Check for SPF records of a domain name

We have a web application that will allow users to use their own email address (domain name) to send emails.  We are requesting their add the SPF record below, so that when our server sends an email using their domain name it checks and OK the email.

v=spf1 ?all


1. Is this process correct ?
2. Is the SPF above correct ?
3. How can we check that the SPF record has been added to their domain DNS records ?
4. What to do if they don't have a personal domain name and use google or yahoo email ?

Help is appreciated.
Who is Participating?
Chris DentPowerShell DeveloperCommented:
1. Yes.

2. Syntactically, yes. There isn't an SPF record at that name though (so therefore nothing to include), is that intentional obfuscation?

3. That's complicated, you'd need something that understands SPF records (simple string match testing of the TXT record isn't very reliable). You also need something that can pick up a TXT record, that depends on the language you're developing in of course. Perhaps take a look at this:

4. Then you're out of luck I'm afraid. It's a bit black and white, but you can only permit spoofing if the client controls the SPF record.

Simon Butler (Sembee)ConsultantCommented:
If the client does not have their own domain name, then you simply cannot allow them to use your service. You are basically spoofing the address, which is considered a major problem on the internet, hence the use of SPF records to combat it. Google etc are very protective and you will find emails get rejected.

As for checking the SPF records, they are just DNS records, so you can use any of the numerous online DNS lookup tools to confirm they are in place.

I have left your first two points to last, because there is no single answer to those questions.
If you get SPF records wrong then it can mean that emails get dropped by the sites using them as a hard failure.
Furthermore, there is no single answer to SPF records, hence the use of wizards online to create them. Your records do not take in to account how a client may send their email, instead you are opening them to spoofing. If a client already has SPF records and then replaces that with the one you have outlined they could be causing themselves further problems.

Rather than dictating the SPF record, you should point the client at one of the many wizards online and ask them to include your server address in the record. That will allow them to correctly setup the record for their mail delivery method.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.