This article describes in detail how to set up email verification using an SPF record. For more information on verifying email through DNS, see Emails – SPF, DKIM and DMARC.
In this article you will learn:
- What an SPF record is and what it’s for
- How to set up a basic SPF record
- How to set up a detailed SPF record
- Common issues
- Frequently Asked Questions
The SPF Record
The SPF record protects a domain name from being misused as the sender address of SPAM mail.
A spammer can set the sender address in virtually any way they like. However, domains with an SPF record define exactly which servers are allowed to send mail with their address. Emails from other servers are then evaluated by the recipient’s system as SPAM.
Many email service providers automatically classify messages from domains without an SPF record as SPAM, or reject them completely.
Basic SPF Record
The basic SPF record only works for emails sent from our system. If you have set domain protection with WEDOS Global Protection, or if you also use another email service provider, follow the chapter Detailed SPF Record Settings.
An SPF record is a DNS record of type TXT. If your domain uses WEDOS DNS servers, set it according to the DNS – Domain Records guide. Note that DNS changes will take effect within 1 hour.
The basic SPF record for WEDOS mailservers is:
| Name | TTL | Type | Data |
|---|---|---|---|
| (empty) | 300 | TXT | v=spf1 mx a include:_spf.we.wedos.net -all |
This record works under the following conditions:
- You send emails from the website, for example via a form, only via our email services.
- You only send emails from the email client via our email services, or you have forwarding set on your mailbox (more information in the article Emails – Mailboxes).
- The domain does not use AAAA records.
- You are not using WEDOS Global Protection.
If you use other web hosting or email services, or if you have AAAA records set for the domain, continue with the instructions in the chapter Detailed SPF record settings.
Detailed SPF record settings
A domain can have at most one valid TXT record for SPF in DNS. If it has more than one, none of them works.
If you need to specify multiple servers and/or rules, combine their SPF records into one. To do this, it is enough to write the individual rules between the opening text v=spf1 and the ending -all. Separate rules with spaces.
Example: Mail sent via both Google and WEDOS.
Rules for individual IP addresses
If you need to include a specific IP address in the record, insert it with the prefix ip4: or ip6:. Do not put a space between the prefix and the address itself.
If you have a domain in the WEDOS Global system, add the Webhosting IPv4 address to the basic record, which you can find in the Service Addresses table in its detail.
v=spf1 mx a ip4:(replace bracket with webhosting IPv4) include:_spf.we.wedos.net -all
If you have an AAAA record set for the domain, but otherwise only use WEDOS web hosting and mail hosting, add the IPv6 address to the basic record.
v=spf1 mx a ip6:(replace bracket with webhosting IPv6) include:_spf.we.wedos.net -all
Example: Mail sent from WEDOS webhosting with IPv6 2a02:2b88:1:4::4.
Rules for other providers
If you send emails through providers other than WEDOS, look up the form of their SPF record in that provider’s documentation or other sources.
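The merge rule and the one-record limit from this chapter, as an added example that is not part of the WEDOS documentation. It goes slightly beyond the article by also counting DNS lookups, which RFC 7208 limits to 10 per check. The second provider's include name is hypothetical and the sample records are constructed.

```python
import ipaddress
# Terms that each cost one DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}

def spf_terms(record):
    """Split one SPF record into its terms, dropping the leading v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    return terms[1:]

def term_name(term):
    """'ip4:192.0.2.10' -> 'ip4', '-all' -> 'all', 'a/24' -> 'a'."""
    name = term.lstrip("+-~?").lower()
    for sep in ":/=":
        name = name.split(sep)[0]
    return name

def merge_spf(records, final_all="-all"):
    """Write all rules between v=spf1 and a single closing all rule."""
    merged = []
    for record in records:
        for term in spf_terms(record):
            if term_name(term) != "all" and term not in merged:
                merged.append(term)
    return " ".join(["v=spf1", *merged, final_all])

def problems(txt_values):
    """List SPF mistakes in the TXT values published at one name."""
    spf = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"{len(spf)} SPF records found, exactly one is required"]
    found, terms = [], spf_terms(spf[0])
    for term in terms:
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(value, strict=False).version != int(name[2]):
                    found.append(f"{term} has the wrong address family")
            except ValueError:
                found.append(f"{term} has no valid address attached")
    lookups = sum(term_name(t) in LOOKUP_TERMS for t in terms)
    if lookups > 10:
        found.append(f"{lookups} DNS lookups, the limit is 10")
    return found

# Constructed sample: the basic record plus a hypothetical second provider.
WEDOS = "v=spf1 mx a include:_spf.we.wedos.net -all"
OTHER = "v=spf1 include:_spf.mail-provider.example ~all"
MERGED = merge_spf([WEDOS, OTHER])
```

Publishing `WEDOS` and `OTHER` as two separate TXT records is reported by `problems()`, while `MERGED` passes. A space after `ip4:` is reported as a rule with no address attached.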
Common Issues
Common issues with setting up an SPF record include:
- SPF failure for multiple providers
- Email delivery problems after setting up WEDOS Global
- WEDOS returns emails with SPF error
SPF Doesn’t Work for Multiple Providers
Problem: We entered the SPF records of all our email providers and they are not working.
Reason: A (sub)domain can have at most one SPF record.
Solution: Merge the records into one according to the instructions in the chapter Detailed SPF record settings.
SPF Doesn’t Work for WEDOS Global Domain
Problem: After adding a domain to WEDOS Global, the SPF record stopped working.
Cause: The IP address of the sending server is different from the IP address listed in the A/AAAA records of the domain.
Solution: Add the Webhosting IP address to the record according to the instructions in the chapter Detailed SPF record settings. You can find it in the Service Addresses table in the Webhosting detail.
WEDOS returns emails with SPF error
Problem: WEDOS returns emails with the following error message:
Recipient address rejected: Please see http://www.openspf.net/Why?s=helo;id=sender-domain.tld;ip=XX.XX.XX.XX;r=wes1-mx
Cause: This is a problem with the sender’s SPF: either it is set incorrectly or not at all.
Solution: Until the domain administrator fixes the problem, WEDOS mail servers will reject messages from that domain or mail server.
FAQ
Question: Why don’t you set the SPF record automatically?
Answer: Although a basic SPF record is usually sufficient, we do not have enough information about your mail services to set it correctly in all circumstances. Since setting an SPF record incorrectly can completely block outgoing mail, we leave its setup to you, because only you have complete information about the email traffic on your domain.
Question: How do I know that a missing SPF record is responsible for mail not being delivered?
Answer: Your emails end up in the recipient’s SPAM, or you receive an undeliverability report mentioning an incorrect or missing SPF record. If you send emails from the website via the mail() function, the cause of undeliverability can be either the SPF record or a missing or incorrect return path parameter.
Question: If I send emails from a subdomain, is it enough to have an SPF record on the main domain?
Answer: No, create SPF records for each subdomain you want to send emails from as well.
Question: What does the -all part of the record mean?
Answer: -all means that the server should discard all mails that do not match the rules. This is the strictest verification option.
Question: Google documentation says ~all, you have -all. Does it matter?
Answer: The stricter the authentication option (and -all is stricter than ~all), the less likely someone else will successfully impersonate you. The downside is that with the -all option, if you really do send an email from an unverified source for some reason, the recipient will discard it without further questions. With the ~all variant, there is still a chance that the message will get through.
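An added example, not WEDOS code, that evaluates a record the way a receiving server does. It shows two points from this article: why the basic record stops matching once the domain's A record no longer points at the sending web hosting, and what changes between -all and ~all. The domain, the addresses, the include name `_spf.mailhost.test` and its contents are all constructed stand-ins.

```python
import ipaddress

# Constructed DNS data for a hypothetical domain behind a protection proxy:
# the A record points at the proxy, not at the web hosting that sends the mail.
DNS = {
    ("example.test", "A"): ["203.0.113.5"],
    ("example.test", "MX"): ["mx.example.test"],
    ("mx.example.test", "A"): ["198.51.100.20"],
    ("_spf.mailhost.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def host_ips(name):
    """A and AAAA addresses of a name, taken from the constructed table."""
    found = DNS.get((name, "A"), []) + DNS.get((name, "AAAA"), [])
    return [ipaddress.ip_address(a) for a in found]

def check_host(ip, domain, record):
    """Simplified SPF evaluation: the first matching rule decides the result."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            hit = True
        elif mech in ("ip4", "ip6"):
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = addr in host_ips(arg or domain)
        elif mech == "mx":
            hosts = DNS.get((arg or domain, "MX"), [])
            hit = any(addr in host_ips(h) for h in hosts)
        elif mech == "include":
            hit = check_host(ip, arg, DNS[(arg, "TXT")][0]) == "pass"
        else:
            hit = False  # exists, ptr and CIDR suffixes are not evaluated here
        if hit:
            return RESULTS[qualifier]
    return "neutral"

SENDER = "192.0.2.10"  # constructed web hosting address
BASIC = "v=spf1 mx a include:_spf.mailhost.test -all"
WITH_IP4 = "v=spf1 mx a ip4:192.0.2.10 include:_spf.mailhost.test -all"
SOFT = "v=spf1 mx a include:_spf.mailhost.test ~all"
```

For `SENDER`, `BASIC` evaluates to fail and `SOFT` to softfail, because neither `mx`, `a` nor the include covers the hosting address; `WITH_IP4` evaluates to pass.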