How to set up a SPF record

Posted on 2008-10-06
Last Modified: 2012-06-27
I need help with something I do not really understand. I am getting over a thousand delivery errors within a few minutes because some spammer is using one of my email addresses as the "reply to" address on the junk they are sending out. I understand that the SPF record is supposed to help prevent this from happening, but I can't seem to figure out how to set this up properly.

Let me first describe the environment I have:

Four Dell Windows 2003 servers:
Exchange 2003 Server  ES01  xx.xx.xx.157
Domain Controller Server  DC01  xx.xx.xx.190
Web Server  WS01  xx.xx.xx.131 - 150
Web Server  WS02  xx.xx.xx.156
I am hosting several domain names on the web servers and accept email for all of them on the Exchange server.

My understanding is that I should add the SPF record to the DNS server on DC01.  (Is that a correct assumption?)

How do I include all the domains in the SPF record?  (Or do I create multiple records for each domain?)

Initially, I had just:

v=spf1 mx ~all

in the DNS of the primary domain on DC01.  I have also tried other variations:
v=spf1 mx a:ES01 ~all
v=spf1 mx ptr ip4: ~all

None seem to be working based on testing at: 

Can anyone walk me through what this record (or records) need to look like so that I can verify it works via the microsoft test site listed above?

Question by: grhelm
Accepted Solution

pablovr earned 200 total points
ID: 22654845
When I did it, I established the SPF record in the ISP's DNS, not in my Domain Controller.

Here is a page with information and examples regarding SPF:

Assisted Solution

ScottGranado earned 300 total points
ID: 22664612
The record you have in place
"v=spf1 mx ~all" should probably be "v=spf1 mx -all"

The difference is that the tilde means that if it doesn't match then the server can still let the email pass. With the minus you are saying: if the sending server does not match one of my MX servers for my domain then you should drop it. This is what the -all is for.
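To make the difference between the two qualifiers concrete, here is an added example (my own code, not from this thread and not from any SPF library) of a minimal RFC 7208 evaluator over an in-memory zone. Every name and address in ZONE is constructed for the example; the only thing taken from the thread is the shape of the records being compared. The same sender that the spammer forges gets "fail" under -all and "softfail" under ~all, gets "none" from a domain with no record at all, and the earlier variant "v=spf1 mx ptr ip4: ~all" gives "permerror" for a forged sender because an ip4: with no address is a syntax error (the legitimate server still passes on the mx mechanism before that term is reached).

```python
"""Minimal SPF evaluator (RFC 7208 subset) over an in-memory zone.

Added example: shows what "v=spf1 mx ~all" versus "v=spf1 mx -all" return
for a legitimate sender and for a spammer forging the domain.
"""
import ipaddress

# Constructed zone standing in for the asker's DNS. Every name and address
# here is an assumption for the example (RFC 5737 documentation ranges).
ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("example.com", "MX"): ["es01.example.com"],
    ("soft.example.com", "TXT"): ["v=spf1 mx ~all"],
    ("soft.example.com", "MX"): ["es01.example.com"],
    ("broken.example.com", "TXT"): ["v=spf1 mx ptr ip4: ~all"],
    ("broken.example.com", "MX"): ["es01.example.com"],
    ("nospf.example.com", "MX"): ["es01.example.com"],
    ("es01.example.com", "A"): ["203.0.113.157"],
    ("157.113.0.203.in-addr.arpa", "PTR"): ["es01.example.com"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] when the zone has no such RRset."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def get_spf(domain):
    """Return the domain's SPF record, or None when none is published.
    More than one v=spf1 TXT record is a permanent error (RFC 7208 s3.2)."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(recs) > 1:
        raise ValueError("multiple SPF records")
    return recs[0] if recs else None


def ip_in(ip, network):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_host(ip, domain):
    """Evaluate <ip> as a sender for <domain>; returns an RFC 7208 result."""
    try:
        record = get_spf(domain)
        if record is None:
            return "none"
        for term in record.split()[1:]:
            qual = "+"
            if term[0] in QUALIFIERS:
                qual, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            mech = mech.lower()
            target = arg or domain
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip_in(ip, arg)  # empty arg -> ValueError -> permerror
            elif mech == "a":
                matched = any(ip_in(ip, a) for a in lookup(target, "A"))
            elif mech == "mx":
                matched = any(ip_in(ip, a)
                              for mx in lookup(target, "MX")
                              for a in lookup(mx, "A"))
            elif mech == "ptr":
                # Discouraged by RFC 7208 s5.5; shown only because the thread used it.
                rev = ipaddress.ip_address(ip).reverse_pointer
                matched = any((h == target or h.endswith("." + target))
                              and ip in lookup(h, "A")
                              for h in lookup(rev, "PTR"))
            elif mech == "include":
                matched = check_host(ip, arg) == "pass"
            else:
                raise ValueError("unknown mechanism " + mech)
            if matched:
                return QUALIFIERS[qual]
        return "neutral"  # record ran out without matching (no trailing all)
    except ValueError:
        return "permerror"


if __name__ == "__main__":
    legit, forged = "203.0.113.157", "198.51.100.9"
    for dom in ("example.com", "soft.example.com", "broken.example.com", "nospf.example.com"):
        print(f"{dom:20} legit={check_host(legit, dom):9} forged={check_host(forged, dom)}")
```

The receiving side decides what to do with each result; "fail" is the only one a receiver will normally reject on, which is why the thread's advice to move from ~all to -all matters once you are sure every legitimate sender is covered by the mechanisms in front of it.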

Author Comment

ID: 22670781

I have updated the entry to "v=spf1 mx -all". However, when I run the Microsoft test, I still get:
No SPF Record Found. A and MX Records Available
No SPF record has been found for the domain. However, MX and/or A records currently exist for this domain.
Addresses Listed in A records
Mail Servers Listed in MX Records xx.xx.xx.157
This information may be of assistance in creating your new SPF record.
Does adding/changing the SPF entry have an immediate effect or does it take some sort of action (or time) to implement the change?
Assisted Solution

ScottGranado earned 300 total points
ID: 22671299
Hey Grhelm,

A TXT record such as an SPF record has TTL values associated as well. This means that it does take time to propagate back out if you change the SPF record and it's cached. The best bet is to try another SPF checker that you've never used before, and therefore will not have your query cached. Try:

Also, reviewing the error message you posted, it is actually saying there is no SPF record, not that the SPF record is incorrect. Make sure in DNS for your domain the SPF is a TXT record. You can check this by going to and putting in your domain in the DNS Lookup tool and choosing TXT from the drop down.

Author Comment

ID: 22671430

When I go to, the site is preloaded with the domain of my ISP???

The second site gives me the following response:
; <<>> DiG 9.2.4 <<>> -t TXT
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57686
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0


;; AUTHORITY SECTION: 10800 IN SOA 2006090400 28800 7200 604800 86400

;; Query time: 53 msec
;; WHEN: Wed Oct 8 11:08:29 2008
;; MSG SIZE rcvd: 96
I have attached a screenshot of the SPF entry.


Expert Comment

ID: 22671547
Yeah, it definitely doesn't look like your DNS server is sending out your TXT record:

This is what i get when i look up the txt record for
> nslookup
> set type=txt
Server:  xxxxxxx
        primary name server =
        responsible mail addr =
        serial  = 2006090400
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

do you have a TXT record on your public facing authoritative dns server?
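The dig and nslookup output above both show the same thing: status NOERROR, an empty answer section, and the zone's SOA in the AUTHORITY section. That is a NODATA reply (the name exists, but the server has no TXT record for it), and under RFC 2308 a resolver may cache that negative answer for min(SOA TTL, SOA MINIMUM), which is why a freshly added record can keep "not found" for a while at a checker you have already used. As an added example (my own code, not from the thread), the following classifies a dig reply and works out that negative cache time. The two sample replies are constructed to match the shape of the output posted above; example.com and the name server are assumptions.

```python
"""Classify a 'dig -t TXT' reply and compute the negative-cache TTL (RFC 2308).

Added example. The sample replies are constructed; example.com and
ns1.example.net are assumptions, and the SOA timers copy the thread's values.
"""
import re

# NOERROR with ANSWER: 0 and an SOA in AUTHORITY: the name exists but has
# no TXT record at the server that answered (NODATA).
SAMPLE_NODATA = """\
; <<>> DiG 9.2.4 <<>> example.com -t TXT
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57686
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
example.com. 10800 IN SOA ns1.example.net. hostmaster.example.net. 2006090400 28800 7200 604800 86400

;; Query time: 53 msec
"""

# What the same query should look like once the record is published and the
# authoritative server (note the 'aa' flag) is asked directly.
SAMPLE_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
example.com. 3600 IN TXT "v=spf1 mx -all"
"""

HEADER_RE = re.compile(r"status: (\w+), id: \d+")
COUNTS_RE = re.compile(r"flags: ([\w ]*); QUERY: \d+, ANSWER: (\d+), AUTHORITY: (\d+)")
# name, TTL, mname, rname, serial, refresh, retry, expire, minimum
SOA_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+SOA\s+\S+\s+\S+\s+\d+\s+\d+\s+\d+\s+\d+\s+(\d+)", re.M)
TXT_RE = re.compile(r'^\S+\s+(\d+)\s+IN\s+TXT\s+"([^"]*)"', re.M)


def classify(dig_output):
    """Return a dict describing what the reply means for an SPF lookup."""
    status = HEADER_RE.search(dig_output).group(1)
    flags, answers, _authority = COUNTS_RE.search(dig_output).groups()
    result = {
        "status": status,
        "authoritative": "aa" in flags.split(),
        "kind": "error",
        "spf": None,
        "negative_ttl": None,
    }
    if status == "NXDOMAIN" or (status == "NOERROR" and int(answers) == 0):
        result["kind"] = "nxdomain" if status == "NXDOMAIN" else "nodata"
        soa = SOA_RE.search(dig_output)
        if soa:
            # RFC 2308 s5: the negative answer is cached for min(SOA TTL, MINIMUM).
            result["negative_ttl"] = min(int(soa.group(2)), int(soa.group(3)))
    elif status == "NOERROR":
        result["kind"] = "answer"
        for _ttl, text in TXT_RE.findall(dig_output):
            if text.lower().startswith("v=spf1"):
                result["spf"] = text
    return result


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_NODATA), ("after", SAMPLE_ANSWER)):
        print(label, classify(sample))
```

With the thread's SOA values the negative answer is cacheable for 10800 seconds (the SOA TTL, which is smaller than the 86400 MINIMUM field), so a checker that asked before the record existed can report "No SPF Record Found" for up to three hours afterwards. Querying the authoritative server directly (dig @ns1.example.net example.com TXT) bypasses every cache and tells you whether the record is actually published.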

Author Comment

ID: 22671573
What is a "public facing authoritative dns server"??

All I have is a domain controller and that is where I have been putting this stuff...


Author Comment

ID: 22671594
"All I have..."

Assisted Solution

ScottGranado earned 300 total points
ID: 22671611
Is your domain controller handling the DNS for this domain? Is this server accessible from the net? If the domain you're having problems with is then the NS server is pointing to, so you would have to modify the SPF record on this server.

Author Comment

ID: 22671686
Hmm, is at

And it does look like they give me the option to set up a SPF record there...

I guess now I need to figure out how to use their "wizard" to set this up....

Author Comment

ID: 22671754
The wizard created this:

v=spf1 a mx -all

(where is the ISP)

Assisted Solution

pablovr earned 200 total points
ID: 22672600
As I said at the beginning, you should be doing this at your ISP's DNS.

Author Comment

ID: 22673231

Okay, I'll give you that.

It looks like the one I created above is now visible. Do I need to do the same thing for every domain name I have?

Expert Comment

ID: 22673627
Yes, that's correct.
