I am having issues with my SPF records and I am not very familiar with them. I need to add 2 additional SPF records to my current SPF record. At first, I just created 2 other TXT records, but it seems that's not correct. I can only have 1 SPF record.
So I need your help: I need to merge these 3 SPF records together:
v=spf1 +a +mx +ip4:184.170.132.66 +ip4:184.107.73.236 ~all
MS=ms46042964
v=spf1 a mx include:freshbooks.com -all
The first one is from my hosting provider, the second one is for my Office 365 (my emails are managed with Office Exchange Online) and the third one is to prevent the invoices sent by FreshBooks from going into my clients' junk folders.
Any help is appreciated, thank you very much!
Jean-Philippe
First, you probably want to look at a resource like this one: SPF Introduction. Once you've got an understanding of what SPF does and what a valid record looks like, try deleting the other 2 existing records and updating 1, for example:
v=spf1 +a +mx +ip4:184.170.132.66 +ip4:184.107.73.236 MS=ms46042964 include:freshbooks.com ~all
Then use an SPF validation tool to check the record. You're likely going to run into a "Too many DNS lookups" error though, which means you'll need to pare down the record to include only the information you absolutely need. See this post for more insight. And this is a good tool to see exactly where the record is exploding.
A few years late...
But MS=ms46042964 is not part of SPF; it is an Office 365 validation token and should not be included in an SPF record. Doing so will cause an error, both for MS doing the validation and when performing an SPF test.
Also since you are switching to Office 365, you can remove the SPF from your hosting provider as you will not be using their email hosting. So the only SPF you would need is Office 365's.
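Putting the two answers above into code, as an added example that is not from either poster: the script below merges several SPF TXT strings into one record, refuses anything that does not start with v=spf1 (so a pasted MS=... verification token is rejected rather than merged), flags non-SPF terms when linting a record, and counts the mechanisms that cost a DNS lookup against the RFC 7208 limit of 10, which is where the "Too many DNS lookups" error comes from. It performs no DNS queries; the sample records are constructed from the question, and the function names are my own.

```python
"""Merge several SPF TXT strings into one record and check the result
against the RFC 7208 limit of 10 DNS-lookup mechanisms.
Added example, not code from the thread: it does no real DNS queries
and the sample records below are constructed from the question."""
import re

# mechanisms/modifiers that cost a DNS query (RFC 7208 section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
KNOWN_MODIFIERS = {"redirect", "exp"}
MAX_LOOKUPS = 10


def parse_terms(record):
    """Return the terms after v=spf1, or raise ValueError for non-SPF text
    (a Microsoft MS=... verification token fails here, as it should)."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF record, must start with v=spf1: %r" % record)
    return fields[1:]


def term_name(term):
    """Strip the qualifier (+ - ~ ?) and any :target, =value or /prefix part."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), 1)[0].lower()


def lint_terms(terms):
    """List problems: terms that are not SPF syntax, and terms after 'all'."""
    problems = []
    for i, term in enumerate(terms):
        name = term_name(term)
        is_modifier = "=" in term
        if is_modifier and name in KNOWN_MODIFIERS:
            continue
        if is_modifier or name not in KNOWN_MECHANISMS:
            problems.append("unknown term (not SPF syntax): %s" % term)
        elif name == "all" and i != len(terms) - 1:
            problems.append("terms after 'all' are never evaluated: %s" % term)
    return problems


def count_lookups(terms):
    """Count terms that need a DNS query. Targets of include: are not
    expanded, so this is a lower bound on what a receiver will spend."""
    return sum(1 for t in terms if term_name(t) in LOOKUP_TERMS)


def over_lookup_limit(record):
    """True when the record alone already exceeds the 10-lookup limit."""
    return count_lookups(parse_terms(record)) > MAX_LOOKUPS


def merge_spf(records, final="~all"):
    """Combine records into one: drop each record's own 'all', normalise
    the default '+' qualifier away, dedupe in first-seen order, list
    ip4/ip6 first (cheapest for receivers), then append a single 'all'."""
    seen = []
    for record in records:
        for term in parse_terms(record):
            term = term[1:] if term.startswith("+") else term
            if term_name(term) != "all" and term not in seen:
                seen.append(term)
    ips = [t for t in seen if term_name(t) in ("ip4", "ip6")]
    rest = [t for t in seen if term_name(t) not in ("ip4", "ip6")]
    return " ".join(["v=spf1"] + ips + rest + [final])


if __name__ == "__main__":
    # constructed from the question; MS=ms46042964 is deliberately left out
    hosting = "v=spf1 +a +mx +ip4:184.170.132.66 +ip4:184.107.73.236 ~all"
    invoices = "v=spf1 a mx include:freshbooks.com -all"
    merged = merge_spf([hosting, invoices])
    print(merged)
    print("DNS lookups:", count_lookups(parse_terms(merged)), "of", MAX_LOOKUPS)
    # a verification token pasted into a record is flagged, not accepted
    print(lint_terms(parse_terms("v=spf1 a mx MS=ms46042964 include:freshbooks.com ~all")))
```

The merge keeps the softer ~all by default because the two source records disagree (~all versus -all); pass final="-all" to choose the strict policy once you are sure every sender is listed.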
I'm inheriting a site that came with multiple SPF records in multiple TXT records (which all of my searching up until this point has informed me is about as invalid as you can get).
Here are the records I'm working with:
Record 1: v=spf1 include:servers.mcsv.net ?all
Record 2: v=spf1 include:zoho.com ~all
Record 1 appears to be a Mailchimp record. I'm not sure if the client is using Mailchimp or not. Record 2 is obviously from Zoho, but I know for sure the client is using Zoho. Ideally, I'd like to combine these two records into one.
Both records provide a slightly different all value. Record 1 gives me ?all, and Record 2 gives me ~all. If I understand the syntax correctly, ~all should be slightly more restrictive than ?all, and I can have only one all value, which must come last in the record.
If they had the exact same all value, I could just do something like this:
v=spf1 include:servers.mcsv.net include:zoho.com ?all
If I combine the records, I'm not sure which all value I should use or why. If I set one record to start with v=spf2, I'm not sure the service will verify the record. I've been searching and haven't found any resources that touch on combining multiple SPF records that have different all values. What should I do here?
Thanks
An appropriate combination of these two would be:
v=spf1 include:servers.mcsv.net include:zoho.com ~all
?all is essentially useless - it's pretty much equivalent to not having an SPF record at all.
That's not all though - this record looks incomplete. Unless your domain only sends from Mailchimp and Zoho, all other mail will get a softfail response, so if you send "normal" mail from this domain using its own mail server, you probably want to add at least mx, and if you send any mail directly from the domain's web site, you would want an a mechanism too, giving:
v=spf1 mx a include:servers.mcsv.net include:zoho.com ~all
DMARC is an important factor, as @lgc_ustc said. If you're not using DMARC, I would recommend setting -all as your default mechanism to get maximum benefit from SPF, but if you are using DMARC, leave it as ~all. This is because some SPF checkers encountering a -all will reject messages immediately, rather than letting them be passed on to the DMARC layer, where a sender can be told what to do with a rejected message.
If I set one record to start with v=spf2, I'm not sure the service will verify the record.
There can be only one SPF record on any domain. If more than one SPF record is set, SPF will return PermError. See: RFC 7208
Also, all SPF records must start with "v=spf1", everything else is invalid.
?all means neutral in SPF. SPF neutral can be interpreted in DMARC as either pass or fail, depending on how you set up DMARC on your email server. This is normally controlled by a flag in your DMARC setup, and it varies across DMARC packages. If you use OpenDMARC by Trusted Domain, SPF neutral is interpreted in DMARC as fail by default.
~all means softfail in SPF. SPF softfail is a weak statement that the host is probably not authorized. The domain has not published a stronger, more definitive policy that results in a "fail". This is typically implemented by appending a ~all mechanism to an SPF record. When this mechanism is evaluated, any IP address will cause SPF to return a softfail result.
Like neutral, SPF softfail can be interpreted in DMARC as either pass or fail, depending on how you set up DMARC on your email server. In OpenDMARC, SPF softfail is interpreted in DMARC as fail by default.
Learn more in this post: Why SPF Authentication Fails: none, neutral, fail (hard fail), soft fail, temperror, and permerror Explained
I'm using Zoho mail with my domain name. I also use an SMTP service with my domain name to send newsletters.
In order for Zoho to work properly I am required to add an SPF record to my domain DNS. The SMTP service also requires me to add an SPF record.
My question is: can I add multiple SPF records to a domain name? If not, is it possible to somehow combine the two?
These are the records I need to use:
v=spf1 include:zoho.com ~all
v=spf1 mx a ip4:91.82.206.0/24 ip4:91.83.103.0/24 ~all
Any help is appreciated.
You can't have two, but you can combine them, like this:
v=spf1 ip4:91.82.206.0/24 ip4:91.83.103.0/24 mx a include:zoho.com ~all
It's best practice to put literal IPs first as they are the fastest for receivers to check.
No, you can't have multiple SPF records on a single domain. Otherwise, SPF will return PermError.
An SPF record is a TXT record in the DNS starting exactly with "v=spf1", followed by an array of mechanisms and/or modifiers.
An SPF check starts by fetching all TXT records starting exactly with "v=spf1" on a domain:
if no such record is found, it returns None;
if multiple such records are found, it returns PermError.
You would need to add all the mechanisms in 1 SPF record, as mentioned by Synchro.
Learn more here: https://dmarcly.com/blog/can-i-have-multiple-spf-records-on-my-domain
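The answers above describe the receiver's side in words: fetch every TXT record that starts with v=spf1 (none gives None, more than one gives PermError), then walk the mechanisms left to right and return the result named by the qualifier on the first one that matches, so ?all, ~all and -all end in neutral, softfail and fail. The following added example, not code from any poster, implements that check_host() logic over an in-memory DNS table so the outcomes can be reproduced offline. The zone data, host names and addresses are constructed; only ip4, ip6, a, mx, include and all are handled (no macros, no a/mx prefix-length syntax), and the lookup counter is simplified to one shared limit of 10.

```python
"""Minimal SPF check_host() over an in-memory DNS table, showing how a
receiver arrives at none / permerror from the TXT lookup and at pass /
fail / softfail / neutral from the qualifier on the matching mechanism.
Added example, not from the thread: the zone data and addresses are
constructed and no real DNS is queried."""
import ipaddress

# constructed zone data: domain -> {"TXT": [...], "A": [...], "MX": [...]}
DNS = {
    "example.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:mailer.example.net ~all"],
                    "MX": ["mx1.example.com"]},
    "mx1.example.com": {"A": ["198.51.100.10"]},
    "mailer.example.net": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    # own web server and MX only, mail relayed by a third party will hard-fail
    "selfhosted.example": {"TXT": ["v=spf1 +a +mx -all"], "A": ["198.51.100.20"],
                           "MX": ["mx1.example.com"]},
    "two-records.example": {"TXT": ["v=spf1 a -all", "v=spf1 mx -all"]},
    "neutral.example": {"TXT": ["v=spf1 include:mailer.example.net ?all"]},
    "nospf.example": {"TXT": ["some unrelated text"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10


def spf_records(domain):
    """All TXT strings on the domain whose first field is exactly v=spf1."""
    txt = DNS.get(domain, {}).get("TXT", [])
    return [t for t in txt if t.split() and t.split()[0].lower() == "v=spf1"]


def ip_in(ip, cidr):
    """CIDR match; a bare address is treated as a /32 or /128."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_host(ip, domain, lookups=None):
    """Return one of: none, neutral, pass, fail, softfail, permerror."""
    if lookups is None:
        lookups = [0]                      # shared counter across include: recursion
    records = spf_records(domain)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"                 # RFC 7208 section 3.2: exactly one record
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = body.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"         # "too many DNS lookups"
            target = arg or domain
            if name == "a":
                matched = ip in DNS.get(target, {}).get("A", [])
            elif name == "mx":
                hosts = DNS.get(target, {}).get("MX", [])
                matched = any(ip in DNS.get(h, {}).get("A", []) for h in hosts)
            else:
                sub = check_host(ip, target, lookups)
                if sub == "permerror":
                    return sub
                matched = sub == "pass"    # include: matches only on pass
        else:
            return "permerror"             # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                       # nothing matched and no 'all'


if __name__ == "__main__":
    for ip, dom in [("192.0.2.5", "example.com"), ("10.0.0.1", "example.com"),
                    ("203.0.113.7", "selfhosted.example"), ("10.0.0.1", "two-records.example")]:
        print(dom, ip, "->", check_host(ip, dom))
```

Note the ordering point from the Zoho answer: an ip4 match returns before any include: is followed, so listing literal networks first costs the receiver no DNS query at all.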
I'm trying to add SPF records to my DNS zone. The SPF records are from Mailjet (spf.mailjet.com), the domain is Brazilian (.com.br, hosted on uolhost) and my server is on DigitalOcean. When I try to add the TXT record, Mailjet says "Your SPF record is missing".
I added this TXT (suggested by Mailjet) to my DNS zone (at uolhost):
v=spf1 include:spf.mailjet.com ?all
But I have some questions about it (I'm really a beginner on these subjects).
Should the TXT be on DigitalOcean, uolhost, or both?
Do I really have to wait 48h?
Is the TXT above correct?
Sorry for my bad English. I really appreciate any help.
First, you should make it -all instead of ~all; the whole reason to set up authentication is to prevent people from spoofing your domain.
v=spf1 include:spf.mailjet.com -all
Where your SPF record goes depends on where the SPF record is being sent from, or the 5321.From, which is the "Return-Path", etc., not the "FROM" line.
So view the headers of your email and look for the return path email address.
Whichever domain that is is the place in DNS where you will add the TXT record above. If you don't know how to see the headers of your email, just send an email to mailtest@unlocktheinbox.com; it will send you your header information on top of the report. Just look for "Return-path". There is also an SPF section; when you have it set up right it will show "PASSED".
BTW, if you have multiple SPF records (one from an email service provider and the other from Mailjet), then instead of adding 2 TXT records, please use a single TXT record with a combination like the one below:
v=spf1 include:spf.mailjet.com include:spf.protection.outlook.com ~all
(since we use Outlook's email service, hence outlook in our case).
ProtonMail has rolled out support for receiving mail from custom domains, and I'm adding the necessary records to my project's Cloud DNS settings from within Google Cloud Platform. I added the MX and SPF records, and they checked out, but when I try to add the DKIM records I get a "Not Properly Set" error from ProtonMail's end. I followed the same format, putting protonmail._domainkey in the hostname, adding it as a TXT record, and including v=DKIM1; k=rsa; p=... in the record value.
ProtonMail technical support wasn't very helpful, replying with a "we don't see your TXT DKIM records, please ensure they are being properly propagated" response.
I can provide the other records I've set if anyone thinks it would be helpful.
Your DKIM record may need to be wrapped in quotes.
Try:
"v=DKIM1; k=rsa; p=..."
I had the exact same issue with DKIM on protonmail. Protonmail support suggested verifying the records via mxtoolbox.com. Since I could see that my TXT record wasn't showing up as I had written it, I emailed my domain provider for help. They added quotes to the TXT record, and then I could see the record properly on mxtoolbox.com.
Are you able to retrieve your DKIM record with this tool:
http://mxtoolbox.com/dkim.aspx
Enclosing your DKIM TXT entry in quotes may solve the issue. Many DKIM libraries have issues with spaces after the semicolons.
Did you attempt to use a key larger than 1024 bits?
If you provide the domain name that you are having an issue with, I will look at the DKIM information in the zone.
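The answers in this thread come down to two properties of the TXT record data itself: the value has to be a quoted string (several of them, each at most 255 characters, once the key is longer than 1024 bits, which is why the "larger than 1024 bits" question comes up), and the tag=value list must be parsed tolerantly around the semicolons. The following added example, not code from any poster or from ProtonMail, builds the zone-file form of a DKIM record from its tags and parses it back, reporting the same two failure modes; the key material is a constructed placeholder of roughly the base64 length of a 2048-bit RSA key, not a real public key, and the function names are my own.

```python
"""Build and parse DKIM TXT record data as it appears in a zone file.
Added example, not from the thread. The key material is a constructed
placeholder, not a real public key."""
import base64
import re

MAX_STRING = 255   # one TXT <character-string> holds at most 255 bytes

# constructed placeholder: 294 bytes, about the DER size of a 2048-bit RSA key,
# which base64-encodes to 392 characters and so cannot fit one 255-char string
FAKE_P = base64.b64encode(b"\x00" * 294).decode()


def build_txt_rdata(tags):
    """Join tags into 'k=v; k=v' and split into quoted <=255-char strings,
    the form a zone file (or a provider's web form) needs for a long key."""
    text = "; ".join("%s=%s" % (k, v) for k, v in tags.items())
    chunks = [text[i:i + MAX_STRING] for i in range(0, len(text), MAX_STRING)]
    return " ".join('"%s"' % c for c in chunks)


def parse_txt_rdata(rdata):
    """Concatenate the quoted strings (RFC 6376 section 3.6.2.2) and parse
    the tag list, ignoring whitespace around '=' and after ';'. Raises
    ValueError for an unquoted value or a string over 255 characters."""
    strings = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    if not strings:
        raise ValueError("TXT value must be enclosed in quotes: %r" % rdata)
    if any(len(s) > MAX_STRING for s in strings):
        raise ValueError("a quoted string exceeds %d characters; split it" % MAX_STRING)
    tags = {}
    for item in "".join(strings).split(";"):
        if not item.strip():
            continue
        if "=" not in item:
            raise ValueError("malformed tag: %r" % item)
        k, v = item.split("=", 1)
        tags[k.strip()] = "".join(v.split())   # folding whitespace inside values is allowed
    return tags


def check_dkim_record(rdata):
    """Return a list of problems for a <selector>._domainkey TXT value."""
    try:
        tags = parse_txt_rdata(rdata)
    except ValueError as e:
        return [str(e)]
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 if present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type: %s" % tags["k"])
    if not tags.get("p"):
        problems.append("p= (public key) is missing or empty")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems


if __name__ == "__main__":
    rdata = build_txt_rdata({"v": "DKIM1", "k": "rsa", "p": FAKE_P})
    print(rdata)                                   # two quoted strings
    print(check_dkim_record(rdata))                # []
    print(check_dkim_record("v=DKIM1; k=rsa; p=" + FAKE_P))   # unquoted: rejected
```

When a provider's form shows the record differently from what you typed, comparing the output of parse_txt_rdata() on what a lookup tool returns against the tags you intended is a quick way to see whether the quoting or the string split was lost.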
We have used Gmail together with our own domain for 3 years and configured it correctly once; everything worked fine. Mostly.
But recently, some mails (< 2%) are sometimes rejected by the destination mail server because of SPF issues:
Technical details of permanent failure: Google tried to deliver your
message, but it was rejected by the server for the recipient domain
xxxxxx.de by xxxxxxx.de. [xx.xxx.xxx.xxx].
The error that the other server returned was: 550 xxx.xxxx.xxx.xxxx is not
allowed to send mail from xxxxxx.com
This is the SPF-Record we have configured as TXT Record in DNS:
v=spf1 +a +mx -all
Is there something wrong? The latest changes in Google's docs speak about slightly different settings:
v=spf1 include:_spf.google.com ~all
Instead of making blind changes without any understanding of the more detailed topic, I want to ask around: could our SPF record be outdated or completely wrong?
Assuming you're only using Google Apps for Work to send email then yes - your SPF record is wrong. The correct SPF record for this case is:
v=spf1 include:_spf.google.com ~all
If you are also sending emails from your web server directly or from other third party services you will likely need to add additional directives to your SPF record.