I'm trying to add SPF records on my DNS zone. The SPF records are from mailjet (spf.mailjet.com), the domain is brazilian (.com.br hosted on uolhost) and my server is on DigitalOcean. When i try to add the TXT record, mailjet says "Your SPF record is missing".
I added this TXT (suggested by mailjet) on my DNS zone (at uolhost):
v=spf1 include:spf.mailjet.com ?all
But i have some questions about it (i'm really a beginner on this subjects).
The TXT should be on digital ocean, uolhost or both?
I really have to wait 48h?
The TXT above is correct?
Sorry for my bad english. I really appreciate any help.
First you should make it -all instead of ~all, the whole reason to set up authentication is to prevent people from spoofing your domain.
v=spf1 include:spf.mailjet.com -all
Where you're SPF record goes, depends on where the SPF record is being sent from, or the 5321.From Which is the "Return-Path", etc. Not the "FROM" line.
So view the headers of your email and look for the return path email address.
Whichever domain that is, is the place in DNS you will add the TXT record above, if you don't know how to see the headers of your email just send an email to mailtest#unlocktheinbox.com it will send you your header information on top of the report, just look for "Return-path". There is also an SPF Section, when you have it set up right it will show "PASSED".
BTW, if you have multiple SPF records (one of an email service provider and the other of mailjet); then instead of adding 2 TXT records, please use a single TXT record with a combination like below:
v=spf1 include:spf.mailjet.com include:spf.protection.outlook.com ~all
(since we use outlook email service, hence outlook in our case).
Related
I have a forwarding domain (forwardingdomain.org > actual-website.org) for which I have email forwarders set up. To reduce spamming/spoofing of my email forwarders, I would like to set up a correct SPF TXT record in the domain’s DNS.
I have an SPF TXT record set up in the DNS, however, recently I’ve received scam/ransomware/spam emails that appear to be coming from email forwarders of the forwarding domain. So, that SPF record may not be working. I’ve successfully set up SPF TXT record for domains that have a website associated with them (i.e., I can use a server IP in the SPF record). For this domain, however, since it’s forwarding, it’s not clear what IP I should use.
Here’s the current SPF record (I don’t remember adding this myself; it may have gotten generated by itself):
Type: TXT
Host: #
Value: v=spf1 a mx include:sendgrid.net ~all
Expected result: No more scam/spam/ransomware emails should be coming in that appear as if they were sent from my email forwarders.
Actual result: Scam/spam/ransomware emails are coming in, appearing to be sent from my email forwarders.
Firstly I would recommend adding an include mechanism to pull in IPs from your forwarding domain.
Next, you have a ~all default mechanism, which means that forged messages will not be rejected, just marked as non-compliant (softfail). This is the correct setting if you are still testing your configuration or you are using DMARC.
With DMARC, the softfail can be turned into a full rejection, and this is generally considered better than using -all because it retains DMARC’s other semantics.
I am in the process of migrating our staff's email client from Window's Live Mail to Gmail. I have gone through the process of connecting each staff's email from our domain to their respective Gmail accounts (so each staff has two valid email addresses, e.g. bob.our_domain#gmail.com and bob#our_domain.com). I am able to receive and send mail from the linked account, but emails sent from bob#our_domain.com are tagged with an alarming red question mark and read "Gmail could not verify that our_domain.com actually sent this message (and not a spammer) ". I understand that this is an error with SPF configuration but for the life of me cannot figure out what the correct configuration looks like.
The domain in questions is evergreensupplyonline.com.
Step 1 - Ensure SPF is enabled.
Our server is managed through cPanel, so I navigate to the authentication tab and enable both DKIM and SPF. The default SPF record is
v=spf1 +a +mx +ip4:166.62.38.87 ~all
Sending email with this configuration generates the error: SOFTFAIL with IP 208.109.80.60. Seems reasonable enough, the IP isn't listed and the ~all specifies a soft fail for unknown IPs (as far as I am aware)
Step 2 - Add the sender's IP to the SPF record
I add 208.109.80.60 to the record and my SPF record becomes
v=spf1 +a +mx +ip4:166.62.38.87 +ip4:208.109.80.60 ~all
Sending email with this configuration still generates a SOFTFAIL error but with a different IP (208.109.80.60). Based on this change I assume I won't be able to add a static IP for all of google's mail servers - not too much of a surprise.
