Emails – SPF Record


This article describes in detail how to set up email verification using an SPF record. For more information on verifying email through DNS, see Emails – SPF, DKIM and DMARC.

The SPF Record

The SPF record protects a domain name from being misused as the sender address of SPAM mail.

A spammer can set the sender address in virtually any way they like. However, domains with an SPF record define exactly which servers are allowed to send mail with their address. Emails from other servers are then evaluated by the recipient’s system as SPAM.

Many email service providers automatically classify messages from domains without an SPF record as SPAM, or reject them completely.

Basic SPF Record

The basic SPF record only works for emails sent from our system. If you have set domain protection with WEDOS Global Protection, or if you also use another email service provider, follow the chapter Detailed SPF Record Settings.

An SPF record is a DNS record of type TXT. If your domain uses WEDOS DNS servers, set it according to the DNS – Domain Records guide. Note that DNS changes will take effect within 1 hour.

The basic SPF record for WEDOS mailservers is:

Name       TTL    Type  Data
(empty)    300    TXT   v=spf1 mx a include:_spf.we.wedos.net -all

This record works under the following conditions:

  • You send emails from the website, for example via a form, only via our email services.
  • You only send emails from the email client via our email services, or you have forwarding set on your mailbox (more information in the article Emails – Mailboxes).
  • The domain does not use AAAA records.
  • You are not using WEDOS Global Protection.

If you use other web hosting or email services, or if you have AAAA records set for the domain, continue with the instructions in the chapter Detailed SPF record settings.

Detailed SPF record settings

A domain can have at most one valid TXT record for SPF in DNS. If you have more than one, none of them works.

If you need to specify multiple servers and/or rules, combine their SPF records into one. To do this, it is enough to write the individual rules between the opening text v=spf1 and the ending -all. Separate rules with spaces.

Example: Mail sent via both Google and WEDOS.
v=spf1 mx a include:_spf.google.com include:_spf.we.wedos.net -all
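
One way to automate the merge described above, as an added example (not WEDOS code): it picks the SPF records out of a domain's TXT records, combines them into one and closes with a single -all. The function names and the sample TXT list are constructed for illustration, and the check against the 10-lookup limit of RFC 7208 goes beyond what this article covers.

```python
import re

# Terms that each cost one DNS lookup when a receiver evaluates the record;
# RFC 7208 allows at most 10 per check. Lookups nested inside an include
# are not counted here, only the terms written in this record.
LOOKUP_TERMS = ("include", "a", "mx", "exists", "ptr", "redirect")
MAX_LOOKUPS = 10

# Constructed sample: the TXT records of a domain that was given one SPF
# record per provider, plus an unrelated TXT record.
SAMPLE_TXT = [
    "v=spf1 mx a include:_spf.we.wedos.net -all",
    "v=spf1 include:_spf.google.com ~all",
    "site-verification=constructed-example",
]


def spf_records(txt_records):
    """Return the TXT strings that are SPF records; more than one is an error."""
    return [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]


def lookup_count(record):
    """Count the terms of one record that trigger a DNS lookup."""
    names = (re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
             for term in record.split()[1:])
    return sum(name in LOOKUP_TERMS for name in names)


def merge_spf(records, final="-all"):
    """Merge SPF records into one: each rule once, in order, one closing all."""
    terms = []
    for record in records:
        parts = record.split()
        if not parts or parts[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {record!r}")
        for term in parts[1:]:
            is_all = re.fullmatch(r"[+\-~?]?all", term, re.IGNORECASE)
            if not is_all and term not in terms:
                terms.append(term)
    merged = " ".join(["v=spf1", *terms, final])
    if lookup_count(merged) > MAX_LOOKUPS:
        raise ValueError("merged record needs more than 10 DNS lookups")
    return merged


if __name__ == "__main__":
    found = spf_records(SAMPLE_TXT)
    print(len(found), "SPF records found; merged:", merge_spf(found))
```

The merged record lists the same rules as the Google and WEDOS example above, in a different order.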

Rules for individual IP addresses

If you need to include a specific IP address in the record, insert it with the prefix ip4: or ip6:. Do not put a space between the prefix and the address itself.

If you have a domain in the WEDOS Global system, add the Webhosting IPv4 address to the basic record, which you can find in the Service Addresses table in its detail.

v=spf1 mx a ip4:(replace bracket with webhosting IPv4) include:_spf.we.wedos.net -all

If you have an AAAA record set for the domain, but otherwise only use WEDOS web hosting and mail hosting, add the IPv6 address to the basic record.

v=spf1 mx a ip6:(replace bracket with webhosting IPv6) include:_spf.we.wedos.net -all

Example: Mail sent from WEDOS webhosting with IPv6 2a02:2b88:1:4::4.
v=spf1 mx a ip6:2a02:2b88:1:4::4 include:_spf.we.wedos.net -all

Rules for other providers

If you send emails through providers other than WEDOS, look up the form of their SPF record in that provider's documentation or other sources.

Common Issues

Common issues with setting up an SPF record include:

SPF Doesn’t Work for Multiple Providers

Problem: We entered the SPF records of all our email providers and they are not working.

Cause: A (sub)domain can have at most one SPF record.

Solution: Merge the records into one according to the instructions in the chapter Detailed SPF record settings.

SPF Doesn’t Work for WEDOS Global Domain

Problem: After adding a domain to WEDOS Global, the SPF record stopped working.

Cause: The IP address of the sending server is different from the IP address listed in the A/AAAA records of the domain.

Solution: Add the Webhosting IP address to the record according to the instructions in the chapter Detailed SPF record settings. You can find it in the Service Addresses table in the Webhosting detail.

WEDOS returns emails with SPF error

Problem: WEDOS returns emails with the following error message:

Recipient address rejected: Please see 
http://www.openspf.net/Why?s=helo;id=sender-domain.tld;ip=XX.XX.XX.XX;r=wes1-mx

Cause: This is a problem with the sender’s SPF: either it is set incorrectly or not at all.

Solution: Until the domain administrator fixes the problem, WEDOS mail servers will reject messages from that domain or mail server.

FAQ

Question: Why don’t you set the SPF record automatically?
Answer: Although a basic SPF record is usually sufficient, we do not have enough information about your mail services to set it correctly in all circumstances. Since setting an SPF record incorrectly can completely block outgoing mail, we leave its setting up to you, because only you have complete information about the email traffic on your domain.

Question: How do I know that a missing SPF record is responsible for mail not being delivered?
Answer: Your emails end up in the recipient’s SPAM, or you receive an undeliverability report mentioning an incorrect or missing SPF record. If you send emails from the website via the mail() function, the cause of undeliverability can be either the SPF record or a missing or incorrect return path parameter.

Question: If I send emails from a subdomain, is it enough to have an SPF record on the main domain?
Answer: No. Create an SPF record for each subdomain you want to send emails from as well.

Question: What does the -all part of the record mean?
Answer: -all means that the server should discard all mails that do not match the rules. This is the strictest verification option.

Question: Google documentation says ~all, you have -all. Does it matter?
Answer: The stricter the authentication option (and -all is stricter than ~all), the less likely someone else will successfully impersonate you. The downside is that with the -all option, if you really do send an email from an unverified source for some reason, the recipient will discard it without further questions. With the ~all variant, there is still a chance that the message will get through.
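
The following added example (not WEDOS code) shows why the Webhosting IP address must be listed when the domain's A record points elsewhere, and how -all and ~all differ for an unlisted sender. It is a simplified offline evaluator: the RESOLVED table stands in for DNS, and all addresses except the IPv6 address from the example in the chapter Rules for individual IP addresses are constructed from documentation ranges.

```python
import ipaddress

# Result for each SPF qualifier (RFC 7208): + pass, - fail, ~ softfail, ? neutral.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS: the networks each term would resolve to.
# Here the A record points at a protection proxy, not at the sending server.
RESOLVED = {
    "a": ["198.51.100.7"],
    "mx": ["203.0.113.25"],
    "include:_spf.we.wedos.net": ["203.0.113.0/24"],
}
WEBHOSTING_IP = "192.0.2.10"  # constructed address of the server that sends mail

BASIC = "v=spf1 mx a include:_spf.we.wedos.net -all"
WITH_IP4 = "v=spf1 mx a ip4:192.0.2.10 include:_spf.we.wedos.net -all"
SOFT = "v=spf1 mx a include:_spf.we.wedos.net ~all"
WITH_IP6 = "v=spf1 mx a ip6:2a02:2b88:1:4::4 include:_spf.we.wedos.net -all"


def check_spf(record, sender_ip, resolved):
    """Evaluate a record for one sending IP: left to right, first match wins."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            nets = [mech[4:]]  # address or CIDR range written in the record
        else:
            nets = resolved.get(mech, [])  # simplified: no real DNS query
        for net in nets:
            network = ipaddress.ip_network(net, strict=False)
            if ip.version == network.version and ip in network:
                return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all'


if __name__ == "__main__":
    for name, rec in (("basic", BASIC), ("with ip4", WITH_IP4), ("~all", SOFT)):
        print(name, "->", check_spf(rec, WEBHOSTING_IP, RESOLVED))
```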
