• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 144

SPF Record Creation Assistance

We are looking for advice on a proper SPF record.  Our current record is as follows:
V=spf1 mx ~all

But after doing some research, it seems that we should have a different setup like this:
v=spf1 mx a ip4:xx.xx.xx.xx include:mailchimp.com ?all

1) ip4:xx.xx.xx.xx = our mail server external address
2) include:mailchimp.com = mailchimp sends marketing emails on our behalf, but through their system, not ours

We have used a few of the online SPF creation tools, but all this seemed to have done is confuse us more.  We want to make sure that our emails are received without issue on other systems, but don't want to open things up too much - especially with the mailchimp service.  Any advice/explanation would greatly be appreciated.

3 Solutions
Leon Kammer Commented:
SPF is as follows.

mx means that all MX records listed in the domain are allowed to send mail
a means that all a records can send email.

ip4: allows you to specify the addresses in CIDR format (IP + subnet) that are allowed to send email

a: allows you to specify which hostnames can send email for this domain.

include: specifies which other domains (SMTP servers) are allowed to send mail for the domain.

~all is a soft fail (anything non-compliant will be accepted, but will be marked as non-compliant)
-all is a hard fail (anything non-compliant will be rejected)
?all is a neutral mode (anything sent will probably be received)

So, V=spf1 mx ~all specifies that all mx records and all a record ip addresses can send mail for this domain; anything that is not compliant with this, mark as non-compliant, but accept it.

Hope this helps


Marcus Bointon Commented:
The whole point of SPF is to prevent forgeries, and any set of rules that doesn't end in '-all' fails to do that to any significant extent. A record ending in '?all' is useless as it says 'these sources are ok, and so is anything else'.

The hardest part of SPF is nailing down your sources - for example if you have users that send via their ISP's email servers, you need to either permit that in your SPF (by including, say, Gmail's SPF), which introduces a lot of wiggle room for forgery, or don't allow them to do that and require them to use only your own mail servers. That's easy to do in a small company, but much harder in a big one.

SPF entries are evaluated left to right, so it's best to list ip4-type parts first as they can be resolved immediately without any DNS lookups, which a, mx and include parts require.
ejscnIT (Author) Commented:
OK, 100% of our staff send through the server itself - either through Outlook or through webaccess. So with that in mind, would you recommend:
v=spf1 mx a ip4:xx.xx.xx.xx/xx include:mailchimp.com -all

Marcus Bointon Commented:
Nearly. This will be faster for receiving systems to process (though it has exactly the same meaning):

v=spf1 ip4:xx.xx.xx.xx/xx mx a include:mailchimp.com -all


The include has the biggest overhead, so that should always go last. One thing to look out for is includes that don't themselves end in '-all'; they constitute a back-door into allowing unapproved sources in your domain.
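As an added example (not code from this thread or from any of the commenters), the following Python evaluator ties together Leon's summary of the mechanisms above and Marcus's points about left-to-right evaluation, DNS lookup cost and includes. It implements the RFC 7208 mechanisms discussed (ip4, a, mx, include, all) with the four qualifiers, counts the DNS-querying mechanisms against the RFC's limit of 10, and runs against a constructed in-memory DNS table. Every domain name (example.org, esp.example, open.example and so on) and every address is hypothetical, drawn from the documentation ranges. One caveat the code makes visible: under RFC 7208 section 5.2 an include: matches only when the included record evaluates to pass, so a third-party record that ends in ?all does not admit unlisted senders; one that ends in +all does, and that is the case to watch for when auditing an ESP's record.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed, in-memory DNS table.

Added example, not the thread's own code. Mechanisms: ip4, a, mx, include, all;
qualifiers + - ~ ?; a, mx and include each cost one counted DNS lookup
(the real RFC accounting for mx is slightly finer, this is simplified).
All names and addresses below are hypothetical.
"""
import ipaddress

# Constructed DNS data (hypothetical domains, RFC 5737 documentation addresses).
DNS = {
    # Marcus's recommended order: ip4 first, include last.
    "example.org": {
        "TXT": ["v=spf1 ip4:203.0.113.10 mx a include:esp.example -all"],
        "MX": ["mail.example.org"],
        "A": ["203.0.113.10"],
    },
    "mail.example.org": {"A": ["203.0.113.10"]},
    # The asker's original order, for a domain whose MX/A differ from its outbound relay.
    "example.com": {
        "TXT": ["v=spf1 mx a ip4:203.0.113.10 include:esp.example -all"],
        "MX": ["mx.example.com"],
        "A": ["203.0.113.20"],
    },
    "mx.example.com": {"A": ["203.0.113.20"]},
    # A third-party sender whose record ends in "?all".
    "esp.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ?all"]},
    # A badly written third-party record that ends in "+all".
    "open.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 +all"]},
    "example.net": {
        "TXT": ["v=spf1 mx a include:open.example -all"],
        "MX": ["mail.example.org"],
        "A": ["203.0.113.10"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    for txt in lookup(domain, "TXT"):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def in_network(ip, spec, default_prefix):
    """True if ip is inside spec ('addr' or 'addr/len'); a bare addr means /default_prefix."""
    if "/" not in spec:
        spec = f"{spec}/{default_prefix}"
    return ip in ipaddress.ip_network(spec, strict=False)


def check_host(ip, domain, lookups=None):
    """Return (result, counted_lookups); result is pass/fail/softfail/neutral/none/permerror."""
    ip = ipaddress.ip_address(ip)
    lookups = [0] if lookups is None else lookups   # shared counter across includes
    record = spf_record(domain)
    if record is None:
        return "none", lookups[0]
    for term in record.split()[1:]:                  # skip "v=spf1"; left to right
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = in_network(ip, arg, 32)        # no DNS needed
        elif name in ("a", "mx", "include"):
            lookups[0] += 1                          # each of these costs a DNS query
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            target = arg or domain
            if name == "a":
                matched = any(ip == ipaddress.ip_address(a) for a in lookup(target, "A"))
            elif name == "mx":
                matched = any(ip == ipaddress.ip_address(a)
                              for h in lookup(target, "MX") for a in lookup(h, "A"))
            else:                                    # include: only a "pass" inside matches
                sub, _ = check_host(ip, target, lookups)
                if sub == "permerror":
                    return "permerror", lookups[0]
                matched = sub == "pass"
        else:
            return "permerror", lookups[0]           # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier], lookups[0]
    return "neutral", lookups[0]                     # nothing matched and no "all" term


def demo():
    """Run the cases the thread discusses; returns a dict of (result, lookups) per case."""
    return {
        "own_server": check_host("203.0.113.10", "example.org"),          # ip4 first: 0 lookups
        "original_order": check_host("203.0.113.10", "example.com"),      # mx, a miss first: 2 lookups
        "esp": check_host("198.51.100.7", "example.org"),                  # include passes
        "stranger": check_host("192.0.2.99", "example.org"),               # ?all in include: still fail
        "stranger_via_open_include": check_host("192.0.2.99", "example.net"),  # +all in include: forged pass
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} -> {outcome}")
```

The "stranger" and "stranger_via_open_include" cases are the ones to compare: the same unlisted address fails against a domain whose include ends in ?all, because neutral inside an include is "no match", but passes against a domain whose include ends in +all. The lookup counts for "own_server" versus "original_order" show the cost of putting mx and a ahead of ip4 for mail that the ip4 term would have matched immediately.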
ejscnIT (Author) Commented:
Thanks - this is really helpful. One final (hopefully) follow-up question. We were recently put on a spam blacklist because (it seems) of the marketing emails sent through mailchimp. Although the email addresses that received the emails signed up to get them, there were between 1500 and 2000 emails sent. We have since been removed from the spam blacklist after contacting them, but don't want it to happen again. Coming back full circle, would the "include:mailchimp.com" have any impact on this issue? As an FYI - mailchimp is sending the emails on behalf of information@elizajen.org, so I believe they are appearing to come from our domain.

This reason is one of the main reasons that we began looking at the current SPF record. In doing research on the possible causes, we were directed to look at it.
