SPF Records – Part 3 – Setting Up Your SPF Record
This post on SPF records covers creating a record for your own domain. In the previous posts I mentioned that the SPF record for EricBrandel.com was the following:
v=spf1 a mx -all
Well, one problem with that: it’s wrong. Let’s look at some email header snippets to see what happens when I send an email to my Gmail and Yahoo accounts (email addresses modified to protect the innocent):
Gmail: Received-SPF: fail (google.com: domain of XXX@ericbrandel.com does not designate 220.127.116.11 as permitted sender) client-ip=18.104.22.168; Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of XXX@ericbrandel.com does not designate 22.214.171.124 as permitted sender)
Yahoo: Received-SPF: fail (domain of ericbrandel.com does not designate 126.96.36.199 as permitted sender)
So what happened? In that SPF record, the a mechanism authorizes the IP address in the domain's address (A) record and the mx mechanism authorizes the IP addresses of the hosts in its mail (MX) record; any other host should fail (-all). But neither of those addresses matches the IP address the email is actually being sent from:
- Address (A) Record: 188.8.131.52
- Mail (MX) Record: 184.108.40.206
- Email was sent from: 220.127.116.11
- On a later test, email was sent from: 18.104.22.168
What I'm running into is what happens with a shared hosting solution. My domain is hosted on a server cluster that also hosts a bunch of other sites, and outgoing mail goes through a number of different servers, each with its own IP address. To accommodate this we can authorize an entire IP address range in CIDR notation. It can be written in one of two ways:
v=spf1 a/20 mx -all
v=spf1 ip4:22.214.171.124/20 a mx -all
Both of those accomplish the same thing: they approve every host IP address from 126.96.36.199 to 188.8.131.52, and both are more verbose than they need to be. Remember, the record is evaluated from left to right, and the a, mx and include mechanisms each cost a DNS lookup (RFC 7208 allows at most ten per check, and a record that goes over that limit fails outright with a permerror), while ip4 and ip6 mechanisms cost none. It's best to keep the record as concise as possible and drop mechanisms that add nothing; here that means mx, provided the MX host's address also falls inside that /20 (if it doesn't and that host sends outbound mail, keep mx). One caveat: a/20 still costs one lookup and ties the authorized range to wherever the website's A record points, so if the web server ever moves to another range, mail breaks; spelling the range out with ip4: costs no lookup and has no such dependency. Thus, the new SPF record is:
v=spf1 a/20 -all
Now, that probably brings up a bunch of questions. First and foremost, how did I find that IP address range? Unfortunately, I had to ask my host for it. This isn't typically a big issue for those using a dedicated server or a more advanced virtual server solution; in most of those cases your host gives you a single dedicated IP address that serves the website, receives mail and sends it, so the original SPF record would work perfectly. In cases where you have a number of IP addresses and the basic SPF record isn't working, it's simple enough to see which IP address the emails are actually being sent from: send yourself an email and look at the headers. The Received-SPF line names the address the receiver saw (Gmail also puts it in the client-ip= field). In Outlook you do this by opening the email and then selecting View->Options.
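To make the evaluation concrete, here is an added example (my code, not from the original post and not any real SPF library) that does what Gmail and Yahoo did above: it pulls the sending IP out of a Received-SPF header and evaluates candidate records against it, counting the DNS lookups each one costs. DNS is replaced by a constructed in-memory table; the names example.com, mail.example.com and _spf.hostingco.example and the documentation addresses 203.0.113.0/24 and 198.51.100.0/24 are assumptions, and the sample header is constructed in the Gmail format shown above. It goes slightly beyond the post by also handling include:, which shared hosts commonly hand out, and the ten-lookup limit from RFC 7208.

```python
"""Toy SPF evaluator plus Received-SPF parser (added example, runs offline)."""
import ipaddress
import re

# Constructed stand-in for DNS; the names and addresses are assumptions
# (documentation ranges), not the post's real data.
FAKE_DNS = {
    ("example.com", "A"): ["203.0.113.10"],          # the web server
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],     # the inbound mail host
    ("_spf.hostingco.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}
# RFC 7208 section 4.6.4: each of these costs one DNS lookup, ten at most per check.
LOOKUP_MECHANISMS = {"a", "mx", "include", "ptr", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"^([a-z0-9]+)(?::([^/]+))?(?:/(\d{1,3}))?$", re.I)


def resolve(name, rrtype):
    return FAKE_DNS.get((name.lower(), rrtype), [])


def _in_cidr(ip, addr, cidr):
    """True if ip falls inside addr/cidr; no cidr means that single host."""
    addr = ipaddress.ip_address(addr)
    if addr.version != ip.version:
        return False
    bits = addr.max_prefixlen if cidr is None else cidr
    return ip in ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def check_spf(record, domain, sender_ip, _lookups=0):
    """Return (result, dns_lookups); terms are tried left to right, first match wins."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", _lookups
    lookups = _lookups
    for term in terms[1:]:
        if "=" in term:                 # modifiers (exp=, redirect=) not modelled
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        m = TERM_RE.match(term)
        if not m:
            return "permerror", lookups
        mech, value, cidr = m.group(1).lower(), m.group(2), m.group(3) and int(m.group(3))
        if mech in LOOKUP_MECHANISMS:
            lookups += 1
            if lookups > 10:
                return "permerror", lookups
        try:
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = value is not None and _in_cidr(ip, value, cidr)
            elif mech == "a":
                matched = any(_in_cidr(ip, a, cidr) for a in resolve(value or domain, "A"))
            elif mech == "mx":
                matched = any(_in_cidr(ip, a, cidr)
                              for mx in resolve(value or domain, "MX")
                              for a in resolve(mx, "A"))
            elif mech == "include":
                sub = resolve(value, "TXT")
                if not sub:             # include target with no record
                    return "permerror", lookups
                result, lookups = check_spf(sub[0], value, sender_ip, lookups)
                matched = result == "pass"
            else:
                return "permerror", lookups   # ptr/exists not modelled
        except ValueError:                     # malformed address or prefix
            return "permerror", lookups
        if matched:
            return QUALIFIERS[qualifier], lookups
    return "neutral", lookups           # nothing matched (RFC 7208 section 4.7)


def parse_received_spf(header):
    """Return (result, sending_ip) from a Received-SPF line, or None; handles the
    Gmail form (client-ip=) and the Yahoo form (address only in the comment)."""
    m = re.search(r"Received-SPF:\s*([a-z]+)\b(.*)", header, re.I | re.S)
    if not m:
        return None
    ipm = (re.search(r"client-ip=([0-9a-f.:]+)", m.group(2), re.I) or
           re.search(r"designates?\s+([0-9a-f.:]+)\s+as permitted sender", m.group(2), re.I))
    return (m.group(1).lower(), ipm.group(1)) if ipm else None


# Constructed header in the Gmail format shown above (not a real capture).
GMAIL_HEADER = ("Received-SPF: fail (google.com: domain of user@example.com does not "
                "designate 203.0.113.77 as permitted sender) client-ip=203.0.113.77;")
CANDIDATES = ["v=spf1 a mx -all",                # the original record
              "v=spf1 a/20 mx -all",             # A record widened to its /20
              "v=spf1 a/20 -all",                # the post's final record
              "v=spf1 ip4:203.0.112.0/20 -all"]  # same range, zero lookups

if __name__ == "__main__":
    for rec in CANDIDATES:
        print(rec, check_spf(rec, "example.com", parse_received_spf(GMAIL_HEADER)[1]))
```

Running it shows `v=spf1 a mx -all` failing the sender after two lookups, while `a/20` passes with one lookup and the equivalent `ip4:` record passes with none. When both fields are present the parser prefers client-ip=, since the parenthesised comment is free text that other receivers format differently.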
With the new SPF record in place, Gmail and Yahoo are now happy with email coming from EricBrandel.com:
Gmail: Received-SPF: pass (google.com: domain of XXX@ericbrandel.com designates 184.108.40.206 as permitted sender) client-ip=220.127.116.11; Authentication-Results: mx.google.com; spf=pass (google.com: domain of XXX@ericbrandel.com designates 18.104.22.168 as permitted sender)
Yahoo: Received-SPF: pass (domain of ericbrandel.com designates 22.214.171.124 as permitted sender)
And all is right with the world. In the final entry on SPF records, I'll cover some online tools you can use to test your SPF records.
Very clear, thank you. Whether on a shared host or not, getting SPF records set up properly is the very first thing we ask clients to check. It’s often overlooked and is a lot easier to set up than DKIM, which is usually the next step.
Nicely written article Eric – I’ve been looking through hundreds of articles and yours is exactly what I was looking for. Thanks