SPF Record Creation Assistance

Posted on 2014-02-10
Last Modified: 2016-05-22
We are looking for advice on a proper SPF record.  Our current record is as follows:
V=spf1 mx ~all

But after doing some research, it seems that we should have a different setup like this:
v=spf1 mx a ip4:xx.xx.xx.xx ?all

1) ip4:xx.xx.xx.xx = our mail server external address
2) = mailchimp sends marketing emails on our behalf, but through their system, not ours

We have used a few of the online SPF creation tools, but all this seemed to have done is confuse us more. We want to make sure that our emails are received without issue on other systems, but don't want to open things up too much - especially with the mailchimp service. Any advice/explanation would be greatly appreciated.

Question by:ejscn

Accepted Solution

Leon Kammer earned 168 total points
ID: 39847689
SPF is as follows.

mx means that all MX records listed in the domain are allowed to send mail.
a means that all A records can send email.

ip4: allows you to specify the addresses in CIDR format (IP + subnet) that are allowed to send email.

a: allows you to specify which hostnames can send email for this domain.

include: specifies which other domains (SMTP servers) are allowed to send mail for the domain.

~all is a soft fail (anything non-compliant will be accepted, but will be marked as non-compliant)
-all is a hard fail (anything non-compliant will be rejected)
?all is a neutral mode (anything sent will probably be received)

So, V=spf1 mx ~all specifies that all MX records and all A record IP addresses can send mail for this domain; anything that is not compliant with this is marked as non-compliant, but accepted.

Hope this helps



Assisted Solution

by:Marcus Bointon
Marcus Bointon earned 332 total points
ID: 39847813
The whole point of SPF is to prevent forgeries, and any set of rules that doesn't end in '-all' fails to do that to any significant extent. A record ending in '?all' is useless as it says 'these sources are ok, and so is anything else'.

The hardest part of SPF is nailing down your sources - for example, if you have users that send via their ISP's email servers, you need to either permit that in your SPF (by including, say, Gmail's SPF), which introduces a lot of wiggle room for forgery, or don't allow them to do that and require them to use only your own mail servers. That's easy to do in a small company, but much harder in a big one.

SPF entries are evaluated left to right, so it's best to list ip4-type parts first as they can be resolved immediately without any DNS lookups, which a, mx and include parts require.

Author Comment

ID: 39847836
OK, 100% of our staff send through the server itself - either through Outlook or through web access. So with that in mind, would you recommend:
v=spf1 mx a ip4:xx.xx.xx.xx/xx -all


Assisted Solution

by:Marcus Bointon
Marcus Bointon earned 332 total points
ID: 39847850
Nearly. This will be faster for receiving systems to process (though it has exactly the same meaning):

v=spf1 ip4:xx.xx.xx.xx/xx mx a -all


The include has the biggest overhead, so that should always go last. One thing to look out for is includes that don't themselves end in '-all'; they constitute a back-door into allowing unapproved sources in your domain.
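To make the mechanism and qualifier descriptions in the accepted answer and the ordering and include points in this reply concrete, here is an added evaluator (my code, not from anyone in this thread) that walks an SPF record left to right the way a receiving server does. It uses a constructed in-memory DNS table instead of real lookups, so the domains (example.com, bulk.example, leaky.example, example.org) and the RFC 5737 documentation addresses are assumptions. It counts the DNS-querying mechanisms (a, mx, include), which RFC 7208 caps at 10, so you can see why the ip4-first ordering is cheaper; it also applies the standard include rule, under which an include only matches when the referenced record yields Pass, so the back-door case it demonstrates is an include whose own record ends in +all.

```python
import ipaddress

# SPF qualifier prefixes and the result each yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS table (an assumption standing in for live lookups, so this runs offline).
# Addresses are from the RFC 5737 documentation ranges; domains are hypothetical.
DNS = {
    "example.com": {
        "TXT": "v=spf1 ip4:203.0.113.10/32 mx a include:bulk.example -all",
        "MX": ["mail.example.com"],
        "A": ["203.0.113.20"],
    },
    "mail.example.com": {"A": ["203.0.113.10"]},
    "bulk.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},   # well-behaved bulk sender
    "leaky.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 +all"},  # passes any sender at all
    "example.org": {"TXT": "v=spf1 include:leaky.example -all"},   # trusts the leaky record
}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # no prefix means '+' (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_host(ip, domain, dns=DNS, lookups=None):
    """Evaluate the SPF record for `domain` against sending address `ip`.

    Returns (result, dns_lookups). Terms are tried left to right and the first
    matching mechanism decides the result. `lookups` counts the mechanisms
    that need DNS (a, mx, include), which RFC 7208 caps at 10 per check.
    """
    addr = ipaddress.ip_address(ip)
    lookups = [0] if lookups is None else lookups   # shared across include recursion
    record = dns.get(domain, {}).get("TXT")
    if record is None:
        return "none", lookups[0]
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            matched = True
        elif mechanism == "ip4":
            matched = addr in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "a":
            lookups[0] += 1
            matched = str(addr) in dns.get(argument or domain, {}).get("A", [])
        elif mechanism == "mx":
            lookups[0] += 1
            hosts = dns.get(argument or domain, {}).get("MX", [])
            matched = any(str(addr) in dns.get(h, {}).get("A", []) for h in hosts)
        elif mechanism == "include":
            lookups[0] += 1
            # include matches only when the referenced record yields Pass;
            # fail/softfail/neutral from it just moves on to the next term.
            matched = check_host(ip, argument, dns, lookups)[0] == "pass"
        else:
            continue   # ip6/exists/ptr left out of this example
        if lookups[0] > 10:
            return "permerror", lookups[0]
        if matched:
            return QUALIFIERS[qualifier], lookups[0]
    return "neutral", lookups[0]   # nothing matched and no 'all' term present


def check_with_record(ip, domain, record, dns=DNS):
    """Evaluate a candidate record for `domain` without publishing it."""
    trial = dict(dns)
    trial[domain] = {**dns.get(domain, {}), "TXT": record}
    return check_host(ip, domain, trial)


if __name__ == "__main__":
    # The two orderings from the thread, for mail sent from the MX host itself.
    for rec in ("v=spf1 mx a ip4:203.0.113.10/32 -all",
                "v=spf1 ip4:203.0.113.10/32 mx a -all"):
        print(rec, "->", check_with_record("203.0.113.10", "example.com", rec))
    # The same unapproved sender under each closing qualifier.
    for tail in ("-all", "~all", "?all"):
        print(tail, "->", check_with_record("192.0.2.99", "example.com", "v=spf1 mx " + tail))
    # An include whose own record ends in +all lets an unknown sender through.
    print("example.org", "->", check_host("192.0.2.99", "example.org"))
```

Running it shows the ip4-first record passing the MX host with zero lookups where the mx-first record needs one, the three closing qualifiers turning the same unknown sender into fail, softfail or neutral, and example.org passing an address it never listed purely because leaky.example ends in +all. Swapping the table for real TXT/MX/A queries and adding ip6 would make it usable against a live domain; with check_with_record you can dry-run a candidate record before publishing it.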

Author Comment

ID: 39847889
Thanks - this is really helpful. One final (hopefully) follow-up question. We were recently put on a spam blacklist because (it seems) of the marketing emails sent through mailchimp. Although the email addresses that received the emails signed up to get them, there were between 1500 and 2000 emails sent. We have since been removed from the spam blacklist after contacting them, but don't want it to happen again. Coming back full circle, would the "" have any impact on this issue? As an FYI - mailchimp is sending the emails on our behalf, so I believe they are appearing to come from our domain.

This reason is one of the main reasons that we began looking at the current SPF record. In doing research on the possible causes, we were directed to look at it.
