
SPF if you have your own mail server.



If you don't have your own mail server and domain this doesn't apply to you so you can skip it.

I have had my own domain, mail and web server, for many years now and lately the mail has become a bit frustrating as I'm getting more and more misdirected bounce messages. These come from spammers forging one of my e-mail addresses onto their spam making me look like the spammer. Not a big deal as I set up automatic filtering in my mail client to report them to spamcop.net and delete them but it is still aggravating to wait for 50-100 unwanted messages to download and delete.

What I did to reduce this is to add an SPF record to my DNS server; that has reduced the unwanted bounce messages to nearly nothing. SPF is a bit frustrating to add if you, like me, use several places to send mail depending on where you are but want to get replies to your main e-mail account. I use my domain's server, my ISP's and Google's for sending, which added a bit of complexity to my SPF information.

What I ended up with is pretty simple looking but took a while to create:

The DNS record:

"v=spf1 mx a include:cox.net include:_spf.google.com ?all"

What it looks like when you check it:

stan@p490:~> dig stanmiller.info TXT

; <<>> DiG 9.9.9-P1 <<>> stanmiller.info TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4250
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;stanmiller.info.               IN      TXT

stanmiller.info.        86400   IN      TXT     "v=spf1 mx a include:cox.net include:_spf.google.com ?all"

;; Query time: 124 msec
;; WHEN: Thu Sep 01 10:36:04 MST 2016
;; MSG SIZE  rcvd: 11

What each section means:

"v=spf1" is the record type that other mail servers use to find the rest of the information

"mx a" tells the other mail servers to accept mail from any system listed in my domain's DNS server as a mail exchanger

"include:cox.net include:_spf.google.com" tells the mail server that these domains are also allowed to send mail for my domain. Note the Google entry: they use a sub-domain to list all of their servers, where cox.net just uses their normal domain.

"?all" is a two-part entry. The ? tells the mail server that this record is "Neutral" and that the SPF record specifies explicitly that nothing can be said about validity. All mail should be accepted. This is a safe default, as if there is a typo or you use another server your mail should still get delivered.


The 'all' matches every server, which isn't really what you want to end up with but is a safe place to start testing and will stop almost all the bounces. At some point you'd want to change the "?" to either a "-" Fail or a "~" SoftFail so servers not on your list will be denied sending if the destination server is enforcing SPF.

This is the place to start if you want to do this too: http://www.openspf.org/Project_Overview

One big tip: set the record lifetime to five minutes / 300 seconds when working with it, and once you are happy set it back to 24 hours / 86400 seconds, or testing will take you days instead of a couple hours.



First rule of computer consulting:

Sell a customer a Linux computer and you'll eat for a day.

Sell a customer a Windows computer and you'll eat for a lifetime.
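
Added example (not part of the original post): a small Python sketch that parses the record shown above and reports what a receiving server would conclude for a given sender IP, first with "?all" and then after tightening to "-all". The RESOLVED table stands in for the DNS lookups and uses constructed documentation addresses, the helper names are hypothetical, and "include" is simplified to a plain address match.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record from the post, plus constructed stand-ins for what each term resolves to.
RECORD = "v=spf1 mx a include:cox.net include:_spf.google.com ?all"
RESOLVED = {
    "mx": ["192.0.2.10/32"],
    "a": ["192.0.2.10/32"],
    "include:cox.net": ["198.51.100.0/24"],
    "include:_spf.google.com": ["203.0.113.0/24"],
}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    terms = record.strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        has_qualifier = term[0] in RESULTS
        qualifier = term[0] if has_qualifier else "+"  # "+" (pass) is the default
        body = term[1:] if has_qualifier else term
        name, _, value = body.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed

def evaluate(record, sender_ip, resolved):
    """Return the SPF result for sender_ip; the first matching term decides."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":  # matches every sender not matched earlier
            return RESULTS[qualifier]
        key = f"{name}:{value}" if value else name
        if any(ip in ipaddress.ip_network(net) for net in resolved.get(key, [])):
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

def with_all_qualifier(record, qualifier):
    """Rewrite the "all" term, e.g. "?all" -> "~all" or "-all"."""
    terms = record.strip('"').split()
    return " ".join(qualifier + "all" if t.lstrip("+-~?").lower() == "all" else t
                    for t in terms)

if __name__ == "__main__":
    for rec in (RECORD, with_all_qualifier(RECORD, "~"), with_all_qualifier(RECORD, "-")):
        # 203.0.113.7 is a listed sender; 192.0.2.200 is not on the list.
        print(rec, evaluate(rec, "203.0.113.7", RESOLVED), evaluate(rec, "192.0.2.200", RESOLVED))
```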



This topic is now archived and is closed to further replies.
