Where to put SPF record - dns

This may be a silly question but I have no knowledge of configuring domains and need some help. My situation is as follows:
I own a domain, let's say myexampledomain.com, bought from vendor A.
My website is physically hosted on the server B. My domain is configured to redirect to this server.
I also have an email account, let's say office at myexampledomain.com, bought from vendor C.
I want the website to send emails through my email account using SMTP, so as I understand I have to add an SPF record somewhere. And this is the question - where should I put an SPF record? Is my domain's configuration the right place? Isn't redirection a problem?
And the second question - is an SPF record like that enough?
v=spf1 a mx ip4:X.X.X.X a:mail.vendorc.com -all

1) You would change it with the vendor that provides DNS service for myexampledomain.com which could be any of your vendors. To find out, start with vendor A where you bought the domain name, you'll be able to see there if your DNS name servers have been set to one of the other vendors.
2) SPF is not required in order to send email. All other things being equal it may help with deliverability of your email since receivers have more to go on when determining if they should trust your server. It will also reduce the chance that someone else tries to use your domain name for spam.
3) Your example SPF is not unreasonable but there's not nearly enough info in your question to say if it is correct. You should probably start with vendor C and see what they say you should set your SPF record to, and then modify it to add any other servers that will be sending mail on your behalf.

Related

How can I point my domain from Godaddy to another web server without using # and losing email services?

I have access to a Godaddy account where the company has all their domains. One of those I need to point to another web server running Apache. The person that used to work here before me solved this by pointing to the new server IP using the record:
A # the.ip.addr.ess 1 hour
and in the webserver end I get it with Apache and as far as the webserver goes, it runs flawlessly. I even have some subdomains using the same A record structure.
But...now I have two issues. First, I lost email reception. I can send via smtp and webmail but anything sent to my domain gets bounced back after 24 hours, even if sent to an alias or forwarder.
The second issue is that I need to verify the domain with Firebase and even though I created the TXT record, it cannot be found by Google. I'm sure it's because of the same reason.
What can I do? I understand a little about DNS and records, but not enough for this. I just want all html traffic to reach my webserver as it is now and keep the emails and other domain services working as they were.
When contacting Godaddy support, they said it is not their purview as it is external. I think they just don't know. Go figure.
Are you using GoDaddy's name servers? If not, and these are pointing elsewhere, no matter what DNS records you set in GoDaddy they won't be picked up during DNS lookups. This may explain why the TXT record verification is failing. However, if this were true, changing the A record wouldn't disrupt DNS.
# just means the root domain so no subdomain/prefix, mydomain.com.
www is a common subdomain used, so you could have an A record which looks like:
A www the.ip.addr.ess 1 hour
so www.mydomain.com would resolve to the.ip.addr.ess
MX records are used to direct emails to your mail server. Make sure this is pointing to the mail server. If it's pointing at your A record then updating the A record will disrupt this.
Set the MX record to point to the.ip.addr.ess rather than mydomain.com, or an A/CNAME record other than your root domain (which you are updating).
Other considerations may need to be taken: if you have an SPF record (TXT record) this may also need updating, depending on its current value.
I finally found what I had to do. I needed an A record named 'mail' pointing to the original Godaddy server IP address.
A mail my.ip.add.ress. 1 hour
Thanks for all the help.

What is minus a in a spf record

I have a client that has an SPF record I don't understand.
The record is like this:
"v=spf1 a:domain.tld -a:gmail.com -a:googlemail.com -ip4:xx1.yy1.zz1.xx -ip4:xx2.yy2.zz2.xx include:spf.mandrillapp.com include:servers.mcsv.net ?all"
I have changed the IPs to x, y and z, but they are real IPs and the domain is also real and not domain.tld.
What does the minus in -a: and -ip4: do? Does it have a function or is it wrongly set up?
I would like to clean up - can I just remove them? They use mailchimp, so I will just keep the 2 includes.
The relevant bits of the RFC are 4.6.2 and 5.3. Roughly
- means 'fail', i.e. reject any sender that matches this rule
a: means 'all IP addresses that this hostname resolves to'
So the intention of the rule appears to be to prevent anyone using gmail to send email from this domain, presumably because they used Google G-Suite for email at one time but have then stopped.
However I don't think that will work: Google's SPF configuration is more complicated than that and uses 'include:' to pick up lists of addresses specified by Google. I'd be surprised if all of their mailservers hosted the gmail web app too. So my guess would be that this doesn't actually work as-is, and so can be safely deleted.
Ditto the -ip4: it means don't allow this IP address to send email for your customer's domain. Chances are that's OK to go too, but you should verify what the IP address represents, e.g. starting with a WHOIS lookup to see who (or which ISP) it's registered to.

Gmail Email Client and SPF Records

I am in the process of migrating our staff's email client from Windows Live Mail to Gmail. I have gone through the process of connecting each staff's email from our domain to their respective Gmail accounts (so each staff has two valid email addresses, e.g. bob.our_domain#gmail.com and bob#our_domain.com). I am able to receive and send mail from the linked account, but emails sent from bob#our_domain.com are tagged with an alarming red question mark and read "Gmail could not verify that our_domain.com actually sent this message (and not a spammer)". I understand that this is an error with SPF configuration but for the life of me cannot figure out what the correct configuration looks like.
The domain in question is evergreensupplyonline.com.
Step 1 - Ensure SPF is enabled.
Our server is managed through cPanel, so I navigate to the authentication tab and enable both DKIM and SPF. The default SPF record is
v=spf1 +a +mx +ip4:166.62.38.87 ~all
Sending email with this configuration generates the error: SOFTFAIL with IP 208.109.80.60. Seems reasonable enough, the IP isn't listed and the ~all specifies a soft fail for unknown IPs (as far as I am aware)
Step 2 - Add the sender's IP to the SPF record
I add 208.109.80.60 to the record and my SPF record becomes
v=spf1 +a +mx +ip4:166.62.38.87 +ip4:208.109.80.60 ~all
Sending email with this configuration still generates a SOFTFAIL error but with a different IP (208.109.80.60). Based on this change I assume I won't be able to add a static IP for all of google's mail servers - not too much of a surprise.
Step 3 - Add Google's _spf domain
Following the instructions from https://support.google.com/a/answer/33786?hl=en
I removed 208.109.80.60 and instead include _spf.google.com domain. My SPF record now looks like
v=spf1 +a +mx +ip4:166.62.38.87 +include:_spf.google.com ~all
If I run my domain through https://toolbox.googleapps.com/apps/checkmx/ I get some non-critical errors but everything relating to the _spf.google.com domain seems to check out. If I send an email with this configuration I still get a SOFTFAIL error.
I'm not sure where to go from here - I've tried all that my preliminary understanding of SPF will permit. Any suggestions, observations, or tricks are greatly welcomed. Cheers,
This does all look correct, apart from one thing. I looked up both the IPs you mentioned (using whois) and they belong to... GoDaddy, not Google, which entirely explains your problem. It's quite likely that GoDaddy is redirecting your outbound email traffic since they don't allow direct SMTP sending, so you may need to add GoDaddy's SPF as well, or move to a more enlightened hosting provider.
A minor thing: put the ip4 mechanism first as it's fastest to match for receivers (it requires no extra lookups), and you don't need the + qualifiers because that's the default action.

DNS record not found after testing

I am checking my website on mxtoolbox.com and getting some DNS errors. Two of those errors say "DNS Record not found". One has dmarc as category and the other is category spf.
My questions:
Does this hurt my website?
How do I go about fixing this?
My website is http://www.zilvertron.com
Thanks for your time!
No, neither of those things will directly hurt your website, though they may cause you problems with sending email if the recipients score harshly in any spam management application.
There is some info on DMARC here and some info about SPF here. They are both used to help validate that messages are 'allowed' to be sent from your domain & hosts and that your domain is who it says it is.
If you wanted to fix/add the records you need to have a look in your DNS provider's control panel and see what options they support, and how to implement them. SPF is easy - it's just a text record; DMARC/DKIM requires a bit more setup.

Doubts about SPF record missing

I'm trying to add SPF records on my DNS zone. The SPF records are from mailjet (spf.mailjet.com), the domain is Brazilian (.com.br hosted on uolhost) and my server is on DigitalOcean. When I try to add the TXT record, mailjet says "Your SPF record is missing".
I added this TXT (suggested by mailjet) on my DNS zone (at uolhost):
v=spf1 include:spf.mailjet.com ?all
But I have some questions about it (I'm really a beginner on these subjects).
The TXT should be on digital ocean, uolhost or both?
I really have to wait 48h?
The TXT above is correct?
Sorry for my bad English. I really appreciate any help.
First you should make it -all instead of ~all, the whole reason to set up authentication is to prevent people from spoofing your domain.
v=spf1 include:spf.mailjet.com -all
Where your SPF record goes depends on where the SPF record is being sent from, or the 5321.From, which is the "Return-Path", etc., not the "FROM" line.
So view the headers of your email and look for the return path email address.
Whichever domain that is, is the place in DNS where you will add the TXT record above. If you don't know how to see the headers of your email, just send an email to mailtest#unlocktheinbox.com; it will send you your header information on top of the report, just look for "Return-path". There is also an SPF section; when you have it set up right it will show "PASSED".
BTW, if you have multiple SPF records (one from an email service provider and the other from mailjet), then instead of adding 2 TXT records, please use a single TXT record with a combination like below:
v=spf1 include:spf.mailjet.com include:spf.protection.outlook.com ~all
(since we use outlook email service, hence outlook in our case).
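As an added, constructed illustration (not code from any poster above) of what the qualifiers discussed in the "-a:" question actually do, and of why the last answer insists on one combined TXT record rather than two: a minimal SPF evaluator run over a stubbed DNS table. The domain names, IPs and records in the stub are assumptions, not any poster's real data.

```python
import ipaddress

# Constructed DNS stub standing in for real lookups (all names and IPs are made up).
DNS = {
    "domain.tld": {
        "A": ["203.0.113.10"],
        "MX": ["mail.domain.tld"],
        "TXT": ["v=spf1 a mx -ip4:198.51.100.7 include:spf.mailjet.com ?all"],
    },
    "mail.domain.tld": {"A": ["203.0.113.25"]},
    "spf.mailjet.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    "two.tld": {"TXT": ["v=spf1 include:spf.mailjet.com -all",   # two SPF records:
                        "v=spf1 include:spf.protection.outlook.com -all"]},  # the mistake
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def check_host(ip, domain):
    """Simplified RFC 7208 check_host(): a, mx, ip4, include, all only (no redirect=, ptr, exp=, CIDR on a/mx, 10-lookup limit)."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:                 # more than one SPF record is a permerror
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"                       # '+' (pass) is the default qualifier
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain           # bare 'a' / 'mx' refer to the domain itself
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(target, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(target, "MX"))
        elif mech == "include":          # include matches only when the other domain says 'pass'
            matched = check_host(ip, arg) == "pass"
        else:
            return "permerror"           # unknown mechanism
        if matched:                      # first matching term wins; its qualifier is the result
            return QUALIFIER[qual]
    return "neutral"                     # nothing matched and no 'all' term
```

Running check_host for the domain's own A, its MX host, the explicitly minus-listed IP, a mailjet IP and an unrelated IP yields pass, pass, fail, pass and neutral respectively; "two.tld" yields permerror, which is why the two includes belong in one record.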