Step 3 - Add Google's _spf domain
Following the instructions from https://support.google.com/a/answer/33786?hl=en
I removed 208.109.80.60 and instead include _spf.google.com domain. My SPF record now looks like
v=spf1 +a +mx +ip4:166.62.38.87 +include:_spf.google.com ~all
If I run my domain through https://toolbox.googleapps.com/apps/checkmx/ I get some some non-critical errors but everything relating to the _spf.google.com domain seems to check out. If I send an email with this configuration I still get a SOFTFAIL error.
I'm not sure where to go from here - I've tried all that my preliminary understanding of SPF will permit. Any suggestions, observations, or tricks are greatly welcomed. Cheers,
This does all look correct, apart from one thing. I looked up both the IPs you mentioned (using whois) and they belong to... GoDaddy, not Google, which entirely explains your problem. It's quite likely that GoDaddy is redirecting your outbound email traffic since they don't allow direct SMTP sending, so you may need to add GoDaddy's SPF as well, or move to a more enlightened hosting provider.
A minor thing: put the ip4 mechanism first as it's fastest to match for receivers (it requires no extra lookups), and you don't need the + qualifiers because that's the default action.
I'm using Zoho mail with my domain name. I also use an SMTP service with my domain name to send newsletters.
In order for Zoho to work properly I am required to add an spf record to my domain DNS. The SMTP service also requires my to add spf record.
My question is can I add multiple spf record to a domain name? If not is it possible to somehow combine the two?
These are the recorde I need to use:
v=spf1 include:zoho.com ~all
v=spf1 mx a ip4:91.82.206.0/24 ip4:91.83.103.0/24 ~all
Any help is appreciated.
You can't have two, but you can combine them, like this:
v=spf1 ip4:91.82.206.0/24 ip4:91.83.103.0/24 mx a include:zoho.com ~all
It's best practice to put literal IPs first as they are the fastest for receivers to check.
No, you can't have multiple SPF records on a single domain. Otherwise, SPF will return PermError.
An SPF record is a TXT record in the DNS starting exactly with "v=spf1", followed by an array of mechanisms and/or modifiers.
An SPF check starts by fetching all TXT records starting exactly with "v=spf1" on a domain:
if no such record is found, it returns None;
if multiple such records are found, it returns PermError.
You would need to add all the mechanisms in 1 SPF record, as mentioned by Synchro.
Learn more here: https://dmarcly.com/blog/can-i-have-multiple-spf-records-on-my-domain
I'm running my domain on two servers (primary server and blog server) and I manage my mails with Google Apps for business (MX records correctly set).
However, I want to send emails from both servers (primary is a send-only EXIM4 server) and they should not be marked as spam. Therefore I want to set a correct SPF record, but Google keeps telling me that spf=neutral instead of spf=positive.
My current SPF records looks as follows:
v=spf1 ip4:<blog IP> ip4:<primary IP> include:_spf.google.com ~all
What do I have to change in order to get my mails through spam detection?
Thanks
Figured it out.
The record was okay, but I had to create a TXT record with the content above. Not a SPF record, which is weird. But so is technology.
I'm setting it as: v=spf1 a mx ip4:xx.xxx.xx.xxx a -mx -all
it's right?
Thanks.
How you should configure your SPF record depends on what servers you want to allow to send emails on your behalf. However, your example SPF record contains a contradition. You are specifying both mx and -mx, meaning you want to both pass and fail if the IP matches an IP address found in the domain's MX records. You should remove whichever mechanism does not apply.
Without knowing your exact needs it's hard to say exactly what SPF configuration you should use but if I had to take a shot in the dark I would say this is probably a safe bet:
v=spf1 mx a ip4:xx.xxx.xx.xxx ?all
This will pass an email originating form any IP that your domain has an a or mx record for as well as IP address xx.xxx.xx.xxx. It will apply a status of neutral to all others using the ?all mechanism. This allows spam filters more latitude to determine the validity of the email as opposed to a hard fail (-all).
Here are a couple of resource that I think will help you.
SPF Mehanisms Explained
SPF Wizard