SPF Records - How to Name them - email

I need to create SPF records for my site for emails. I've created the following 4 entries:
I know from reading I should use the following 2 entries for Amazon:
"v=spf1 include:amazonses.com ?all"
"spf2.0/pra include:amazonses.com ?all"
Question:
- should I create 4 entries - 2 TXT and 2 SPF?
- I've named them spf1 and spf2 - is this ok? (I can't use TXT with no name as I'm already using this for another entry.)
- Any other advice on how to set up these entries?
Domain: www.tradies.dating
thanks
Adam

In practice, neither of these records is necessary. Here's why:
The two records you've listed are SPF (v=spf1) and Sender-ID (spf2.0/pra). The latter protocol, Sender-ID, is now obsolete and this record is not required.
SPF works off the 'mfrom' address - that's the Return Path address. Amazon SES uses amazonses.com in the Return Path, meaning that receivers won't even check the SPF record you're creating. So it is not necessary to add it to the SPF record for your domain.
What you need to do is set up DKIM. Authenticating email from Amazon SES requires the use of Amazon's Easy DKIM system (http://docs.aws.amazon.com/ses/latest/DeveloperGuide/easy-dkim.html).

You cannot have more than one SPF record, and naming them SPF1 and SPF2 will not work.
You should combine them into one string. https://serverfault.com/questions/586008/multiple-spf-records-for-multiple-domains shows how to do this.

Related

Multiple SPF records may cause delivery and spam classification issues Route53 and G-Suite

Using G-suite email and DNS configuration for MX records in Route53, I'm blocked on how I can solve this error:
Multiple SPF records may cause delivery and spam classification issues. v=spf1 include:_spf.google.com ~all v=spf1 include:transmail.net ~all
Route53 only allows a single TXT record for SPF information. Route53 does allow you to use new lines for additional SPF information.
However, when running the G-Suite check, I get the error quoted above and some clients are seeing our emails as SPAM.
Is there a solution to this?
You should have one SPF record for your domain, but you can have multiple include directives in the SPF record. You might want to try something like this:
v=spf1 include:_spf.google.com include:transmail.net ~all
The only way I was able to fix this was to proxy the DNS records in Cloudflare which allows an SPF record per line.
A domain MUST NOT have multiple SPF records, SPF fails with PermError otherwise.
An SPF record is a TXT record in the DNS starting exactly with "v=spf1", followed by an array of mechanisms and/or modifiers.
An SPF check starts by fetching all TXT records starting exactly with "v=spf1" on a domain:
if no such record is found, it returns None;
if multiple such records are found, it returns PermError.
If you have multiple services to add to SPF, you would need to combine them as mti2935 shows.
Learn more here: https://dmarcly.com/blog/can-i-have-multiple-spf-records-on-my-domain
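How a receiver picks the SPF record for a domain, and how several v=spf1 strings can be folded into the single record a domain may publish, as an added Python example (this is not code from any answer in the thread, and the TXT record sets it runs on are constructed). It also shows why the spf2.0/pra Sender-ID string from the first question is never consulted by an SPF check: only strings beginning with v=spf1 are collected.

```python
"""Added example: record discovery from RFC 7208 section 4.5 (every TXT record
starting with "v=spf1" is collected; none -> None, more than one -> PermError)
and a merge helper that folds several such records into the single record a
domain is allowed to publish. The record sets in the tests are constructed."""


def select_spf_record(txt_records):
    """Return ("none", None), ("permerror", None) or ("ok", record).
    Only strings that are exactly "v=spf1" or start with "v=spf1 " count;
    Sender-ID "spf2.0/..." strings and other TXT data are ignored."""
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "none", None
    if len(spf) > 1:
        return "permerror", None
    return "ok", spf[0]


STRICTNESS = {"-": 0, "~": 1, "?": 2, "+": 3}   # lower is stricter


def merge_spf_records(records):
    """Fold several v=spf1 records into one: keep each non-"all" term once, in
    order of first appearance, and end with a single "all" carrying the
    strictest qualifier any record used. Records with redirect= cannot be
    merged this way and are rejected."""
    terms, seen, all_qual = [], set(), None
    for rec in records:
        parts = rec.split()
        if not parts or parts[0].lower() != "v=spf1":
            raise ValueError("not an SPF record: %r" % rec)
        for term in parts[1:]:
            if term.lower().startswith("redirect="):
                raise ValueError("redirect= records need manual merging: %r" % rec)
            qual, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
            if body.lower() == "all":
                if all_qual is None or STRICTNESS[qual] < STRICTNESS[all_qual]:
                    all_qual = qual
                continue                          # "all" is re-added once, at the end
            if term.lower() not in seen:
                seen.add(term.lower())
                terms.append(term)
    if all_qual is not None:
        terms.append(("" if all_qual == "+" else all_qual) + "all")
    return " ".join(["v=spf1"] + terms)


def publishable_record(txt_records):
    """What a domain should publish given its current TXT set: the existing
    record if there is exactly one, the merged record if there are several,
    or None if there is no SPF record at all."""
    status, rec = select_spf_record(txt_records)
    if status == "ok":
        return rec
    if status == "permerror":
        return merge_spf_records([r for r in txt_records
                                  if select_spf_record([r])[0] == "ok"])
    return None
```

Fed the two records from the Route53/G-Suite question, `publishable_record` returns the single combined string that answer recommends; fed only a spf2.0/pra string, it returns None, which is what a receiver sees too.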

SPF record a -all

My DNS provider works perfectly for A records.
I am having great difficulty understanding the syntax of SPF records. I have no prior experience.
The DNS provider supports SPF records and it has two control boxes for information: 'Name' and 'SPF data'.
The A record which functions fine looks like this:
Name: potsandpins.info
IPV4 Address: 45.61.228.207
The SPF record which is giving me no joy looks like this:
Name: potsandpins.info
SPF Data: "v=spf1 a -all" (including the quotation marks)
My emails are received with a red flag in Gmail which says 'Gmail couldn't verify that potsandpins.info actually sent this message'.
Can anyone suggest anything as I've tried all sensible permutations?
You don't seem to currently have an SPF record for potsandpins.info; maybe you deleted it because you ran into trouble. Anyway, think of the SPF as a whitelist of any IP addresses or hosts you've given permission to send email on your behalf.
The name would be either the root domain, sometimes designated by the @, or a hostname, foo, which you'd use if you were sending email out as example@foo.example.com.
The SPF data would be the version number (v=spf1), then mechanisms (e.g., a), and then the ip addresses or hosts you'd like to authorize, then the qualifier such as -ALL, which intends a hard fail. You may want to back off from that using ~ALL for now, which intends a softfail. I think it's better to be specific in SPF records as then they're easier to follow exactly what they're authorizing.
Here's an example SPF record. Let's say you wanted to authorize 192.0.2.10 and Google.
v=spf1 ip4:192.0.2.10 include:_spf.google.com ~all
Let's say you wanted to authorize a range of IP addresses and MailChimp:
v=spf1 ip4:192.0.2.0/24 include:servers.mcsv.net ~all
Here's a good article on common mistakes in SPF records.
Then it's important to validate your SPF record using a tool such as the SPF Survey. I like this tool because it gives more detailed, actionable error messages when there's a problem.
If you post the full headers of an example email and indicate any other services you use to send email, then it would be possible to provide more specific advice. For future reference, it's best to provide more details when you post to Stack Overflow as that makes it easier to help. I tried in this post but the information you provided limited how specific the answer could be.
Also, for future reference, it's best to post using example.com rather than a real domain name and use IP addresses from an IPv4 block reserved for documentation.
The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), and 203.0.113.0/24 (TEST-NET-3) are provided for use in documentation.
Anyway, I hope this helps.

SPF Record - Too many DNS lookups

I have been getting an error of 'too many DNS lookups' for my site's SPF record.
After I read the suggestions from the following posts, I decided to follow the advice to try and consolidate my services to reduce the number of lookups.
References:
Too many DNS lookups in an SPF record
PermError SPF Permanent Error: Too many DNS lookup
Right now my SPF record is this:
v=spf1 a include:servers.mcsv.net include:_spf.google.com include:spf.mtasv.net include:jangomail.com ~all
I want to consolidate my services so that it ends up being this:
v=spf1 a include:servers.mcsv.net include:_spf.google.com ~all
I would replace my jangomail with Mandrill (part of Mailchimp servers.mcsv.net) for my transactional emails. And mtasv.net is redundant because we don't use this service anymore.
My situation is exactly like the one posed in this question here:
SPF Record for Mandrill
Kaitlin from Mandrill suggests setting up an SPF record to include Mailchimp and Google Apps as per below.
v=spf1 a include:servers.mcsv.net include:_spf.google.com ~all
However, if I do this, does it not end up being more than 10 lookups and therefore still exceeding the limitations of the protocol?
2 - initial TXT and SPF record
1 - include:servers.mcsv.net
1 - include:_spf.google.com
include:servers.mcsv.net includes:
1 - servers.mcsv.net
1 - spf1.mcsv.net
1 - spf.mandrillapp.com
_spf.google.com includes:
1 - _spf.google.com TXT
1 - _netblocks.google.com TXT
1 - _netblocks2.google.com TXT
1 - _netblocks3.google.com TXT
Total: 11 lookups.
Is there any other way around this?
Consolidation using include may always end up making too many DNS look-ups as the included domains may include others.
To see my approach on solving this issue, have a look at SPF-tools which reassembles the original SPF record and outputs only the ip4 and ip6 fields into the new one. Feel free to ask me any questions, I will gladly help/extend the documentation in the repository.
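An offline SPF evaluator, added here as an example for both the syntax explanation in the potsandpins.info answer and the lookup-counting question above (it is not code from the thread or from the SPF-tools project). It parses a v=spf1 record into qualifier/mechanism/argument terms, checks a sender address against ip4, ip6, a and include, and counts DNS-querying terms the way RFC 7208 section 4.6.4 does: include, a, mx, ptr and exists cost one lookup each, fetching the included domain's TXT record is that one lookup rather than an extra one, the domain's own record fetch costs nothing, and more than 10 is a permerror. The ZONE table is constructed; the records it holds under provider names are invented for the example and are not what those providers publish.

```python
"""Added example (not from the thread): an offline SPF evaluator that parses a v=spf1
record, checks a sender IP against ip4/ip6/a/include, and counts DNS-querying terms as
RFC 7208 section 4.6.4 does (include, a, mx, ptr, exists cost one each; the domain's
own record costs nothing; more than 10 is a permerror). The ZONE below is constructed."""
import ipaddress

LOOKUP_LIMIT = 10
DNS_TERMS = {"include", "a", "mx", "ptr", "exists"}   # redirect= also counts; not handled here
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone: records under provider names are invented, NOT what those providers publish.
# example.com carries the question's original record, example.net the consolidated one.
ZONE = {
    "example.com": {"A": ["203.0.113.10"], "TXT": ["v=spf1 a include:servers.mcsv.net "
        "include:_spf.google.com include:spf.mtasv.net include:jangomail.com ~all"]},
    "example.net": {"A": ["203.0.113.10"], "TXT": [
        "v=spf1 a include:servers.mcsv.net include:_spf.google.com ~all"]},
    "servers.mcsv.net": {"TXT": ["v=spf1 include:spf1.mcsv.net include:spf.mandrillapp.com ?all"]},
    "spf1.mcsv.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ?all"]},
    "spf.mandrillapp.com": {"TXT": ["v=spf1 ip4:198.51.100.200 ?all"]},
    "_spf.google.com": {"TXT": ["v=spf1 include:_netblocks.google.com "
        "include:_netblocks2.google.com include:_netblocks3.google.com ~all"]},
    "_netblocks.google.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "_netblocks2.google.com": {"TXT": ["v=spf1 ip6:2001:db8::/32 ~all"]},
    "_netblocks3.google.com": {"TXT": ["v=spf1 ip4:192.0.2.128/25 ~all"]},
    "spf.mtasv.net": {"TXT": ["v=spf1 include:spf1.mtasv.net ~all"]},
    "spf1.mtasv.net": {"TXT": ["v=spf1 ip4:203.0.113.0/26 ~all"]},
    "jangomail.com": {"TXT": ["v=spf1 ip4:203.0.113.64/26 ~all"]},
}

class PermError(Exception):
    pass

def parse_spf(record):
    """Return [(qualifier, mechanism, argument), ...] for one v=spf1 record."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise PermError("not a v=spf1 record")
    terms = []
    for term in parts[1:]:
        qual, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, sep, arg = term.partition(":")
        if not sep and "=" in name:               # modifier (redirect=, exp=): skipped here
            continue
        terms.append((qual, name.lower(), arg))
    return terms

class Checker:
    """check_host() from RFC 7208 section 4, reduced to the mechanisms the thread uses."""

    def __init__(self, zone):
        self.zone, self.lookups = zone, 0

    def spf_record(self, domain):
        return [r for r in self.zone.get(domain.lower(), {}).get("TXT", [])
                if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]

    def check_host(self, ip, domain):
        recs = self.spf_record(domain)
        if len(recs) != 1:                        # no record -> none, several -> permerror
            return "none" if not recs else "permerror"
        ip = ipaddress.ip_address(str(ip))
        for qual, mech, arg in parse_spf(recs[0]):
            if mech in DNS_TERMS:                 # counted before the term is evaluated
                self.lookups += 1
                if self.lookups > LOOKUP_LIMIT:
                    raise PermError("more than %d DNS-querying terms" % LOOKUP_LIMIT)
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):          # a v4 address never matches an ip6 network
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":                     # AAAA and a/CIDR forms omitted for brevity
                matched = ip in map(ipaddress.ip_address, self.zone.get(arg or domain, {}).get("A", []))
            elif mech == "include":
                sub = self.check_host(ip, arg)
                if sub in ("none", "permerror"):  # RFC 7208 section 5.2
                    return "permerror"
                matched = sub == "pass"
            else:
                return "permerror"                # mx/ptr/exists are not implemented here
            if matched:
                return RESULT[qual]
        return "neutral"                          # nothing matched and no "all" term

def count_dns_terms(zone, domain):
    """Worst-case lookup count (no short-circuit), which is what SPF validators report."""
    total = 0
    for rec in Checker(zone).spf_record(domain):
        for _, mech, arg in parse_spf(rec):
            total += mech in DNS_TERMS
            if mech == "include":
                total += count_dns_terms(zone, arg)
    return total

def evaluate(zone, ip, domain):                   # -> (result, lookups used)
    checker = Checker(zone)
    try:
        return checker.check_host(ip, domain), checker.lookups
    except PermError:                             # lookup limit breached
        return "permerror", checker.lookups
```

Two things the counts make visible: a validator reports the worst case (`count_dns_terms`), while a live check stops at the first matching mechanism, so the same record costs one lookup for a sender matched by `a` and several for one matched deep inside an include; and the permerror triggers the moment the 11th DNS-querying term is reached, regardless of whether the sender would have matched later.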

Amazon SES SPF Setup - when using -all how do you setup a record for your servers IP

I have been reading this page on setting up SPF for my domain sending email through Amazon SES to my subscribers.
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/spf.html
I have added the SPF as suggested:
"spf2.0/pra include:amazonses.com -all"
Afterwards it notes the following:
If you use "-all" as shown in the example above, ISPs may block email from IP addresses that are not listed in your Sender ID record. You therefore must add a record for every IP address that you send email from. As a debugging aid, you can use "~all" instead. When you use "~all", ISPs will typically accept email from IP addresses that are not listed. However, they may flag it. To maximize deliverability, use "-all" and add a record for each IP address.
All of my email is sent from my server, for which I know the IP address. As such I want to set up a record for my server's IP - I am simply a little confused as to what I need to be using. Is it simply another record as follows:
"spf2.0/pra include:127.0.0.1 -all"
where 127.0.0.1 is replaced with my server's IP?
I have had a look at the openspf website with little success - a basic idea of what the correct record is would be great.
Thanks !
spf2.0/pra is SenderID syntax. While similar in name to SPF proper, they are different protocols. For an explanation of the differences and the controversy surrounding SPF vs. SenderID, check here.
For the SPF record syntax, check here. The simplest way to add your server to the record is as follows: "v=spf1 ip:xxx.xxx.xxx.xxx include:amazonses.com -all", where xxx.xxx.xxx.xxx should be replaced by your server's IP. Another option, if the A or MX record for your domain points to your mailserver's IP, is: "v=spf1 a include:amazonses.com -all" or "v=spf1 mx include:amazonses.com -all". It's also allowed to add them all at the same time.

Mail SPF configuration?

THE SITUATION:
I have ONE e-mail account per domain.
I use e-mails such as [some-alias]@[one-of-my-domains-name]. (server: mail.[mydomain]:[secure port])
My registrar (OVH) is different from my web host (Arvixe).
My hosting plan is a mutualised .NET hosting.
When I want to reply with one of my aliases, I use Mozilla Thunderbird 'Identities'. (Login = concrete domain mail account, FROM: 'the alias e-mail'.)
(And yes, this is very efficient to avoid getting spams and unwanted mailing lists.)
THE PROBLEM:
For some recipients using certain spam protection services, I constantly get the error:
Remote server replied: 550 Blocked by SPF ()
HINTS/QUESTIONS AND IDEAS IN SEARCH FOR A SOLUTION
a friend said I have to configure the TXT spf record of my domain.
Using different webmaster tools sites to get DIG info, I never get info about the 'TXT' record. So I'm not sure: should I edit this record on the side of my domain registrar or on the side of the hosting?
Currently on my registrar's side the record reads:
v=spf1 a:mail.[mydomain] include:mx.ovh.com ~all
and on my hosting's side it reads:
v=spf1 a:mail.[mydomain] ~all
THE BIG QUESTION:
How can I solve this ?
Thank you for your help
Your SPF record is a statement that the IP(s) sending the email are authorised to send email for your domain. In your case I am assuming you're actually sending through the Arvixe servers. The records should be set in the TXT record for your domain at the registrar (ovh).
So in this case you need at your registrar (ovh) to edit the TXT record for SPF to read:
v=spf1 mx a:mail.[yourdomain] include:spf.arvixe.com -all
Note: The modifiers on 'all' vary - +,-,~,? - and specify whether recipients should consider the tests conclusive and reject mail or not. There's a great (very thorough) howto on SPF here: http://www.zytrax.com/books/dns/ch9/spf.html
What is a bit unusual is that the recipients are rejecting what should be an inconclusive SPF record (e.g. default = accept). One of the core problems with email is that there will always be edge cases where recipient servers exhibit odd behaviour - I hope this helps in this case.
Solution found:
- I actually had to set the SPF or TXT (I set both at the same value) record on the hosting's side.
- I used check-auth@verifier.port25.com, which is a mail service for checking whether your e-mails are passing some anti-spam filters.
- The reply given by check-auth@verifier.port25.com made me understand the Source IP/HELO hostname were not mail.[mydomain] but [myhostingserversubdomain].arvixe.com. Here is what my SPF and TXT SPF records look like:
v=spf1 mx ptr:[thesubdomain].arvixe.com -all
(I think 'mx' is really not necessary in my case.)
EDIT: Slight improvement:
v=spf1 ip4:[[thesubdomain].arvixe.com IP] ptr:[thesubdomain].arvixe.com -all
mx removed since in my case the mx servers have nothing to do with it.
"ptr" requires DNS lookup, so I added the direct IP. I left "ptr" in case the IP changes (since it's managed by my host).