’ servers. This is done by using settings known as ‘mechanisms’. Each mechanism uses a prefix, called a qualifier, in order to tell the receiving server how to deal with any sending server that qualifies for that mechanism.
There are four qualifiers that can be used to determine how a mechanism handles an email. These qualifiers precede a mechanism and declare how any server that matches that mechanism is dealt with.
|Qualifier|Result|Meaning|
|+|Pass|Allowed|
|-|Fail|Rejected|
|~|SoftFail|Allowed, but marked|
|?|Neutral|Allowed, no policy asserted|
For example, a record that has +a will allow all IP addresses that match the a mechanism to pass through, while -a will fail all IP addresses that match the mechanism. As you can see, three out of the four qualifiers will still allow an email through, so it is important to use the right qualifier in front of your chosen mechanisms. What are the mechanisms? We are glad you asked! They are described below.
There are several mechanisms you may want to include in your SPF record. Only include the mechanisms that are necessary and end the SPF record with the all mechanism, as it will catch all other servers that do not fall into the others.
The ‘a’ Mechanism
a a:<domain> a/<prefix-length> a:<domain>/<prefix-length>
- This mechanism allows all IP addresses associated with the domain’s ‘a’ records to send email. The IP must be an exact match unless a range (prefix length) is used.
"v=spf1 a -all"– The current-domain is used. All IPs under the A records match.
"v=spf1 a:example.com -all"– This is equivalent to the above example if the current-domain is example.com.
"v=spf1 a:mail.example.com -all"– Useful if the domain has chosen to list all the outbound mailers in a special A record under the name mail.example.com.
The ‘all’ Mechanism
The ‘all’ mechanism is the catch-all setting that should be placed at the end of the SPF record. All servers will match this setting.
"v=spf1 mx -all"– Allows a domain’s MX records to send mail for the domain. All others will fail.
"v=spf1 -all"– This is used for domains that send no mail whatsoever.
"v=spf1 +all"– Allows all domains to pass. NOT RECOMMENDED!
The ‘exists’ Mechanism
This mechanism does a lookup for A records of the domain named. If the lookup returns any A record, the mechanism matches.
"v=spf1 exists:example.com -all"– If example.com resolves, this mechanism will pass. It will fail if the domain does not resolve.
The ‘include’ Mechanism
Domains listed in this mechanism will be searched for a match. If the lookup provides neither a match nor an error, it will continue to evaluate the next directive.
"v=spf1 include:example.com include:example2.com -all"– Senders permitted by the SPF record of either example.com or example2.com will match. Each domain needs its own include: term. Care must be used when adding additional domains. If they have no SPF records themselves, or have overly permissive ones, this opens you up to passing spoofed emails from those insecure domains.
The ‘ip4’ Mechanism
Any IP address listed for this mechanism will match. You can use individual IPs or IP ranges as well.
"v=spf1 ip4:22.214.171.124 -all"– Only IP address 126.96.36.199 will match.
"v=spf1 ip4:188.8.131.52/16 -all"– Allow any IP address between 184.108.40.206 and 220.127.116.11.
The ‘ip6’ Mechanism
Just like the ip4 mechanism, any IP listed in this mechanism will match. It can also use either individual IPs or ranges.
"v=spf1 ip6:1080::8:800:18.104.22.168/96 -all"– Allow any IPv6 address between 1080::8:800:0000:0000 and 1080::8:800:FFFF:FFFF.
The ‘mx’ Mechanism
mx mx/<prefix-length> mx:<domain> mx:<domain>/<prefix-length>
A lookup for all IPs used in the MX record settings is performed. If it matches any of the IPs in the MX record list, it will pass.
"v=spf1 mx -all"– Allows all IP addresses for the MX records with the domain.
"v=spf1 mx mx:example2.com -all"– In this example a domain sends mail through its own MX servers plus other servers for a second domain.
The ‘ptr’ Mechanism
The client IP’s hostnames are checked with PTR lookups. If at least one of the hostnames resolves back to the original client IP, it will pass.
"v=spf1 ptr -all"– A domain that controls all its servers allows them all to send mail. One example may be hotmail.com.
"v=spf1 ptr:example2.com -all"– Any server whose hostname ends in example2.com will pass.
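To show how the qualifiers and mechanisms above combine when a receiving server evaluates a record, here is a small SPF evaluator. It is an added example written for this article, not code from the page or from InMotion, and it runs against a constructed in-memory DNS table (the example.com and *.example names and addresses are made up) instead of real lookups. It models the a, mx, ip4, ip6, include, exists and all mechanisms with all four qualifiers; ptr is not modelled, and modifiers (redirect=, exp=) are skipped. Two behaviours it demonstrates go slightly beyond the text but follow RFC 7208: an include only matches when the included domain returns pass (its own -all does not fail the outer record), and a record that runs out of terms with no all mechanism yields neutral.

```python
import ipaddress

# Constructed DNS data for an offline demonstration; none of these zones are real.
# The TXT entries are SPF records of the shapes discussed in the article.
FAKE_DNS = {
    "A": {
        "example.com": ["192.0.2.10"],
        "mx1.example.com": ["192.0.2.30"],
        "mx.partner.example": ["198.51.100.5"],
        "weak.example": ["192.0.2.50"],
    },
    "AAAA": {"example.com": ["2001:db8::10"]},
    "MX": {
        "example.com": ["mx1.example.com"],
        "partner.example": ["mx.partner.example"],
    },
    "TXT": {
        "example.com": "v=spf1 a mx ip4:203.0.113.0/24 include:partner.example -all",
        "partner.example": "v=spf1 mx -all",
        "weak.example": "v=spf1 a ~all",
        "open.example": "v=spf1 +all",
        "noall.example": "v=spf1 mx",
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # guards against include loops in the constructed data


def lookup(rtype, name):
    """Stand-in for a DNS query against the constructed table."""
    return FAKE_DNS[rtype].get(name, [])


def split_prefix(text):
    """'example.com/24' -> ('example.com', 24); 'example.com' -> ('example.com', None)."""
    if "/" in text:
        name, prefix = text.split("/", 1)
        return name, int(prefix)
    return text, None


def host_matches(ip, name, prefix=None):
    """True if ip equals one of name's A/AAAA addresses, or lies within
    <address>/<prefix> when a prefix length was given (the a/<prefix-length> form)."""
    rtype = "AAAA" if ip.version == 6 else "A"
    for addr in lookup(rtype, name):
        if prefix is None:
            if ipaddress.ip_address(addr) == ip:
                return True
        elif ip in ipaddress.ip_network(f"{addr}/{prefix}", strict=False):
            return True
    return False


def check_spf(ip_str, domain, depth=0):
    """Evaluate domain's SPF record for the sending IP, left to right.
    Returns 'pass', 'fail', 'softfail' or 'neutral'; 'none' when there is no record."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    ip = ipaddress.ip_address(ip_str)
    record = FAKE_DNS["TXT"].get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        if "=" in term:  # modifiers such as redirect= and exp= are not handled here
            continue
        qualifier = "+"  # a bare mechanism defaults to the '+' qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, mech_prefix = split_prefix(mech)  # handles 'a/24' and 'mx/24'
        target, arg_prefix = split_prefix(arg) if arg else (domain, None)
        prefix = arg_prefix if arg_prefix is not None else mech_prefix
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = host_matches(ip, target, prefix)
        elif mech == "mx":
            matched = any(host_matches(ip, mx, prefix) for mx in lookup("MX", target))
        elif mech in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            matched = network.version == ip.version and ip in network
        elif mech == "include":
            # Only a 'pass' from the included domain counts as a match (RFC 7208).
            matched = check_spf(ip_str, target, depth + 1) == "pass"
        elif mech == "exists":
            matched = bool(lookup("A", target))
        else:
            raise ValueError(f"unsupported mechanism: {mech}")  # e.g. ptr, not modelled
        if matched:
            return QUALIFIERS[qualifier]  # first matching term decides the result
    return "neutral"  # no term matched and there was no 'all' catch-all


if __name__ == "__main__":
    for sender, dom in [("192.0.2.30", "example.com"), ("198.51.100.99", "example.com"),
                        ("203.0.113.1", "weak.example"), ("203.0.113.1", "noall.example")]:
        print(f"{sender:>14} from {dom:<15} -> {check_spf(sender, dom)}")
```

Tracing the example.com record shows the left-to-right rule from the article: 192.0.2.30 is not in the domain's A record, so a does not match, but mx does and the result is pass before the ip4 or include terms are ever consulted. The noall.example entry is the case the article warns about: with no all mechanism a spoofed sender is neither passed nor failed.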
Putting It All Together
After evaluating the different mechanisms to decide what you need for your SPF record, you are ready to create it. Be sure to make it as small as possible. It is not necessary to involve more mechanisms than you need.
The SPF syntax must begin with the SPF version. The currently most accepted and secure version is version 1. Begin your record syntax with "v=spf1".
Next you will add any of the mechanisms you decide apply to your particular situation. Including +a, +mx, and +ip4:###.###.###.### will be sufficient for most setups. This is particularly true for those that use their hosting server to send email, as is our default here at InMotion. Add them after the version. Keep in mind the record is evaluated left to right, so place the higher priority ones on the left.
"v=spf1 +a +mx +ip4:22.214.171.124"
Lastly, it is HIGHLY recommended to end the record with an ‘all’ mechanism. This handles any servers that have not yet matched any of the previous mechanisms in the list. To help prevent spoofing, it is also recommended to use the ‘-’ qualifier to cause any check against this mechanism to be rejected with a hard fail.
"v=spf1 +a +mx +ip4:126.96.36.199 -all"
Once you have your syntax prepared, you can enter it in your DNS entries either with your WHM or the Advanced DNS Zone editor.
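Before entering a record into WHM or the Advanced DNS Zone editor, it is worth checking it against the rules laid out above. The linter below is an added example written for this article, not a tool provided by the page or by InMotion. It checks that the record starts with v=spf1, that it ends with an all mechanism (and that nothing follows it, since later terms are never evaluated), that the all qualifier is a hard fail rather than +all, ~all or ?all, that every include: names a single domain, and that only known mechanisms are used. Going beyond the article, it also counts the terms that cost a DNS lookup, because RFC 7208 limits a record to 10 such terms and a receiver returns a permanent error above that.

```python
# Mechanisms defined for SPF (RFC 7208); anything else is a typo or invalid syntax.
KNOWN_MECHANISMS = {"a", "mx", "ip4", "ip6", "include", "exists", "ptr", "all"}
# Terms that cause a DNS query during evaluation; RFC 7208 allows at most 10 per record.
DNS_QUERY_TERMS = {"a", "mx", "include", "exists", "ptr"}
MAX_DNS_QUERIES = 10


def lint_spf(record):
    """Return a list of problems found in an SPF record string.
    An empty list means the record follows the guidance in this article."""
    problems = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must begin with v=spf1")
        return problems
    directives = terms[1:]
    lookups = 0
    for index, term in enumerate(directives):
        qualifier = "+"  # a mechanism without a qualifier is treated as '+'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("redirect="):
            lookups += 1  # redirect= is a modifier but still costs a lookup
            continue
        if "=" in term:
            continue  # other modifiers (exp=) are ignored by this check
        mech = term.partition(":")[0].partition("/")[0].lower()
        if mech not in KNOWN_MECHANISMS:
            problems.append(f"unknown mechanism '{mech}'")
            continue
        if mech in DNS_QUERY_TERMS:
            lookups += 1
        if mech == "include" and "," in term:
            problems.append(f"'{term}' lists several domains; use one include: term per domain")
        if mech == "all":
            if qualifier == "+":
                problems.append("'+all' lets any server pass: NOT RECOMMENDED")
            elif qualifier == "~":
                problems.append("'~all' only soft-fails spoofed mail; prefer '-all'")
            elif qualifier == "?":
                problems.append("'?all' asserts no policy at all; prefer '-all'")
            if index != len(directives) - 1:
                problems.append("terms after 'all' are never evaluated")
            break
    else:
        # The loop never hit an 'all' term, so unmatched senders get 'neutral'.
        problems.append("record does not end with an 'all' mechanism")
    if lookups > MAX_DNS_QUERIES:
        problems.append(f"{lookups} DNS-querying terms exceed the limit of {MAX_DNS_QUERIES} (permerror)")
    return problems


if __name__ == "__main__":
    for candidate in ["v=spf1 +a +mx +ip4:203.0.113.5 -all",  # constructed sample address
                      "v=spf1 a mx",
                      "v=spf1 +all",
                      "v=spf1 include:example.com, example2.com -all"]:
        print(candidate, "->", lint_spf(candidate) or "OK")
```

The first candidate is the article's recommended shape (with a constructed sample address in place of ###.###.###.###) and passes cleanly; the last one is the comma-separated include form, which the linter rejects because the comma splits into one include term with a trailing comma and one bare hostname that is not a mechanism.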