How do I add two spf records? - dns

I'm using Zoho mail with my domain name. I also use an SMTP service with my domain name to send newsletters.
In order for Zoho to work properly I am required to add an SPF record to my domain DNS. The SMTP service also requires me to add an SPF record.
My question is: can I add multiple SPF records to a domain name? If not, is it possible to somehow combine the two?
These are the records I need to use:
v=spf1 include:zoho.com ~all
v=spf1 mx a ip4:91.82.206.0/24 ip4:91.83.103.0/24 ~all
Any help is appreciated.

You can't have two, but you can combine them, like this:
v=spf1 ip4:91.82.206.0/24 ip4:91.83.103.0/24 mx a include:zoho.com ~all
It's best practice to put literal IPs first as they are the fastest for receivers to check.

No, you can't have multiple SPF records on a single domain. Otherwise, SPF will return a PermError.
An SPF record is a TXT record in the DNS starting exactly with "v=spf1", followed by an array of mechanisms and/or modifiers.
An SPF check starts by fetching all TXT records starting exactly with "v=spf1" on a domain:
if no such record is found, it returns None;
if multiple such records are found, it returns PermError.
You would need to add all the mechanisms in 1 SPF record, as mentioned by Synchro.
Learn more here: https://dmarcly.com/blog/can-i-have-multiple-spf-records-on-my-domain

Related

Combining multiple SPF records that have different "all" modifiers

I'm inheriting a site that came with multiple SPF records in multiple TXT records (which all of my searching up until this point has informed me is about as invalid as you can get).
Here are the records I'm working with:
Record 1: v=spf1 include:servers.mcsv.net ?all
Record 2: v=spf1 include:zoho.com ~all
Record 1 appears to be a Mailchimp record. I'm not sure if the client is using Mailchimp or not. Record 2 is obviously from Zoho, but I know for sure the client is using Zoho. Ideally, I'd like to combine these two records into one.
Both records provide a slightly different all value. Record 1 gives me ?all, and Record 2 gives me ~all. If I understand the syntax correctly, ~all should be slightly more restrictive than ?all, and I can have only one all value, which must come last in the record.
If they had the exact same all value, I could just do something like this:
v=spf1 include:servers.mcsv.net include:zoho.com ?all
If I combine the records, I'm not sure which all value I should use or why. If I set one record to start with v=spf2, I'm not sure the service will verify the record. I've been searching and haven't found any resources that touch on combining multiple SPF records that have different all values. What should I do here?
Thanks
An appropriate combination of these two would be:
v=spf1 include:servers.mcsv.net include:zoho.com ~all
?all is essentially useless - it's pretty much equivalent to not having an SPF record at all.
That's not all though - this record looks incomplete. Unless your domain only sends from Mailchimp and Zoho, all other mail will get a softfail response, so if you send "normal" mail from this domain using its own mail server, you probably want to add at least mx, and if you send any mail directly from the domain's web site, you would want an a mechanism too, giving:
v=spf1 mx a include:servers.mcsv.net include:zoho.com ~all
DMARC is an important factor, as @lgc_ustc said. If you're not using DMARC, I would recommend setting -all as your default mechanism to get maximum benefit from SPF, but if you are using DMARC, leave it as ~all. This is because some SPF checkers encountering a -all will reject messages immediately, rather than letting them be passed on to the DMARC layer, where a sender can be told what to do with a rejected message.
If I set one record to start with v=spf2, I'm not sure the service will verify the record.
There can be only one SPF record on any domain. If more than one SPF record is set, SPF will return PermError. See: RFC 7208
Also, all SPF records must start with "v=spf1"; everything else is invalid.
?all means neutral in SPF. SPF neutral can be interpreted in DMARC as either pass or fail, depending on how you set up DMARC on your email server. This is normally controlled by a flag in your DMARC setup, and it varies across DMARC packages. If you use OpenDMARC by Trusted Domain, SPF neutral is interpreted in DMARC as fail by default.
~all means softfail in SPF. SPF softfail is a weak statement that the host is probably not authorized. The domain has not published a stronger, more definitive policy that results in a "fail". This is typically implemented by appending a ~all mechanism to an SPF record. When this mechanism is evaluated, any IP address will cause SPF to return a softfail result.
Like neutral, SPF softfail can be interpreted in DMARC as either pass or fail, depending on how you set up DMARC on your email server. In OpenDMARC, SPF softfail is interpreted in DMARC as fail by default.
Learn more in this post: Why SPF Authentication Fails: none, neutral, fail(hard fail), soft fail, temperror, and permerror Explained
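To make the results discussed in these answers concrete, here is an added example (not code from any of the posters): a cut-down version of the RFC 7208 check_host() algorithm run against constructed zone data. It shows the none result for a domain with no "v=spf1" string, the PermError for a domain with two of them, and how the ?all, ~all and -all qualifiers turn into neutral, softfail and fail. The domain names, IPs and records in ZONE are assumptions for the demo, not real DNS data.

```python
import ipaddress

# Constructed zone data standing in for live DNS (assumption; none of these are real records).
ZONE = {
    "txt": {
        "example.com": ["v=spf1 mx a ip4:203.0.113.0/24 include:mailer.example ~all"],
        "mailer.example": ["v=spf1 ip4:198.51.100.10 -all"],
        "two.example": ["v=spf1 -all", "v=spf1 +all"],  # two SPF strings on one name
        "none.example": ["verification=not-an-spf-record"],
    },
    "mx": {"example.com": ["mx1.example.com"]},
    "a": {"example.com": ["192.0.2.5"], "mx1.example.com": ["192.0.2.25"]},
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, zone=ZONE):
    """Simplified RFC 7208 check_host(): returns none, permerror, or the
    result of the first matching mechanism. CIDR suffixes on a/mx, ptr,
    exists, redirect= and the 10-lookup limit are left out for brevity."""
    ip = ipaddress.ip_address(ip)
    spf = [r for r in zone["txt"].get(domain, []) if r.split()[0].lower() == "v=spf1"]
    if not spf:
        return "none"       # no TXT string starting exactly with v=spf1
    if len(spf) > 1:
        return "permerror"  # more than one SPF record is a hard error
    for term in spf[0].split()[1:]:
        qual = "+"          # "+" (pass) is the default qualifier
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER[qual]
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in zone["a"].get(arg or domain, [])
        elif name == "mx":
            hosts = zone["mx"].get(arg or domain, [])
            matched = any(str(ip) in zone["a"].get(h, []) for h in hosts)
        elif name == "include":
            # include: only a "pass" from the referenced domain matches; none/permerror propagate
            sub = check_host(str(ip), arg, zone)
            if sub in ("permerror", "none"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIER[qual]
    return "neutral"  # no "all" term at the end: the RFC default is neutral
```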

One SPF record per subdomain?

As you all may know, only one SPF record should be set up in the DNS records. My question however is if this also applies to other subdomains.
For example, I send emails through AWS and the given SPF record is "v=spf1 include:amazonses.com ~all" @ noreply. But I also use Protonmail with the same domain and the SPF record given there is "v=spf1 include:_spf.protonmail.ch mx ~all" @ root.
Not only is the subdomain different, but the protonmail record has a 'mx' in it too.
How am I exactly supposed to put this in my DNS?
You can quite happily have separate SPF policies for subdomains - the SPF at example.com can be different from one at mail.example.com. The contents of those records can be independent too, and there is no reason why the MX for mail.example.com can't be the same as for domain.com - in fact it is assumed to be unless you specify otherwise.
That said, it's not clear that you're needing subdomains at all, but simply to combine SPFs covering different sources for the same domain, for example the 2 examples you give could be combined as:
v=spf1 mx include:_spf.protonmail.ch include:amazonses.com ~all
The local part of the address (to the left of the @, like root@example.com or noreply@example.com) does not figure in SPF checks, so it's irrelevant.
If that's not what you meant, please expand your question.

Doubts about SPF record missing

I'm trying to add SPF records on my DNS zone. The SPF records are from mailjet (spf.mailjet.com), the domain is Brazilian (.com.br hosted on uolhost) and my server is on DigitalOcean. When I try to add the TXT record, mailjet says "Your SPF record is missing".
I added this TXT (suggested by mailjet) on my DNS zone (at uolhost):
v=spf1 include:spf.mailjet.com ?all
But I have some questions about it (I'm really a beginner on these subjects).
Should the TXT be on DigitalOcean, uolhost or both?
Do I really have to wait 48h?
Is the TXT above correct?
Sorry for my bad English. I really appreciate any help.
First you should make it -all instead of ~all, the whole reason to set up authentication is to prevent people from spoofing your domain.
v=spf1 include:spf.mailjet.com -all
Where your SPF record goes depends on where the SPF record is being sent from, or the 5321.From, which is the "Return-Path", etc. Not the "FROM" line.
So view the headers of your email and look for the return path email address.
Whichever domain that is, is the place in DNS where you will add the TXT record above. If you don't know how to see the headers of your email, just send an email to mailtest@unlocktheinbox.com; it will send you your header information on top of the report, just look for "Return-path". There is also an SPF section; when you have it set up right it will show "PASSED".
BTW, if you have multiple SPF records (one of an email service provider and the other of mailjet); then instead of adding 2 TXT records, please use a single TXT record with a combination like below:
v=spf1 include:spf.mailjet.com include:spf.protection.outlook.com ~all
(since we use outlook email service, hence outlook in our case).

Merge 3 SPF records into the same

I am having issues with my SPF records and I am not very familiar with that. I need to add 2 additional SPF records to my current SPF record. At first, I just created 2 other TXT records but it seems that's not correct. I can only have 1 SPF record.
So I need your help to merge these 3 SPF records:
v=spf1 +a +mx +ip4:184.170.132.66 +ip4:184.107.73.236 ~all
MS=ms46042964
v=spf1 a mx include:freshbooks.com -all
The first one is from my hosting provider, the second one is for my Office 365 (my emails are managed with Office Exchange Online) and the third one is for preventing the invoices sent by FreshBooks from going into my clients' junk folders.
Any help is appreciated, thank you very much!
Jean-Philippe
First, you probably want to look at a resource like this one: SPF Introduction. Once you've got an understanding of what SPF does and what a valid record looks like, try deleting the other 2 existing records and updating 1, for example:
v=spf1 +a +mx +ip4:184.170.132.66 +ip4:184.107.73.236 MS=ms46042964 include:freshbooks.com ~all
Then use an SPF validation tool to check the record. You're likely going to run into a "Too many DNS lookups" error though, which means you'll need to pare down the record to include only the information you absolutely need. See this post for more insight. And this is a good tool to see exactly where the record is exploding.
A few years late...
But MS=ms46042964 is not part of an SPF record; this is an Office 365 validation token and should not be included in an SPF record. This will cause an error, both for MS doing the validation and when performing an SPF test.
Also since you are switching to Office 365, you can remove the SPF from your hosting provider as you will not be using their email hosting. So the only SPF you would need is Office 365's.
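The merging advice in this thread and in the Zoho question at the top of the page (one TXT string per domain, literal IPs first, no duplicate mechanisms, drop anything that is not "v=spf1 ...", watch the 10-lookup limit) can be turned into a small tool. This is an added example, not code from any poster or provider; the choice to keep the strictest "all" qualifier when the inputs disagree is an assumption of the example.

```python
import re

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Strictness of the trailing "all" qualifier (assumption: the strictest one wins on merge).
ALL_RANK = {"-": 3, "~": 2, "?": 1, "+": 0}

def _name(term):
    """Mechanism name without its qualifier, e.g. '-include:x' -> 'include'."""
    m = re.match(r"[-~?]?([a-z0-9]+)", term, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def merge_spf(records):
    """Merge several SPF TXT strings into one record; returns (record, warnings).

    Strings that do not start with "v=spf1" (e.g. an MS=... domain-verification
    token) are dropped, duplicate mechanisms are removed, ip4/ip6 terms are put
    first, and the strictest "all" qualifier seen is kept.
    """
    terms, warnings, all_qual = [], [], None
    for rec in records:
        parts = rec.split()
        if not parts or parts[0].lower() != "v=spf1":
            warnings.append(f"dropped non-SPF string: {rec!r}")
            continue
        for term in parts[1:]:
            term = term[1:] if term.startswith("+") else term  # "+" is the default qualifier
            m = re.fullmatch(r"([-~?]?)all", term, re.IGNORECASE)
            if m:
                q = m.group(1) or "+"
                if all_qual is None or ALL_RANK[q] > ALL_RANK[all_qual]:
                    all_qual = q
            elif term.lower() not in [t.lower() for t in terms]:
                terms.append(term)
    # Literal IPs first: receivers can match them without any DNS lookup.
    ips = [t for t in terms if _name(t) in ("ip4", "ip6")]
    rest = [t for t in terms if t not in ips]
    # Only top-level terms are counted here; lookups inside included records
    # also count toward the limit but need live DNS to measure.
    lookups = sum(1 for t in rest if _name(t) in LOOKUP_TERMS)
    if lookups > 10:
        warnings.append(f"{lookups} lookup terms exceed the 10-lookup limit")
    tail = [all_qual + "all"] if all_qual else []
    return " ".join(["v=spf1", *ips, *rest, *tail]), warnings
```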

What is right way to set spf in dns records?

I'm setting it as: v=spf1 a mx ip4:xx.xxx.xx.xxx a -mx -all
Is it right?
Thanks.
How you should configure your SPF record depends on what servers you want to allow to send emails on your behalf. However, your example SPF record contains a contradiction. You are specifying both mx and -mx, meaning you want to both pass and fail if the IP matches an IP address found in the domain's MX records. You should remove whichever mechanism does not apply.
Without knowing your exact needs it's hard to say exactly what SPF configuration you should use but if I had to take a shot in the dark I would say this is probably a safe bet:
v=spf1 mx a ip4:xx.xxx.xx.xxx ?all
This will pass an email originating from any IP that your domain has an a or mx record for, as well as IP address xx.xxx.xx.xxx. It will apply a status of neutral to all others using the ?all mechanism. This allows spam filters more latitude to determine the validity of the email as opposed to a hard fail (-all).
Here are a couple of resources that I think will help you.
SPF Mechanisms Explained
SPF Wizard