

SPF Record Creation Assistance

Posted on 2014-02-10
Medium Priority
Last Modified: 2016-05-22
We are looking for advice on a proper SPF record.  Our current record is as follows:
V=spf1 mx ~all

But after doing some research, it seems that we should have a different setup like this:
v=spf1 mx a ip4:xx.xx.xx.xx include:mailchimp.com ?all

1) ip4:xx.xx.xx.xx = our mail server external address
2) include:mailchimp.com = mailchimp sends marketing emails on our behalf, but through their system, not ours

We have used a few of the online SPF creation tools, but all this seemed to have done is confuse us more.  We want to make sure that our emails are received without issue on other systems, but don't want to open things up too much - especially with the mailchimp service.  Any advice/explanation would greatly be appreciated.

Question by:ejscn

Accepted Solution

Leon Kammer earned 672 total points
ID: 39847689
SPF is as follows.

mx means that all MX records listed in the domain are allowed to send mail
a means that all a records can send email.

ipv4: allows you to specify the addresses in CIDR format (IP + subnet) that are allowed to send email

a: allows you to specify which hostnames can send email for this domain.

include: specifies which other domains (SMTP servers) are allowed to send mail for the domain.

~all is a soft fail (anything non-compliant will be accepted, but will be marked as non-compliant)
-all is a hard fail (anything non-compliant will be rejected)
?all is a neutral mode (anything sent will probably be received)

So, V=spf1 mx ~all specifies that all mx records and all a record ip addresses can send mail for this domain, anything that is not compliant with this, mark as non-compliant, but accept it.

Hope this helps



Assisted Solution

by:Marcus Bointon
Marcus Bointon earned 1328 total points
ID: 39847813
The whole point of SPF is to prevent forgeries, and any set of rules that doesn't end in '-all' fails to do that to any significant extent. A record ending in '?all' is useless as it says 'these sources are ok, and so is anything else'.

The hardest part of SPF is nailing down your sources - for example, if you have users that send via their ISP's email servers, you need to either permit that in your SPF (by including, say, gmail's SPF), which introduces a lot of wiggle room for forgery, or don't allow them to do that and require them to only use your own mail servers. That's easy to do in a small company, but much harder in a big one.

SPF entries are evaluated left to right, so it's best to list ip4-type parts first as they can be resolved immediately without any DNS lookups, which a, mx and include parts require.

Author Comment

ID: 39847836
OK, 100% of our staff send through the server itself - either through Outlook or through webaccess.  So with that in mind, would you recommend:
v=spf1 mx a ip4:xx.xx.xx.xx/xx include:mailchimp.com -all


Assisted Solution

by:Marcus Bointon
Marcus Bointon earned 1328 total points
ID: 39847850
Nearly. This will be faster for receiving systems to process (though it has exactly the same meaning):

v=spf1 ip4:xx.xx.xx.xx/xx mx a include:mailchimp.com -all


The include has the biggest overhead, so that should always go last. One thing to look out for is includes that don't themselves end in '-all'; they constitute a back-door into allowing unapproved sources in your domain.
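
An offline check for the points raised in the answers above, as an added example that is not part of any post in this thread: it parses an SPF record, reports how the final "all" term is qualified, counts the top-level terms that need DNS queries, and flags ip4/ip6 terms listed after them. The function names are hypothetical, the sample records are the ones quoted in the thread, and the limit of 10 DNS-querying terms is taken from RFC 7208, not from the thread.

```python
import re

# Terms that make the receiving server issue DNS queries (RFC 7208, 4.6.4).
DNS_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Return [(qualifier, name), ...] for the terms of a v=spf1 record."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for tok in tokens[1:]:
        # A term without an explicit qualifier defaults to "+" (pass).
        qual, body = (tok[0], tok[1:]) if tok[0] in QUALIFIERS else ("+", tok)
        m = re.match(r"[A-Za-z][A-Za-z0-9]*", body)
        if m is None:
            raise ValueError("malformed term: " + tok)
        terms.append((qual, m.group(0).lower()))
    return terms

def lint_spf(record):
    """Report catch-all strength, DNS-querying term count and ordering."""
    terms = parse_spf(record)
    names = [name for _, name in terms]
    warnings = []
    # Only top-level terms are counted; terms inside an include also count
    # toward the receiver's limit but need a DNS query to discover.
    lookups = sum(name in DNS_TERMS for name in names)
    catch_all = QUALIFIERS[terms[names.index("all")][0]] if "all" in names else None
    if catch_all != "fail" and "redirect" not in names:
        warnings.append("no -all: mail from unlisted sources is not rejected")
    if lookups > 10:
        warnings.append("over 10 DNS-querying terms: receivers return permerror")
    first_dns = next((i for i, n in enumerate(names) if n in DNS_TERMS), len(names))
    if any(n in ("ip4", "ip6") for n in names[first_dns:]):
        warnings.append("ip4/ip6 after a DNS-based term: list literal addresses first")
    return {"all": catch_all, "dns_lookups": lookups, "warnings": warnings}

if __name__ == "__main__":
    # The three records quoted in the thread, placeholders left as posted.
    for rec in ("V=spf1 mx ~all",
                "v=spf1 mx a ip4:xx.xx.xx.xx include:mailchimp.com ?all",
                "v=spf1 ip4:xx.xx.xx.xx/xx mx a include:mailchimp.com -all"):
        print(rec, "->", lint_spf(rec))
```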

Author Comment

ID: 39847889
Thanks - this is really helpful.  One final (hopefully) follow-up question.  We were recently put on a spam blacklist because (it seems) of the marketing emails sent through mailchimp.  Although the email addresses that received the emails signed up to get them, there were between 1500 and 2000 emails sent.  We have since been removed from the spam blacklist after contacting them, but don't want it to happen again.  Coming back full circle, would the "include:mailchimp.com" have any impact on this issue?  As an FYI - mailchimp is sending the emails on behalf of information@elizajen.org, so I believe they are appearing to come from our domain.

This reason is one of the main reasons that we began looking at the current SPF record.  In doing research on the possible causes, we were directed to look at it.


Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
The core idea of this article is to make you acquainted with the best way in which you can export Exchange mailbox to PST format.
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question